asyncrat | 069da9838ffd1b21d13c0a1952608e29e64e7b40847ab3fb67e16cfd797ab834

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Size

1.7MB
MD5

0af5c337082f7f3d9249ca5cdfd2d4ce
SHA1

aeb90df77e8fc06b9a42287cb277710e5305c9bc
SHA256

069da9838ffd1b21d13c0a1952608e29e64e7b40847ab3fb67e16cfd797ab834
SHA512

12e07a9e86bbad4b34b0a603f62396fae24746a7d349a7506a83d625da08fd0dd8fc6dea2d6828f62ccc8e13a3f885831cd65f0b4ed3e97368298f809270ee73
SSDEEP

49152:eafU0nviMsLVdf2Hc5HxK0Es0WLw2ifBJ6Qu:VfHKzLzf2QAJrfc

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-01 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-01

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-N3AV3EU

Attributes

gencode
sGSTFQ1pY1TB
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2788-249-0x000000000040C38E-mapping.dmp	asyncrat
behavioral1/memory/2788-287-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/568-386-0x000000000040C38E-mapping.dmp	asyncrat
behavioral1/memory/2876-400-0x000000000040C38E-mapping.dmp	asyncrat

Warzone RAT payload 24 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2628-185-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2628-186-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2628-188-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2628-190-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2628-191-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2628-192-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2820-217-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2820-219-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2820-248-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2904-303-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2820-310-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2628-314-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2980-320-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2056-322-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/1744-330-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2904-337-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2980-338-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2056-339-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1744-340-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2056-362-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2980-363-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1744-365-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2904-369-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2332-419-0x0000000000406DE6-mapping.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

DRVHDD.EXEPrivate_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exeDRVHDD.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE

Executes dropped EXE 25 IoCs

Processes:

DRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEUSBDRVI.EXEDRVHDD.EXEWINLOGONW.EXEDRVHDD.EXEWINCPU.EXEWINPLAYEER.EXEWINLOGONW.EXEUSBDRVI.EXEWINPLAYEER.EXEwintskl.exewintsklt.exeWINCPU.EXEwintskl.exewintsklt.exewintskl.exe

pid	process
1656	DRVHDD.EXE
804	USBDRVI.EXE
1508	WINCPU.EXE
1964	WINLOGONW.EXE
928	WINPLAYEER.EXE
1916	DRVHDD.EXE
1528	USBDRVI.EXE
1808	WINCPU.EXE
1368	WINLOGONW.EXE
1292	WINPLAYEER.EXE
2628	USBDRVI.EXE
2756	DRVHDD.EXE
2820	WINLOGONW.EXE
2880	DRVHDD.EXE
2788	WINCPU.EXE
2904	WINPLAYEER.EXE
2980	WINLOGONW.EXE
2056	USBDRVI.EXE
1744	WINPLAYEER.EXE
1196	wintskl.exe
2364	wintsklt.exe
568	WINCPU.EXE
2876	wintskl.exe
2332	wintsklt.exe
2748	wintskl.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1552-65-0x0000000000400000-0x0000000000701000-memory.dmp	upx
behavioral1/memory/1552-67-0x0000000000400000-0x0000000000701000-memory.dmp	upx
behavioral1/memory/1552-69-0x0000000000400000-0x0000000000701000-memory.dmp	upx
behavioral1/memory/1552-73-0x0000000000400000-0x0000000000701000-memory.dmp	upx
behavioral1/memory/1552-74-0x0000000000400000-0x0000000000701000-memory.dmp	upx
behavioral1/memory/1552-75-0x0000000000400000-0x0000000000701000-memory.dmp	upx
behavioral1/memory/1552-168-0x0000000000400000-0x0000000000701000-memory.dmp	upx
behavioral1/memory/2756-200-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2756-204-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2756-224-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2756-250-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2756-209-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2880-297-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2756-342-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINPLAYEER.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINPLAYEER.EXE

Loads dropped DLL 23 IoCs

Processes:

Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exeUSBDRVI.EXEDRVHDD.EXEWINCPU.EXEWINLOGONW.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEUSBDRVI.EXEWINPLAYEER.EXEcmd.exeWINPLAYEER.EXEWINCPU.EXEcmd.exe

pid	process
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
804	USBDRVI.EXE
1656	DRVHDD.EXE
1508	WINCPU.EXE
1964	WINLOGONW.EXE
1916	DRVHDD.EXE
928	WINPLAYEER.EXE
1368	WINLOGONW.EXE
1528	USBDRVI.EXE
1292	WINPLAYEER.EXE
2800	cmd.exe
2904	WINPLAYEER.EXE
1808	WINCPU.EXE
1752	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINPLAYEER.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINPLAYEER.EXE

Suspicious use of SetThreadContext 13 IoCs

Processes:

Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exeUSBDRVI.EXEDRVHDD.EXEWINLOGONW.EXEWINCPU.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEUSBDRVI.EXEWINPLAYEER.EXEWINCPU.EXEwintskl.exewintsklt.exe

description	pid	process	target process
PID 1720 set thread context of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 804 set thread context of 2628	804	USBDRVI.EXE	USBDRVI.EXE
PID 1656 set thread context of 2756	1656	DRVHDD.EXE	DRVHDD.EXE
PID 1964 set thread context of 2820	1964	WINLOGONW.EXE	WINLOGONW.EXE
PID 1508 set thread context of 2788	1508	WINCPU.EXE	WINCPU.EXE
PID 1916 set thread context of 2880	1916	DRVHDD.EXE	DRVHDD.EXE
PID 928 set thread context of 2904	928	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 1368 set thread context of 2980	1368	WINLOGONW.EXE	WINLOGONW.EXE
PID 1528 set thread context of 2056	1528	USBDRVI.EXE	USBDRVI.EXE
PID 1292 set thread context of 1744	1292	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 1808 set thread context of 568	1808	WINCPU.EXE	WINCPU.EXE
PID 1196 set thread context of 2876	1196	wintskl.exe	wintskl.exe
PID 2364 set thread context of 2332	2364	wintsklt.exe	wintsklt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2640 schtasks.exe
2488 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1784 timeout.exe
928 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINPLAYEER.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINPLAYEER.EXE

pid	process
2640	schtasks.exe
2488	schtasks.exe

pid	process
1784	timeout.exe
928	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINPLAYEER.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

powershell.exePrivate_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUSBDRVI.EXEDRVHDD.EXEWINCPU.EXEWINLOGONW.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEUSBDRVI.EXEWINPLAYEER.EXEWINCPU.EXEpowershell.exepowershell.exepowershell.exeWINCPU.EXEwintskl.exewintsklt.exeWINCPU.EXEpowershell.exe

pid	process
568	powershell.exe
1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
1776	powershell.exe
1176	powershell.exe
980	powershell.exe
1720	powershell.exe
936	powershell.exe
916	powershell.exe
588	powershell.exe
2208	powershell.exe
2144	powershell.exe
804	USBDRVI.EXE
804	USBDRVI.EXE
1656	DRVHDD.EXE
1656	DRVHDD.EXE
1508	WINCPU.EXE
1508	WINCPU.EXE
1964	WINLOGONW.EXE
1964	WINLOGONW.EXE
1916	DRVHDD.EXE
1916	DRVHDD.EXE
928	WINPLAYEER.EXE
928	WINPLAYEER.EXE
1368	WINLOGONW.EXE
1368	WINLOGONW.EXE
1528	USBDRVI.EXE
1528	USBDRVI.EXE
1292	WINPLAYEER.EXE
1292	WINPLAYEER.EXE
2788	WINCPU.EXE
2252	powershell.exe
2764	powershell.exe
2340	powershell.exe
1808	WINCPU.EXE
1808	WINCPU.EXE
1196	wintskl.exe
1196	wintskl.exe
2364	wintsklt.exe
2364	wintsklt.exe
568	WINCPU.EXE
1004	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exePrivate_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exePrivate_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUSBDRVI.EXEDRVHDD.EXEWINCPU.EXEWINLOGONW.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEDRVHDD.EXE

description	pid	process
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeIncreaseQuotaPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeSecurityPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeTakeOwnershipPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeLoadDriverPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeSystemProfilePrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeSystemtimePrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeProfSingleProcessPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeIncBasePriorityPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeCreatePagefilePrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeBackupPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeRestorePrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeShutdownPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeDebugPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeSystemEnvironmentPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeChangeNotifyPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeRemoteShutdownPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeUndockPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeManageVolumePrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeImpersonatePrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeCreateGlobalPrivilege	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: 33	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: 34	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: 35	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	804	USBDRVI.EXE
Token: SeDebugPrivilege	1656	DRVHDD.EXE
Token: SeDebugPrivilege	1508	WINCPU.EXE
Token: SeDebugPrivilege	1964	WINLOGONW.EXE
Token: SeDebugPrivilege	1916	DRVHDD.EXE
Token: SeDebugPrivilege	928	WINPLAYEER.EXE
Token: SeDebugPrivilege	1368	WINLOGONW.EXE
Token: SeIncreaseQuotaPrivilege	2756	DRVHDD.EXE
Token: SeSecurityPrivilege	2756	DRVHDD.EXE
Token: SeTakeOwnershipPrivilege	2756	DRVHDD.EXE
Token: SeLoadDriverPrivilege	2756	DRVHDD.EXE
Token: SeSystemProfilePrivilege	2756	DRVHDD.EXE
Token: SeSystemtimePrivilege	2756	DRVHDD.EXE
Token: SeProfSingleProcessPrivilege	2756	DRVHDD.EXE
Token: SeIncBasePriorityPrivilege	2756	DRVHDD.EXE
Token: SeCreatePagefilePrivilege	2756	DRVHDD.EXE
Token: SeBackupPrivilege	2756	DRVHDD.EXE
Token: SeRestorePrivilege	2756	DRVHDD.EXE
Token: SeShutdownPrivilege	2756	DRVHDD.EXE
Token: SeDebugPrivilege	2756	DRVHDD.EXE
Token: SeSystemEnvironmentPrivilege	2756	DRVHDD.EXE
Token: SeChangeNotifyPrivilege	2756	DRVHDD.EXE
Token: SeRemoteShutdownPrivilege	2756	DRVHDD.EXE
Token: SeUndockPrivilege	2756	DRVHDD.EXE
Token: SeManageVolumePrivilege	2756	DRVHDD.EXE
Token: SeImpersonatePrivilege	2756	DRVHDD.EXE
Token: SeCreateGlobalPrivilege	2756	DRVHDD.EXE
Token: 33	2756	DRVHDD.EXE
Token: 34	2756	DRVHDD.EXE
Token: 35	2756	DRVHDD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exeDRVHDD.EXEUSBDRVI.EXE

pid process

1552 Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
2756 DRVHDD.EXE
2628 USBDRVI.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exePrivate_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exeUSBDRVI.EXEDRVHDD.EXEWINLOGONW.EXEWINCPU.EXEWINPLAYEER.EXE

description	pid	process	target process
PID 1720 wrote to memory of 568	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	powershell.exe
PID 1720 wrote to memory of 568	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	powershell.exe
PID 1720 wrote to memory of 568	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	powershell.exe
PID 1720 wrote to memory of 568	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	powershell.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1720 wrote to memory of 1552	1720	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
PID 1552 wrote to memory of 1656	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1552 wrote to memory of 1656	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1552 wrote to memory of 1656	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1552 wrote to memory of 1656	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1552 wrote to memory of 804	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1552 wrote to memory of 804	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1552 wrote to memory of 804	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1552 wrote to memory of 804	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1552 wrote to memory of 1508	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE
PID 1552 wrote to memory of 1508	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE
PID 1552 wrote to memory of 1508	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE
PID 1552 wrote to memory of 1508	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE
PID 1552 wrote to memory of 1964	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINLOGONW.EXE
PID 1552 wrote to memory of 1964	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINLOGONW.EXE
PID 1552 wrote to memory of 1964	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINLOGONW.EXE
PID 1552 wrote to memory of 1964	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINLOGONW.EXE
PID 1552 wrote to memory of 928	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINPLAYEER.EXE
PID 1552 wrote to memory of 928	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINPLAYEER.EXE
PID 1552 wrote to memory of 928	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINPLAYEER.EXE
PID 1552 wrote to memory of 928	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINPLAYEER.EXE
PID 804 wrote to memory of 1776	804	USBDRVI.EXE	powershell.exe
PID 804 wrote to memory of 1776	804	USBDRVI.EXE	powershell.exe
PID 804 wrote to memory of 1776	804	USBDRVI.EXE	powershell.exe
PID 804 wrote to memory of 1776	804	USBDRVI.EXE	powershell.exe
PID 1656 wrote to memory of 1176	1656	DRVHDD.EXE	powershell.exe
PID 1656 wrote to memory of 1176	1656	DRVHDD.EXE	powershell.exe
PID 1656 wrote to memory of 1176	1656	DRVHDD.EXE	powershell.exe
PID 1656 wrote to memory of 1176	1656	DRVHDD.EXE	powershell.exe
PID 1552 wrote to memory of 1916	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1552 wrote to memory of 1916	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1552 wrote to memory of 1916	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1552 wrote to memory of 1916	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	DRVHDD.EXE
PID 1964 wrote to memory of 980	1964	WINLOGONW.EXE	powershell.exe
PID 1964 wrote to memory of 980	1964	WINLOGONW.EXE	powershell.exe
PID 1964 wrote to memory of 980	1964	WINLOGONW.EXE	powershell.exe
PID 1964 wrote to memory of 980	1964	WINLOGONW.EXE	powershell.exe
PID 1552 wrote to memory of 1528	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1552 wrote to memory of 1528	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1552 wrote to memory of 1528	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1552 wrote to memory of 1528	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	USBDRVI.EXE
PID 1508 wrote to memory of 936	1508	WINCPU.EXE	powershell.exe
PID 1508 wrote to memory of 936	1508	WINCPU.EXE	powershell.exe
PID 1508 wrote to memory of 936	1508	WINCPU.EXE	powershell.exe
PID 1508 wrote to memory of 936	1508	WINCPU.EXE	powershell.exe
PID 928 wrote to memory of 1720	928	WINPLAYEER.EXE	powershell.exe
PID 928 wrote to memory of 1720	928	WINPLAYEER.EXE	powershell.exe
PID 928 wrote to memory of 1720	928	WINPLAYEER.EXE	powershell.exe
PID 928 wrote to memory of 1720	928	WINPLAYEER.EXE	powershell.exe
PID 1552 wrote to memory of 1808	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE
PID 1552 wrote to memory of 1808	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE
PID 1552 wrote to memory of 1808	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE
PID 1552 wrote to memory of 1808	1552	Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe	WINCPU.EXE

C:\Users\Admin\AppData\Local\Temp\Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
"C:\Users\Admin\AppData\Local\Temp\Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
C:\Users\Admin\AppData\Local\Temp\Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
PID:2904

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:2332

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
4⤵
- Executes dropped EXE
PID:2820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4AA8.tmp.bat""
5⤵
- Loads dropped DLL
PID:2800

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:1784

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:2876

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.bat""
5⤵
- Loads dropped DLL
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:928

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Executes dropped EXE
PID:2748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1004

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
4⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
4⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
4⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4AA8.tmp.bat

Filesize
151B

MD5
b24eea85bc3bd9620a718b26791558a0

SHA1
e1750f4ed0155bead6cca28df5ee062066a38a4a

SHA256
e7e0973828c02acbf07060a34612ae33acea5260ee2400d2c056a54dabb85f19

SHA512
69d9267e3158a1eb7fdb1b9c58ecf8c6617289186afd2dd782846d17a9c27166b311682f907a25735b71688f6d3a85d90c6c16316c6243d1847ad457c95e6a6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4b0d1c8dc8da49619e004c772848d45a

SHA1
0216c73d741a45652252fbc38f31b3d3d33c3e04

SHA256
54112ccce9b758faa6897cd6cd0bbf9d88c36fe818be3c6a03d22dd315bfa28c

SHA512
6165a8e73ffee398221aab486222c562a045acd70a211edb1bbd43b6957bd212a842edfd04006bfb2e377a1733a6f1b4447718eec5ef077751880f31b1c53a5a

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
41.0MB

MD5
4c17f3595c0271a50fc7efec8540663a

SHA1
9f1b5691cd3d48a4b09759f07907a6ef29d8f5bb

SHA256
d931a946d895f118c88badaa728daed8461b8986036763bc642a76b38b3f0817

SHA512
3967a861738c2ef21e7296a29ebe0afe5495a55a71cc0ec61ec93c54829c4d0c05f3ca540b2a23551fd484de863cad97d9b321ef20a5f0f0c1dbecf61a72cb2d

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
41.0MB

MD5
4c17f3595c0271a50fc7efec8540663a

SHA1
9f1b5691cd3d48a4b09759f07907a6ef29d8f5bb

SHA256
d931a946d895f118c88badaa728daed8461b8986036763bc642a76b38b3f0817

SHA512
3967a861738c2ef21e7296a29ebe0afe5495a55a71cc0ec61ec93c54829c4d0c05f3ca540b2a23551fd484de863cad97d9b321ef20a5f0f0c1dbecf61a72cb2d

Download Submit
C:\Users\Admin\Documents\wintsklt.exe

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
41.0MB

MD5
4c17f3595c0271a50fc7efec8540663a

SHA1
9f1b5691cd3d48a4b09759f07907a6ef29d8f5bb

SHA256
d931a946d895f118c88badaa728daed8461b8986036763bc642a76b38b3f0817

SHA512
3967a861738c2ef21e7296a29ebe0afe5495a55a71cc0ec61ec93c54829c4d0c05f3ca540b2a23551fd484de863cad97d9b321ef20a5f0f0c1dbecf61a72cb2d

Download Submit
\Users\Admin\Documents\wintsklt.exe

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
memory/568-61-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/568-63-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/568-386-0x000000000040C38E-mapping.dmp

Download
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/568-62-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/588-233-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/588-175-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/588-165-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/588-141-0x0000000000000000-mapping.dmp

Download
memory/804-80-0x0000000000000000-mapping.dmp

Download
memory/804-96-0x0000000001F90000-0x0000000001FEC000-memory.dmp

Filesize
368KB

Download
memory/804-86-0x0000000000890000-0x0000000000904000-memory.dmp

Filesize
464KB

Download
memory/916-205-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/916-174-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/916-164-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/916-146-0x0000000000000000-mapping.dmp

Download
memory/928-108-0x0000000001110000-0x0000000001186000-memory.dmp

Filesize
472KB

Download
memory/928-112-0x0000000000BA0000-0x0000000000BFC000-memory.dmp

Filesize
368KB

Download
memory/928-427-0x0000000000000000-mapping.dmp

Download
memory/928-95-0x0000000000000000-mapping.dmp

Download
memory/936-196-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/936-153-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/936-121-0x0000000000000000-mapping.dmp

Download
memory/936-172-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/980-171-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/980-117-0x0000000000000000-mapping.dmp

Download
memory/980-151-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/980-197-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-431-0x0000000000000000-mapping.dmp

Download
memory/1176-195-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-169-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-114-0x0000000000000000-mapping.dmp

Download
memory/1176-149-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-349-0x0000000000000000-mapping.dmp

Download
memory/1196-351-0x0000000000BA0000-0x0000000000C08000-memory.dmp

Filesize
416KB

Download
memory/1292-137-0x0000000000000000-mapping.dmp

Download
memory/1368-130-0x0000000000000000-mapping.dmp

Download
memory/1508-111-0x0000000000430000-0x0000000000480000-memory.dmp

Filesize
320KB

Download
memory/1508-99-0x0000000000C90000-0x0000000000CF8000-memory.dmp

Filesize
416KB

Download
memory/1508-84-0x0000000000000000-mapping.dmp

Download
memory/1528-119-0x0000000000000000-mapping.dmp

Download
memory/1552-64-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1552-70-0x00000000006FED40-mapping.dmp

Download
memory/1552-67-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1552-168-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1552-73-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1552-65-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1552-69-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1552-74-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1552-75-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1656-113-0x0000000004280000-0x0000000004308000-memory.dmp

Filesize
544KB

Download
memory/1656-98-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/1656-77-0x0000000000000000-mapping.dmp

Download
memory/1720-203-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-125-0x0000000000000000-mapping.dmp

Download
memory/1720-56-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1720-55-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1720-173-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-57-0x00000000057D0000-0x0000000005970000-memory.dmp

Filesize
1.6MB

Download
memory/1720-58-0x0000000000510000-0x000000000055C000-memory.dmp

Filesize
304KB

Download
memory/1720-163-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-54-0x00000000008D0000-0x0000000000A80000-memory.dmp

Filesize
1.7MB

Download
memory/1744-340-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1744-365-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1744-330-0x0000000000406DE6-mapping.dmp

Download
memory/1752-426-0x0000000000000000-mapping.dmp

Download
memory/1776-102-0x0000000000000000-mapping.dmp

Download
memory/1776-170-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-178-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-148-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-346-0x0000000000000000-mapping.dmp

Download
memory/1808-127-0x0000000000000000-mapping.dmp

Download
memory/1916-116-0x0000000000000000-mapping.dmp

Download
memory/1964-110-0x00000000009E0000-0x0000000000A3A000-memory.dmp

Filesize
360KB

Download
memory/1964-88-0x0000000000000000-mapping.dmp

Download
memory/1964-97-0x0000000001120000-0x0000000001192000-memory.dmp

Filesize
456KB

Download
memory/2056-322-0x0000000000406DE6-mapping.dmp

Download
memory/2056-362-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2056-339-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2144-177-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-152-0x0000000000000000-mapping.dmp

Download
memory/2144-242-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-167-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-216-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-176-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-155-0x0000000000000000-mapping.dmp

Download
memory/2208-166-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-352-0x0000000000000000-mapping.dmp

Download
memory/2252-357-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-419-0x0000000000406DE6-mapping.dmp

Download
memory/2340-374-0x0000000000000000-mapping.dmp

Download
memory/2356-360-0x0000000000000000-mapping.dmp

Download
memory/2364-367-0x0000000000000000-mapping.dmp

Download
memory/2364-370-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/2488-343-0x0000000000000000-mapping.dmp

Download
memory/2628-185-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-191-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-314-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-188-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-180-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-181-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-183-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-190-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2628-192-0x0000000000406DE6-mapping.dmp

Download
memory/2628-186-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2640-425-0x0000000000000000-mapping.dmp

Download
memory/2748-428-0x0000000000000000-mapping.dmp

Download
memory/2752-361-0x0000000000000000-mapping.dmp

Download
memory/2756-199-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2756-250-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2756-342-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2756-204-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2756-200-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2756-224-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2756-214-0x00000000004B56A0-mapping.dmp

Download
memory/2756-209-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2764-364-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-355-0x0000000000000000-mapping.dmp

Download
memory/2788-212-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2788-206-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2788-287-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2788-249-0x000000000040C38E-mapping.dmp

Download
memory/2800-344-0x0000000000000000-mapping.dmp

Download
memory/2820-213-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2820-217-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2820-219-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2820-248-0x0000000000405CE2-mapping.dmp

Download
memory/2820-208-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2820-310-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2820-210-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2876-400-0x000000000040C38E-mapping.dmp

Download
memory/2880-251-0x00000000004B56A0-mapping.dmp

Download
memory/2880-297-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2904-337-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2904-369-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2904-303-0x0000000000406DE6-mapping.dmp

Download
memory/2980-363-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2980-320-0x0000000000405CE2-mapping.dmp

Download
memory/2980-338-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download