asyncrat | d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Size

3.6MB
MD5

7fee70edac93dbec8a5a602b33b97d0b
SHA1

f9595e9e4572dd068a70502faf7717328d8d30ca
SHA256

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc
SHA512

f04c2457c481ff0ea7de2f0d7bb690ebc0a24d5eebb997075ded14ef0d34becc3d045ab1d57a27657bc85fef3031e5bb7e62548ce3c4e26d3596f16a657c982f
SSDEEP

98304:aQU/QvsjfLP3L4LP1TRDLPo6oELPb/wULPXFLPp:aQjsjff4ZpjvPZxt

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5412-235-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 19 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5340-278-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5432-282-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3728-288-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2444-290-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3728-258-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5432-246-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3728-249-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5340-237-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5432-232-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5340-222-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4356-294-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2444-295-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4836-297-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4356-296-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3728-303-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5432-311-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5340-312-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3624-323-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3624-326-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exeDRVHDD.EXEDRVHDD.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE

Executes dropped EXE 30 IoCs

Processes:

ADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEDRVHDD.EXEWINLOGONW.EXEUSBDRVI.EXEWINLOGONW.EXEDRVHDD.EXEWINCPU.EXEWINCPU.EXEWINPLAYEER.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEUSBDRVI.EXEDRVHDD.EXEWINLOGONW.EXEwintsklt.exewintskl.exewintsklt.exewintskl.exe

pid	process
2108	ADOBESTV.EXE
4348	DRVHDD.EXE
1012	USBDRVI.EXE
3444	WINCPU.EXE
3472	WINLOGONW.EXE
628	WINPLAYEER.EXE
3692	ADOBESTV.EXE
4456	DRVHDD.EXE
5084	USBDRVI.EXE
4116	WINCPU.EXE
2952	WINLOGONW.EXE
4736	WINPLAYEER.EXE
2264	DRVHDD.EXE
3336	WINLOGONW.EXE
5340	USBDRVI.EXE
5432	WINLOGONW.EXE
2488	DRVHDD.EXE
5412	WINCPU.EXE
5348	WINCPU.EXE
3728	WINPLAYEER.EXE
5568	DRVHDD.EXE
2444	WINPLAYEER.EXE
5820	WINLOGONW.EXE
4356	USBDRVI.EXE
5580	DRVHDD.EXE
4836	WINLOGONW.EXE
444	wintsklt.exe
2356	wintskl.exe
3624	wintsklt.exe
4344	wintskl.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5324-244-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/2488-248-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2488-250-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5752-274-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5580-293-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2488-286-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2488-242-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5324-233-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/2488-234-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5324-220-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5324-310-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wintsklt.exeWINPLAYEER.EXEWINCPU.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEwintskl.exed9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exeDRVHDD.EXEUSBDRVI.EXEADOBESTV.EXEWINCPU.EXEDRVHDD.EXEADOBESTV.EXEWINPLAYEER.EXEWINLOGONW.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE

Drops startup file 2 IoCs

Processes:

WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINPLAYEER.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINPLAYEER.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINPLAYEER.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINPLAYEER.EXE

Suspicious use of SetThreadContext 14 IoCs

Processes:

ADOBESTV.EXEUSBDRVI.EXEWINLOGONW.EXEDRVHDD.EXEWINCPU.EXEWINCPU.EXEWINPLAYEER.EXEWINPLAYEER.EXEADOBESTV.EXEUSBDRVI.EXEDRVHDD.EXEWINLOGONW.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 2108 set thread context of 5324	2108	ADOBESTV.EXE	InstallUtil.exe
PID 1012 set thread context of 5340	1012	USBDRVI.EXE	USBDRVI.EXE
PID 2952 set thread context of 5432	2952	WINLOGONW.EXE	WINLOGONW.EXE
PID 4456 set thread context of 2488	4456	DRVHDD.EXE	DRVHDD.EXE
PID 3444 set thread context of 5412	3444	WINCPU.EXE	WINCPU.EXE
PID 4116 set thread context of 5348	4116	WINCPU.EXE	WINCPU.EXE
PID 628 set thread context of 3728	628	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 4736 set thread context of 2444	4736	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 3692 set thread context of 5752	3692	ADOBESTV.EXE	InstallUtil.exe
PID 5084 set thread context of 4356	5084	USBDRVI.EXE	USBDRVI.EXE
PID 4348 set thread context of 5580	4348	DRVHDD.EXE	DRVHDD.EXE
PID 3472 set thread context of 4836	3472	WINLOGONW.EXE	WINLOGONW.EXE
PID 444 set thread context of 3624	444	wintsklt.exe	wintsklt.exe
PID 2356 set thread context of 4344	2356	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4000 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5220 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINPLAYEER.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINPLAYEER.EXE

pid	process
4000	schtasks.exe

pid	process
5220	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINPLAYEER.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWINLOGONW.EXEADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEADOBESTV.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEDRVHDD.EXEWINPLAYEER.EXE

pid	process
4404	powershell.exe
4404	powershell.exe
2636	powershell.exe
2636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3428	powershell.exe
3428	powershell.exe
3640	powershell.exe
3640	powershell.exe
4396	powershell.exe
4396	powershell.exe
2136	powershell.exe
2136	powershell.exe
4700	powershell.exe
4700	powershell.exe
3628	powershell.exe
3628	powershell.exe
3488	powershell.exe
3488	powershell.exe
4864	powershell.exe
4864	powershell.exe
4412	powershell.exe
4412	powershell.exe
2136	powershell.exe
3628	powershell.exe
3640	powershell.exe
4404	powershell.exe
3636	powershell.exe
2636	powershell.exe
4700	powershell.exe
3428	powershell.exe
4864	powershell.exe
4396	powershell.exe
4412	powershell.exe
3488	powershell.exe
3472	WINLOGONW.EXE
3472	WINLOGONW.EXE
2108	ADOBESTV.EXE
2108	ADOBESTV.EXE
4348	DRVHDD.EXE
4348	DRVHDD.EXE
1012	USBDRVI.EXE
1012	USBDRVI.EXE
4116	WINCPU.EXE
4116	WINCPU.EXE
3692	ADOBESTV.EXE
3692	ADOBESTV.EXE
3444	WINCPU.EXE
3444	WINCPU.EXE
2952	WINLOGONW.EXE
2952	WINLOGONW.EXE
628	WINPLAYEER.EXE
628	WINPLAYEER.EXE
4348	DRVHDD.EXE
4348	DRVHDD.EXE
4456	DRVHDD.EXE
4456	DRVHDD.EXE
3472	WINLOGONW.EXE
3472	WINLOGONW.EXE
3692	ADOBESTV.EXE
3692	ADOBESTV.EXE
4736	WINPLAYEER.EXE
4736	WINPLAYEER.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

5324 InstallUtil.exe

pid	process
5324	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWINLOGONW.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEDRVHDD.EXEWINPLAYEER.EXEUSBDRVI.EXEADOBESTV.EXEInstallUtil.exeDRVHDD.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSecurityPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeTakeOwnershipPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeLoadDriverPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSystemProfilePrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSystemtimePrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeProfSingleProcessPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeIncBasePriorityPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeCreatePagefilePrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeBackupPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeRestorePrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeShutdownPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeDebugPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSystemEnvironmentPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeChangeNotifyPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeRemoteShutdownPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeUndockPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeManageVolumePrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeImpersonatePrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeCreateGlobalPrivilege	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: 33	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: 34	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: 35	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: 36	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3472	WINLOGONW.EXE
Token: SeDebugPrivilege	4348	DRVHDD.EXE
Token: SeDebugPrivilege	1012	USBDRVI.EXE
Token: SeDebugPrivilege	4116	WINCPU.EXE
Token: SeDebugPrivilege	3444	WINCPU.EXE
Token: SeDebugPrivilege	2952	WINLOGONW.EXE
Token: SeDebugPrivilege	628	WINPLAYEER.EXE
Token: SeDebugPrivilege	4456	DRVHDD.EXE
Token: SeDebugPrivilege	4736	WINPLAYEER.EXE
Token: SeDebugPrivilege	5084	USBDRVI.EXE
Token: SeDebugPrivilege	3692	ADOBESTV.EXE
Token: SeShutdownPrivilege	5324	InstallUtil.exe
Token: SeDebugPrivilege	5324	InstallUtil.exe
Token: SeTcbPrivilege	5324	InstallUtil.exe
Token: SeIncreaseQuotaPrivilege	2488	DRVHDD.EXE
Token: SeSecurityPrivilege	2488	DRVHDD.EXE
Token: SeTakeOwnershipPrivilege	2488	DRVHDD.EXE
Token: SeLoadDriverPrivilege	2488	DRVHDD.EXE
Token: SeSystemProfilePrivilege	2488	DRVHDD.EXE
Token: SeSystemtimePrivilege	2488	DRVHDD.EXE
Token: SeProfSingleProcessPrivilege	2488	DRVHDD.EXE
Token: SeIncBasePriorityPrivilege	2488	DRVHDD.EXE
Token: SeCreatePagefilePrivilege	2488	DRVHDD.EXE
Token: SeBackupPrivilege	2488	DRVHDD.EXE
Token: SeRestorePrivilege	2488	DRVHDD.EXE
Token: SeShutdownPrivilege	2488	DRVHDD.EXE
Token: SeDebugPrivilege	2488	DRVHDD.EXE
Token: SeSystemEnvironmentPrivilege	2488	DRVHDD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exeInstallUtil.exeDRVHDD.EXE

pid process

368 d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
5324 InstallUtil.exe
2488 DRVHDD.EXE

pid	process
368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
5324	InstallUtil.exe
2488	DRVHDD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exeWINPLAYEER.EXEWINCPU.EXEDRVHDD.EXEUSBDRVI.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEADOBESTV.EXEUSBDRVI.EXEADOBESTV.EXE

description	pid	process	target process
PID 368 wrote to memory of 2108	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	ADOBESTV.EXE
PID 368 wrote to memory of 2108	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	ADOBESTV.EXE
PID 368 wrote to memory of 2108	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	ADOBESTV.EXE
PID 368 wrote to memory of 4348	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	DRVHDD.EXE
PID 368 wrote to memory of 4348	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	DRVHDD.EXE
PID 368 wrote to memory of 4348	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	DRVHDD.EXE
PID 368 wrote to memory of 1012	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	USBDRVI.EXE
PID 368 wrote to memory of 1012	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	USBDRVI.EXE
PID 368 wrote to memory of 1012	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	USBDRVI.EXE
PID 368 wrote to memory of 3444	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINCPU.EXE
PID 368 wrote to memory of 3444	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINCPU.EXE
PID 368 wrote to memory of 3444	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINCPU.EXE
PID 368 wrote to memory of 3472	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINLOGONW.EXE
PID 368 wrote to memory of 3472	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINLOGONW.EXE
PID 368 wrote to memory of 3472	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINLOGONW.EXE
PID 368 wrote to memory of 628	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINPLAYEER.EXE
PID 368 wrote to memory of 628	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINPLAYEER.EXE
PID 368 wrote to memory of 628	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINPLAYEER.EXE
PID 368 wrote to memory of 3692	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	ADOBESTV.EXE
PID 368 wrote to memory of 3692	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	ADOBESTV.EXE
PID 368 wrote to memory of 3692	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	ADOBESTV.EXE
PID 368 wrote to memory of 4456	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	DRVHDD.EXE
PID 368 wrote to memory of 4456	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	DRVHDD.EXE
PID 368 wrote to memory of 4456	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	DRVHDD.EXE
PID 368 wrote to memory of 5084	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	USBDRVI.EXE
PID 368 wrote to memory of 5084	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	USBDRVI.EXE
PID 368 wrote to memory of 5084	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	USBDRVI.EXE
PID 368 wrote to memory of 4116	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINCPU.EXE
PID 368 wrote to memory of 4116	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINCPU.EXE
PID 368 wrote to memory of 4116	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINCPU.EXE
PID 368 wrote to memory of 2952	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINLOGONW.EXE
PID 368 wrote to memory of 2952	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINLOGONW.EXE
PID 368 wrote to memory of 2952	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINLOGONW.EXE
PID 368 wrote to memory of 4736	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINPLAYEER.EXE
PID 368 wrote to memory of 4736	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINPLAYEER.EXE
PID 368 wrote to memory of 4736	368	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	WINPLAYEER.EXE
PID 628 wrote to memory of 2636	628	WINPLAYEER.EXE	powershell.exe
PID 628 wrote to memory of 2636	628	WINPLAYEER.EXE	powershell.exe
PID 628 wrote to memory of 2636	628	WINPLAYEER.EXE	powershell.exe
PID 3444 wrote to memory of 3628	3444	WINCPU.EXE	powershell.exe
PID 3444 wrote to memory of 3628	3444	WINCPU.EXE	powershell.exe
PID 3444 wrote to memory of 3628	3444	WINCPU.EXE	powershell.exe
PID 4456 wrote to memory of 4404	4456	DRVHDD.EXE	powershell.exe
PID 4456 wrote to memory of 4404	4456	DRVHDD.EXE	powershell.exe
PID 4456 wrote to memory of 4404	4456	DRVHDD.EXE	powershell.exe
PID 1012 wrote to memory of 3640	1012	USBDRVI.EXE	powershell.exe
PID 1012 wrote to memory of 3640	1012	USBDRVI.EXE	powershell.exe
PID 1012 wrote to memory of 3640	1012	USBDRVI.EXE	powershell.exe
PID 4348 wrote to memory of 3636	4348	DRVHDD.EXE	powershell.exe
PID 4348 wrote to memory of 3636	4348	DRVHDD.EXE	powershell.exe
PID 4348 wrote to memory of 3636	4348	DRVHDD.EXE	powershell.exe
PID 4736 wrote to memory of 3428	4736	WINPLAYEER.EXE	powershell.exe
PID 4736 wrote to memory of 3428	4736	WINPLAYEER.EXE	powershell.exe
PID 4736 wrote to memory of 3428	4736	WINPLAYEER.EXE	powershell.exe
PID 3472 wrote to memory of 4412	3472	WINLOGONW.EXE	powershell.exe
PID 3472 wrote to memory of 4412	3472	WINLOGONW.EXE	powershell.exe
PID 3472 wrote to memory of 4412	3472	WINLOGONW.EXE	powershell.exe
PID 2108 wrote to memory of 4700	2108	ADOBESTV.EXE	powershell.exe
PID 2108 wrote to memory of 4700	2108	ADOBESTV.EXE	powershell.exe
PID 2108 wrote to memory of 4700	2108	ADOBESTV.EXE	powershell.exe
PID 5084 wrote to memory of 4864	5084	USBDRVI.EXE	powershell.exe
PID 5084 wrote to memory of 4864	5084	USBDRVI.EXE	powershell.exe
PID 5084 wrote to memory of 4864	5084	USBDRVI.EXE	powershell.exe
PID 3692 wrote to memory of 3488	3692	ADOBESTV.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
"C:\Users\Admin\AppData\Local\Temp\d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5324

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
3⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
3⤵
- Executes dropped EXE
PID:5568

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5580

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
3⤵
- Executes dropped EXE
PID:5340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:5412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
4⤵
- Creates scheduled task(s)
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4825.tmp.bat""
4⤵
PID:5196

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:5220

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:2284

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
6⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
3⤵
- Executes dropped EXE
PID:3336

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
3⤵
- Executes dropped EXE
PID:5820

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
3⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:3728

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
5⤵
PID:1904

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
5⤵
- Executes dropped EXE
PID:3624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:5464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
3⤵
- Executes dropped EXE
PID:4356

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
3⤵
- Executes dropped EXE
PID:5348

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
3⤵
- Executes dropped EXE
PID:5432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
3⤵
- Executes dropped EXE
PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADOBESTV.EXE.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRVHDD.EXE.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USBDRVI.EXE.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPU.EXE.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINLOGONW.EXE.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINPLAYEER.EXE.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
7294f48e6552a5af288ed038f1789202

SHA1
71a7aede6f31f324baa344e8bff6aa905cb04e6f

SHA256
8a2cd25378a25f86916490e9374223d850d8938be88e5b6b95b6045644bed646

SHA512
d1f35b7a10528bf695ed050e33304d453bca94151d02979992d6f8a2fea9336e2b70d78e5b5bccee1b820b4da7fa1172d805e85707ef9a02475dc6d7f76695b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
009ff999d8b82f7916b6acef59ced8b9

SHA1
68a319c9acc7ec330cf410582d9775d50a488f52

SHA256
1974db26f4ce2218012728bfb2d1ad8b7df1cae6d10bacada3f50c1b51e6ea12

SHA512
610163735a64e596011bef4cf8fdb598fd17cfacd7065a9b58be71a960e9c164f2dc981816d1319ba9c6e107dffb20fa50984e9a68437d07a4278d46b48b2c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
cc54a8d0e173221248101854bb762731

SHA1
3831735cd948687f9aa5ae66559d718b68d40fca

SHA256
6db3b9829468aeed41f84bfc878ce214a0409be46a0c71b42d6e8a1b010b8b53

SHA512
177d5492d9590acd677c19b05c29e763e15816375fc7f955c6d81327b2f98b117ed358e6ff4711431429cf3516876b82e35a04f01cc8c7561cd18de713f956f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
009ff999d8b82f7916b6acef59ced8b9

SHA1
68a319c9acc7ec330cf410582d9775d50a488f52

SHA256
1974db26f4ce2218012728bfb2d1ad8b7df1cae6d10bacada3f50c1b51e6ea12

SHA512
610163735a64e596011bef4cf8fdb598fd17cfacd7065a9b58be71a960e9c164f2dc981816d1319ba9c6e107dffb20fa50984e9a68437d07a4278d46b48b2c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
009ff999d8b82f7916b6acef59ced8b9

SHA1
68a319c9acc7ec330cf410582d9775d50a488f52

SHA256
1974db26f4ce2218012728bfb2d1ad8b7df1cae6d10bacada3f50c1b51e6ea12

SHA512
610163735a64e596011bef4cf8fdb598fd17cfacd7065a9b58be71a960e9c164f2dc981816d1319ba9c6e107dffb20fa50984e9a68437d07a4278d46b48b2c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5a64e8bc3ea542c1f1ada523b8b6fe4e

SHA1
4aad592add09e4df0fb185f21cb01122e84e53e7

SHA256
2da9232909224074d041b02b6ca33e9dfa5784a8bc0a1a09faac95af4c68349a

SHA512
8a12b602d7b891557e1a8e7f8c363810d1ed4ee99927e6e90a44e0201818cff8173e9aa83e69248d98e82ca457c0abf22c4149f8df0af6df62ed5223d83d811d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
009ff999d8b82f7916b6acef59ced8b9

SHA1
68a319c9acc7ec330cf410582d9775d50a488f52

SHA256
1974db26f4ce2218012728bfb2d1ad8b7df1cae6d10bacada3f50c1b51e6ea12

SHA512
610163735a64e596011bef4cf8fdb598fd17cfacd7065a9b58be71a960e9c164f2dc981816d1319ba9c6e107dffb20fa50984e9a68437d07a4278d46b48b2c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
009ff999d8b82f7916b6acef59ced8b9

SHA1
68a319c9acc7ec330cf410582d9775d50a488f52

SHA256
1974db26f4ce2218012728bfb2d1ad8b7df1cae6d10bacada3f50c1b51e6ea12

SHA512
610163735a64e596011bef4cf8fdb598fd17cfacd7065a9b58be71a960e9c164f2dc981816d1319ba9c6e107dffb20fa50984e9a68437d07a4278d46b48b2c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
076266e8fcf8a9e8cc354458fa4ed64a

SHA1
3e3f1db0d2a8a01932f9dd071b5be83e738283a8

SHA256
cf607810ebae827150c4a15e4562b3f7df507e78ac428131f3c1d0ead7394cfe

SHA512
790cded9005e462679853277ade11537c75be49d66b81736063c1228c43ab1a61f25f4d671ef834e78fe59a3459e142a42573f7da4f0b219f360b2c35135c390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
076266e8fcf8a9e8cc354458fa4ed64a

SHA1
3e3f1db0d2a8a01932f9dd071b5be83e738283a8

SHA256
cf607810ebae827150c4a15e4562b3f7df507e78ac428131f3c1d0ead7394cfe

SHA512
790cded9005e462679853277ade11537c75be49d66b81736063c1228c43ab1a61f25f4d671ef834e78fe59a3459e142a42573f7da4f0b219f360b2c35135c390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
076266e8fcf8a9e8cc354458fa4ed64a

SHA1
3e3f1db0d2a8a01932f9dd071b5be83e738283a8

SHA256
cf607810ebae827150c4a15e4562b3f7df507e78ac428131f3c1d0ead7394cfe

SHA512
790cded9005e462679853277ade11537c75be49d66b81736063c1228c43ab1a61f25f4d671ef834e78fe59a3459e142a42573f7da4f0b219f360b2c35135c390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
076266e8fcf8a9e8cc354458fa4ed64a

SHA1
3e3f1db0d2a8a01932f9dd071b5be83e738283a8

SHA256
cf607810ebae827150c4a15e4562b3f7df507e78ac428131f3c1d0ead7394cfe

SHA512
790cded9005e462679853277ade11537c75be49d66b81736063c1228c43ab1a61f25f4d671ef834e78fe59a3459e142a42573f7da4f0b219f360b2c35135c390

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4825.tmp.bat

Filesize
151B

MD5
4ff7f94fc6eb06c336706f33ff997f9f

SHA1
32011e283227649a2c1dbd3f1ab459b0f37f3509

SHA256
e1bd6266d2dff535a5c4f242c30e13b90a5bfc1fd2b2083d4f6405e8eb07fabb

SHA512
5b408262d6f85a25e13a1f1ac69210533af3dc77a14ba3f607f14fbef518700199a0a405c6cbd6a0e0613c2b12c77f783c2708e80cf336d423512a17f95ae77b

Download Submit
C:\Users\Admin\Documents\wintsklt.exe

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\Documents\wintsklt.exe

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/444-300-0x0000000000000000-mapping.dmp

Download
memory/628-147-0x0000000000000000-mapping.dmp

Download
memory/628-154-0x0000000000360000-0x00000000003D6000-memory.dmp

Filesize
472KB

Download
memory/1012-150-0x0000000000770000-0x00000000007E4000-memory.dmp

Filesize
464KB

Download
memory/1012-138-0x0000000000000000-mapping.dmp

Download
memory/1904-304-0x0000000000000000-mapping.dmp

Download
memory/2108-132-0x0000000000000000-mapping.dmp

Download
memory/2108-152-0x0000000000430000-0x00000000004EA000-memory.dmp

Filesize
744KB

Download
memory/2136-190-0x0000000006090000-0x00000000060AA000-memory.dmp

Filesize
104KB

Download
memory/2136-182-0x0000000000000000-mapping.dmp

Download
memory/2264-213-0x0000000000000000-mapping.dmp

Download
memory/2284-318-0x0000000000000000-mapping.dmp

Download
memory/2356-317-0x0000000000000000-mapping.dmp

Download
memory/2444-290-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2444-221-0x0000000000000000-mapping.dmp

Download
memory/2444-295-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2488-286-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2488-234-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2488-219-0x0000000000000000-mapping.dmp

Download
memory/2488-242-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2488-248-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2488-250-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2636-171-0x0000000000000000-mapping.dmp

Download
memory/2952-166-0x0000000000000000-mapping.dmp

Download
memory/3136-299-0x0000000000000000-mapping.dmp

Download
memory/3136-307-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/3336-209-0x0000000000000000-mapping.dmp

Download
memory/3412-306-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3412-298-0x0000000000000000-mapping.dmp

Download
memory/3428-176-0x0000000000000000-mapping.dmp

Download
memory/3444-140-0x0000000000000000-mapping.dmp

Download
memory/3444-155-0x0000000000330000-0x0000000000398000-memory.dmp

Filesize
416KB

Download
memory/3444-156-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/3472-144-0x0000000000000000-mapping.dmp

Download
memory/3472-165-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/3472-151-0x0000000000330000-0x00000000003A2000-memory.dmp

Filesize
456KB

Download
memory/3472-157-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/3488-180-0x0000000000000000-mapping.dmp

Download
memory/3624-319-0x0000000000000000-mapping.dmp

Download
memory/3624-323-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3624-326-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3628-183-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/3628-186-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/3628-187-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3628-172-0x0000000000000000-mapping.dmp

Download
memory/3636-175-0x0000000000000000-mapping.dmp

Download
memory/3640-174-0x0000000000000000-mapping.dmp

Download
memory/3640-185-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/3692-158-0x0000000000000000-mapping.dmp

Download
memory/3728-249-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3728-258-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3728-218-0x0000000000000000-mapping.dmp

Download
memory/3728-288-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3728-303-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4000-313-0x0000000000000000-mapping.dmp

Download
memory/4116-164-0x0000000000000000-mapping.dmp

Download
memory/4344-327-0x0000000000000000-mapping.dmp

Download
memory/4348-153-0x0000000000030000-0x00000000000D0000-memory.dmp

Filesize
640KB

Download
memory/4348-135-0x0000000000000000-mapping.dmp

Download
memory/4356-296-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4356-224-0x0000000000000000-mapping.dmp

Download
memory/4356-294-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4396-181-0x0000000000000000-mapping.dmp

Download
memory/4404-188-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4404-184-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4404-173-0x0000000000000000-mapping.dmp

Download
memory/4412-189-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/4412-177-0x0000000000000000-mapping.dmp

Download
memory/4456-160-0x0000000000000000-mapping.dmp

Download
memory/4700-178-0x0000000000000000-mapping.dmp

Download
memory/4736-168-0x0000000000000000-mapping.dmp

Download
memory/4836-260-0x0000000000000000-mapping.dmp

Download
memory/4836-297-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4864-179-0x0000000000000000-mapping.dmp

Download
memory/5084-162-0x0000000000000000-mapping.dmp

Download
memory/5196-314-0x0000000000000000-mapping.dmp

Download
memory/5220-316-0x0000000000000000-mapping.dmp

Download
memory/5300-325-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/5300-324-0x0000000000000000-mapping.dmp

Download
memory/5324-233-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5324-244-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5324-210-0x0000000000000000-mapping.dmp

Download
memory/5324-292-0x000000006F1C0000-0x000000006F1F9000-memory.dmp

Filesize
228KB

Download
memory/5324-220-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5324-310-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5340-278-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5340-222-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5340-237-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5340-212-0x0000000000000000-mapping.dmp

Download
memory/5340-312-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5348-214-0x0000000000000000-mapping.dmp

Download
memory/5412-235-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5412-309-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/5412-216-0x0000000000000000-mapping.dmp

Download
memory/5432-311-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5432-232-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5432-246-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5432-282-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5432-217-0x0000000000000000-mapping.dmp

Download
memory/5464-215-0x0000000000000000-mapping.dmp

Download
memory/5568-226-0x0000000000000000-mapping.dmp

Download
memory/5580-255-0x0000000000000000-mapping.dmp

Download
memory/5580-293-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5752-231-0x0000000000000000-mapping.dmp

Download
memory/5752-274-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5820-228-0x0000000000000000-mapping.dmp

Download