darkcomet | 463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

Resubmissions

27-01-2023 19:10

230127-xvglescg25 10

27-01-2023 17:57

230127-wjv41adg9z 10

27-01-2023 17:47

230127-wcvjwsdg7x 10

Analysis

max time kernel
601s
max time network
604s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doge-Miner203.exe
Size

6.1MB
MD5

d7e6fd264bc937e3646de58e551a29db
SHA1

1db4664777b17e004f71cee4002f9ccc430413e4
SHA256

463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
SHA512

cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
SSDEEP

98304:tGFp32YKbG4vUdQUbSZ/I2jeYXyxd4494Wc9f:tEMbqQ5Z/pjVifXuT

Score

10^/10

darkcomet warzonerat 1++dec_code111 1++dec_pure_1 new-july-july4-02 collection infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

1++Dec_Code111

dgorijan20785.hopto.org:35799

Mutex

DC_MUTEX-LBKFSQL

Attributes

gencode
5RZrbWYF4XYM
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5200

Extracted

Family

darkcomet

Botnet

1++Dec_Pure_1

dgorijan20785.hopto.org:35799

Mutex

DC_MUTEX-JP69GTU

Attributes

gencode
ZrXR6g2JfYyE
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2876-209-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2876-211-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2876-218-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2876-336-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/3040-349-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/2876-357-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/3732-379-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/3868-412-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/3976-429-0x0000000000405CE2-mapping.dmp	warzonerat

Drops file in Drivers directory 4 IoCs

Processes:

AddInProcess32.exeInstallUtil.exeAddInProcess32.exeAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AddInProcess32.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AddInProcess32.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Executes dropped EXE 40 IoCs

Processes:

notepad.exeCPUMON.EXEMSCALC.EXEUSBDRV.EXEWINLOGONS.EXEWINRARL.EXEwinnote.exeCPUMON.EXEUSBDRV.EXEMSCALC.EXEWINLOGONS.EXEWINRARL.EXEwinnote.exeADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXECPUMON.EXEWINLOGONS.EXEWINLOGONS.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINLOGONL.EXEWINLOGONL.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEwintsklt.exewintsklt.exewintsklt.exe

pid	process
1468	notepad.exe
392	CPUMON.EXE
1980	MSCALC.EXE
1528	USBDRV.EXE
1760	WINLOGONS.EXE
1448	WINRARL.EXE
832	winnote.exe
984	CPUMON.EXE
1480	USBDRV.EXE
1772	MSCALC.EXE
1316	WINLOGONS.EXE
1516	WINRARL.EXE
612	winnote.exe
2936	ADOBESERV.EXE
3056	AUDIOPT.EXE
1716	DRVVIDEO.EXE
2536	WINCPUL.EXE
2552	WINLOGONL.EXE
2652	WINPLAY.EXE
2656	ADOBESERV.EXE
2332	AUDIOPT.EXE
2676	DRVVIDEO.EXE
2092	WINCPUL.EXE
2380	WINLOGONL.EXE
2964	WINPLAY.EXE
2780	CPUMON.EXE
2876	WINLOGONS.EXE
3040	WINLOGONS.EXE
3724	DRVVIDEO.EXE
3732	DRVVIDEO.EXE
3868	WINCPUL.EXE
2696	WINLOGONL.EXE
1288	WINLOGONL.EXE
3976	WINLOGONL.EXE
3132	AUDIOPT.EXE
2576	WINLOGONL.EXE
3472	DRVVIDEO.EXE
1592	wintsklt.exe
4092	wintsklt.exe
3800	wintsklt.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/452-73-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral1/memory/452-75-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral1/memory/452-77-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral1/memory/452-81-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral1/memory/452-82-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral1/memory/452-103-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral1/memory/452-159-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral1/memory/2584-166-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2584-170-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2584-175-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2604-185-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2780-191-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2604-189-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2836-192-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2836-201-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2780-198-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2604-207-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2604-314-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2780-344-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2836-345-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3392-366-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Loads dropped DLL 46 IoCs

Processes:

cmd.exeAddInProcess32.exenotepad.exewinnote.exeCPUMON.EXEWINLOGONS.EXEInstallUtil.exeWINLOGONS.EXEDRVVIDEO.EXEWINCPUL.EXEAUDIOPT.EXEWINLOGONL.EXEWINPLAY.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONS.EXE

pid	process
1776	cmd.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
1468	notepad.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
452	AddInProcess32.exe
832	winnote.exe
392	CPUMON.EXE
1760	WINLOGONS.EXE
2604	InstallUtil.exe
1316	WINLOGONS.EXE
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
2604	InstallUtil.exe
1716	DRVVIDEO.EXE
1716	DRVVIDEO.EXE
2536	WINCPUL.EXE
3056	AUDIOPT.EXE
2552	WINLOGONL.EXE
2652	WINPLAY.EXE
2332	AUDIOPT.EXE
2380	WINLOGONL.EXE
2380	WINLOGONL.EXE
2380	WINLOGONL.EXE
2676	DRVVIDEO.EXE
3868	WINCPUL.EXE
3040	WINLOGONS.EXE
3040	WINLOGONS.EXE
3040	WINLOGONS.EXE
3040	WINLOGONS.EXE
3040	WINLOGONS.EXE
3040	WINLOGONS.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

WINLOGONS.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINRARL.EXEWINRARL.EXEWINLOGONL.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEADOBESERV.EXEDRVVIDEO.EXEAUDIOPT.EXEWINLOGONL.EXEWINCPUL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WINRARL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WINRARL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE

Suspicious use of SetThreadContext 18 IoCs

Processes:

notepad.exeWINRARL.EXEWINRARL.EXEADOBESERV.EXECPUMON.EXEUSBDRV.EXEWINLOGONS.EXEWINLOGONS.EXEDRVVIDEO.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEWINLOGONL.EXEAUDIOPT.EXEADOBESERV.EXEWINLOGONL.EXEDRVVIDEO.EXEwintsklt.exe

description	pid	process	target process
PID 1468 set thread context of 452	1468	notepad.exe	AddInProcess32.exe
PID 1448 set thread context of 2584	1448	WINRARL.EXE	InstallUtil.exe
PID 1516 set thread context of 2604	1516	WINRARL.EXE	InstallUtil.exe
PID 2936 set thread context of 3392	2936	ADOBESERV.EXE	InstallUtil.exe
PID 392 set thread context of 2780	392	CPUMON.EXE	CPUMON.EXE
PID 1528 set thread context of 2836	1528	USBDRV.EXE	AddInProcess32.exe
PID 1760 set thread context of 2876	1760	WINLOGONS.EXE	WINLOGONS.EXE
PID 1316 set thread context of 3040	1316	WINLOGONS.EXE	WINLOGONS.EXE
PID 1716 set thread context of 3732	1716	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 3056 set thread context of 3932	3056	AUDIOPT.EXE	AUDIOPT.EXE
PID 2536 set thread context of 3868	2536	WINCPUL.EXE	WINCPUL.EXE
PID 2652 set thread context of 4032	2652	WINPLAY.EXE	WINPLAY.EXE
PID 2552 set thread context of 3976	2552	WINLOGONL.EXE	WINLOGONL.EXE
PID 2332 set thread context of 3132	2332	AUDIOPT.EXE	AUDIOPT.EXE
PID 2656 set thread context of 2124	2656	ADOBESERV.EXE	InstallUtil.exe
PID 2380 set thread context of 2576	2380	WINLOGONL.EXE	WINLOGONL.EXE
PID 2676 set thread context of 3472	2676	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 1592 set thread context of 3800	1592	wintsklt.exe	wintsklt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Runs ping.exe 1 TTPs 29 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1388	PING.EXE
2772	PING.EXE
3784	PING.EXE
1240	PING.EXE
2800	PING.EXE
3524	PING.EXE
3052	PING.EXE
548	PING.EXE
2372	PING.EXE
3680	PING.EXE
4044	PING.EXE
3036	PING.EXE
3644	PING.EXE
1640	PING.EXE
3792	PING.EXE
2396	PING.EXE
3412	PING.EXE
3320	PING.EXE
2456	PING.EXE
2528	PING.EXE
1412	PING.EXE
3704	PING.EXE
188	PING.EXE
2744	PING.EXE
1592	PING.EXE
3232	PING.EXE
2468	PING.EXE
3676	PING.EXE
2712	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Doge-Miner203.exenotepad.exewinnote.exewinnote.exeCPUMON.EXEUSBDRV.EXEMSCALC.EXEWINLOGONS.EXEMSCALC.EXEWINLOGONS.EXEpowershell.exepowershell.exeUSBDRV.EXEWINRARL.EXEWINRARL.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeADOBESERV.EXEDRVVIDEO.EXE

pid	process
1944	Doge-Miner203.exe
1944	Doge-Miner203.exe
1944	Doge-Miner203.exe
1944	Doge-Miner203.exe
1944	Doge-Miner203.exe
1468	notepad.exe
1468	notepad.exe
1468	notepad.exe
1468	notepad.exe
1468	notepad.exe
832	winnote.exe
612	winnote.exe
612	winnote.exe
612	winnote.exe
1468	notepad.exe
1468	notepad.exe
392	CPUMON.EXE
392	CPUMON.EXE
1528	USBDRV.EXE
1980	MSCALC.EXE
1528	USBDRV.EXE
1980	MSCALC.EXE
1980	MSCALC.EXE
1980	MSCALC.EXE
1760	WINLOGONS.EXE
1760	WINLOGONS.EXE
1772	MSCALC.EXE
1316	WINLOGONS.EXE
1772	MSCALC.EXE
1772	MSCALC.EXE
1772	MSCALC.EXE
1316	WINLOGONS.EXE
2136	powershell.exe
2144	powershell.exe
1480	USBDRV.EXE
1480	USBDRV.EXE
1448	WINRARL.EXE
1448	WINRARL.EXE
1516	WINRARL.EXE
1516	WINRARL.EXE
1516	WINRARL.EXE
1516	WINRARL.EXE
1516	WINRARL.EXE
1516	WINRARL.EXE
1980	MSCALC.EXE
1772	MSCALC.EXE
2320	powershell.exe
2276	powershell.exe
2160	powershell.exe
1268	powershell.exe
2888	powershell.exe
2772	powershell.exe
2476	powershell.exe
2396	powershell.exe
2560	powershell.exe
2936	ADOBESERV.EXE
2936	ADOBESERV.EXE
2936	ADOBESERV.EXE
1772	MSCALC.EXE
1772	MSCALC.EXE
1772	MSCALC.EXE
1716	DRVVIDEO.EXE
1716	DRVVIDEO.EXE
1716	DRVVIDEO.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

CPUMON.EXEInstallUtil.exe

pid process

2780 CPUMON.EXE
3392 InstallUtil.exe

pid	process
2780	CPUMON.EXE
3392	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Doge-Miner203.exenotepad.exeAddInProcess32.exeCPUMON.EXEMSCALC.EXEUSBDRV.EXEWINLOGONS.EXEUSBDRV.EXEMSCALC.EXEWINLOGONS.EXEwinnote.exewinnote.exepowershell.exepowershell.exeWINRARL.EXEWINRARL.EXEInstallUtil.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	Doge-Miner203.exe
Token: SeDebugPrivilege	1468	notepad.exe
Token: SeIncreaseQuotaPrivilege	452	AddInProcess32.exe
Token: SeSecurityPrivilege	452	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	452	AddInProcess32.exe
Token: SeLoadDriverPrivilege	452	AddInProcess32.exe
Token: SeSystemProfilePrivilege	452	AddInProcess32.exe
Token: SeSystemtimePrivilege	452	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	452	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	452	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	452	AddInProcess32.exe
Token: SeBackupPrivilege	452	AddInProcess32.exe
Token: SeRestorePrivilege	452	AddInProcess32.exe
Token: SeShutdownPrivilege	452	AddInProcess32.exe
Token: SeDebugPrivilege	452	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	452	AddInProcess32.exe
Token: SeChangeNotifyPrivilege	452	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	452	AddInProcess32.exe
Token: SeUndockPrivilege	452	AddInProcess32.exe
Token: SeManageVolumePrivilege	452	AddInProcess32.exe
Token: SeImpersonatePrivilege	452	AddInProcess32.exe
Token: SeCreateGlobalPrivilege	452	AddInProcess32.exe
Token: 33	452	AddInProcess32.exe
Token: 34	452	AddInProcess32.exe
Token: 35	452	AddInProcess32.exe
Token: SeDebugPrivilege	392	CPUMON.EXE
Token: SeDebugPrivilege	1980	MSCALC.EXE
Token: SeDebugPrivilege	1528	USBDRV.EXE
Token: SeDebugPrivilege	1760	WINLOGONS.EXE
Token: SeDebugPrivilege	1480	USBDRV.EXE
Token: SeDebugPrivilege	1772	MSCALC.EXE
Token: SeDebugPrivilege	1316	WINLOGONS.EXE
Token: SeDebugPrivilege	832	winnote.exe
Token: SeDebugPrivilege	612	winnote.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1448	WINRARL.EXE
Token: SeDebugPrivilege	1516	WINRARL.EXE
Token: SeIncreaseQuotaPrivilege	2604	InstallUtil.exe
Token: SeSecurityPrivilege	2604	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	2604	InstallUtil.exe
Token: SeLoadDriverPrivilege	2604	InstallUtil.exe
Token: SeSystemProfilePrivilege	2604	InstallUtil.exe
Token: SeSystemtimePrivilege	2604	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	2604	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2604	InstallUtil.exe
Token: SeCreatePagefilePrivilege	2604	InstallUtil.exe
Token: SeBackupPrivilege	2604	InstallUtil.exe
Token: SeRestorePrivilege	2604	InstallUtil.exe
Token: SeShutdownPrivilege	2604	InstallUtil.exe
Token: SeDebugPrivilege	2604	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	2604	InstallUtil.exe
Token: SeChangeNotifyPrivilege	2604	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	2604	InstallUtil.exe
Token: SeUndockPrivilege	2604	InstallUtil.exe
Token: SeManageVolumePrivilege	2604	InstallUtil.exe
Token: SeImpersonatePrivilege	2604	InstallUtil.exe
Token: SeCreateGlobalPrivilege	2604	InstallUtil.exe
Token: 33	2604	InstallUtil.exe
Token: 34	2604	InstallUtil.exe
Token: 35	2604	InstallUtil.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AddInProcess32.exeInstallUtil.exeAddInProcess32.exeInstallUtil.exeCPUMON.EXEAUDIOPT.EXEWINLOGONS.EXE

pid process

452 AddInProcess32.exe
2604 InstallUtil.exe
2836 AddInProcess32.exe
3392 InstallUtil.exe
2780 CPUMON.EXE
3132 AUDIOPT.EXE
3040 WINLOGONS.EXE

pid	process
452	AddInProcess32.exe
2604	InstallUtil.exe
2836	AddInProcess32.exe
3392	InstallUtil.exe
2780	CPUMON.EXE
3132	AUDIOPT.EXE
3040	WINLOGONS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Doge-Miner203.execmd.execmd.exenotepad.exeAddInProcess32.exe

description	pid	process	target process
PID 1944 wrote to memory of 1448	1944	Doge-Miner203.exe	cmd.exe
PID 1944 wrote to memory of 1448	1944	Doge-Miner203.exe	cmd.exe
PID 1944 wrote to memory of 1448	1944	Doge-Miner203.exe	cmd.exe
PID 1944 wrote to memory of 1448	1944	Doge-Miner203.exe	cmd.exe
PID 1448 wrote to memory of 1240	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1240	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1240	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1240	1448	cmd.exe	PING.EXE
PID 1944 wrote to memory of 1776	1944	Doge-Miner203.exe	cmd.exe
PID 1944 wrote to memory of 1776	1944	Doge-Miner203.exe	cmd.exe
PID 1944 wrote to memory of 1776	1944	Doge-Miner203.exe	cmd.exe
PID 1944 wrote to memory of 1776	1944	Doge-Miner203.exe	cmd.exe
PID 1776 wrote to memory of 548	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 548	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 548	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 548	1776	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1300	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1300	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1300	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1300	1448	cmd.exe	reg.exe
PID 1776 wrote to memory of 1592	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 1592	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 1592	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 1592	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 1468	1776	cmd.exe	notepad.exe
PID 1776 wrote to memory of 1468	1776	cmd.exe	notepad.exe
PID 1776 wrote to memory of 1468	1776	cmd.exe	notepad.exe
PID 1776 wrote to memory of 1468	1776	cmd.exe	notepad.exe
PID 1776 wrote to memory of 1468	1776	cmd.exe	notepad.exe
PID 1776 wrote to memory of 1468	1776	cmd.exe	notepad.exe
PID 1776 wrote to memory of 1468	1776	cmd.exe	notepad.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 1468 wrote to memory of 452	1468	notepad.exe	AddInProcess32.exe
PID 452 wrote to memory of 392	452	AddInProcess32.exe	CPUMON.EXE
PID 452 wrote to memory of 392	452	AddInProcess32.exe	CPUMON.EXE
PID 452 wrote to memory of 392	452	AddInProcess32.exe	CPUMON.EXE
PID 452 wrote to memory of 392	452	AddInProcess32.exe	CPUMON.EXE
PID 452 wrote to memory of 1980	452	AddInProcess32.exe	MSCALC.EXE
PID 452 wrote to memory of 1980	452	AddInProcess32.exe	MSCALC.EXE
PID 452 wrote to memory of 1980	452	AddInProcess32.exe	MSCALC.EXE
PID 452 wrote to memory of 1980	452	AddInProcess32.exe	MSCALC.EXE
PID 452 wrote to memory of 1528	452	AddInProcess32.exe	USBDRV.EXE
PID 452 wrote to memory of 1528	452	AddInProcess32.exe	USBDRV.EXE
PID 452 wrote to memory of 1528	452	AddInProcess32.exe	USBDRV.EXE
PID 452 wrote to memory of 1528	452	AddInProcess32.exe	USBDRV.EXE
PID 452 wrote to memory of 1760	452	AddInProcess32.exe	WINLOGONS.EXE
PID 452 wrote to memory of 1760	452	AddInProcess32.exe	WINLOGONS.EXE
PID 452 wrote to memory of 1760	452	AddInProcess32.exe	WINLOGONS.EXE
PID 452 wrote to memory of 1760	452	AddInProcess32.exe	WINLOGONS.EXE
PID 452 wrote to memory of 1448	452	AddInProcess32.exe	WINRARL.EXE
PID 452 wrote to memory of 1448	452	AddInProcess32.exe	WINRARL.EXE
PID 452 wrote to memory of 1448	452	AddInProcess32.exe	WINRARL.EXE
PID 452 wrote to memory of 1448	452	AddInProcess32.exe	WINRARL.EXE
PID 1468 wrote to memory of 832	1468	notepad.exe	winnote.exe
PID 1468 wrote to memory of 832	1468	notepad.exe	winnote.exe
PID 1468 wrote to memory of 832	1468	notepad.exe	winnote.exe
PID 1468 wrote to memory of 832	1468	notepad.exe	winnote.exe
PID 452 wrote to memory of 984	452	AddInProcess32.exe	CPUMON.EXE

outlook_office_path 1 IoCs

Processes:

WINLOGONS.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE

outlook_win_path 1 IoCs

Processes:

WINLOGONS.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE

C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe
"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 37
3⤵
- Runs ping.exe
PID:1240

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1300

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
3⤵
- Runs ping.exe
PID:548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
3⤵
- Runs ping.exe
PID:1592

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE
"C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE
"C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"
6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
6⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
6⤵
- Executes dropped EXE
PID:2876

C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE
"C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
6⤵
PID:2340

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 38
7⤵
- Runs ping.exe
PID:2372

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
7⤵
- Modifies WinLogon for persistence
PID:3452

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"
6⤵
PID:2728

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 41
7⤵
- Runs ping.exe
PID:2800

C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE
"C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
6⤵
PID:2436

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 35
7⤵
- Runs ping.exe
PID:2468

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
7⤵
- Modifies WinLogon for persistence
PID:1604

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"
6⤵
PID:3596

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
7⤵
- Runs ping.exe
PID:3680

C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
6⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
8⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
8⤵
- Executes dropped EXE
PID:3724

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
8⤵
- Executes dropped EXE
PID:3732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
9⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
8⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
PID:3868

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
10⤵
PID:3256

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
10⤵
- Executes dropped EXE
PID:4092

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
10⤵
- Executes dropped EXE
PID:3800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
11⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
8⤵
- Executes dropped EXE
PID:3976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
9⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
8⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
8⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
8⤵
- Executes dropped EXE
PID:3472

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
7⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
8⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
8⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
8⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
7⤵
- Executes dropped EXE
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE
"C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"
5⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\AppData\Local\Temp\winnote.exe
"C:\Users\Admin\AppData\Local\Temp\winnote.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Users\Admin\AppData\Local\Temp\winnote.exe
"C:\Users\Admin\AppData\Local\Temp\winnote.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2480

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 37
5⤵
- Runs ping.exe
PID:1388

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:1664

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
5⤵
- Runs ping.exe
PID:3676

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2680

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
5⤵
- Runs ping.exe
PID:3704

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2136

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
5⤵
- Runs ping.exe
PID:3232

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2352

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 35
5⤵
- Runs ping.exe
PID:3792

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2788

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 35
5⤵
- Runs ping.exe
PID:2528

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:3972

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 38
5⤵
- Runs ping.exe
PID:2772

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:936

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 35
5⤵
- Runs ping.exe
PID:4044

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:4072

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 37
5⤵
- Runs ping.exe
PID:2396

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2404

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
5⤵
- Runs ping.exe
PID:2712

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2708

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
5⤵
- Runs ping.exe
PID:3412

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2364

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
5⤵
- Runs ping.exe
PID:3036

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2376

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 35
5⤵
- Runs ping.exe
PID:3320

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:3284

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 37
5⤵
- Runs ping.exe
PID:188

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2252

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
5⤵
- Runs ping.exe
PID:1412

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:1500

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
5⤵
- Runs ping.exe
PID:3524

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:584

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
5⤵
- Runs ping.exe
PID:2456

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:1360

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 35
5⤵
- Runs ping.exe
PID:3644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:1724

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
5⤵
- Runs ping.exe
PID:3052

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:1364

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
5⤵
- Runs ping.exe
PID:1640

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:3796

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
5⤵
- Runs ping.exe
PID:3784

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
4⤵
PID:2912

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 38
5⤵
- Runs ping.exe
PID:2744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.txt

Filesize
81B

MD5
eb584ccda6c7b0bb9209dc2568173e79

SHA1
dec5dbdc63fcaff27b6b3ca79e7718b7a97cebd0

SHA256
d84998002c4c1d1c247679160ed9068b1c418214905e7e4c611b269cb5757b2e

SHA512
72dc559b9ef361016eed55c33acb98c41e4f41dc0622d593f604613cd6907d9da63ecbba272661600013bb30f7e821956b4e9b93e39a5fdf192932f92cda69a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.txt

Filesize
81B

MD5
c843fc01b3cd3482ff6bf3e838173ab5

SHA1
55107c8bbf641dea424574c125e9d7316de9f0c3

SHA256
f677b5cc8e22334b61915a761426908628ce35c4319c402ab98b83de05d483ca

SHA512
644935f57d8dbc99c958d5da0cd4d651e11feecdc50798796f7e6c45e22356cc9c37e6bfc4e604aca85f703725ceb1566ecf3770f251aabb7c98f4fd7d32b7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.txt

Filesize
81B

MD5
c843fc01b3cd3482ff6bf3e838173ab5

SHA1
55107c8bbf641dea424574c125e9d7316de9f0c3

SHA256
f677b5cc8e22334b61915a761426908628ce35c4319c402ab98b83de05d483ca

SHA512
644935f57d8dbc99c958d5da0cd4d651e11feecdc50798796f7e6c45e22356cc9c37e6bfc4e604aca85f703725ceb1566ecf3770f251aabb7c98f4fd7d32b7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe

Filesize
6.1MB

MD5
d7e6fd264bc937e3646de58e551a29db

SHA1
1db4664777b17e004f71cee4002f9ccc430413e4

SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

SHA512
cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe

Filesize
6.1MB

MD5
d7e6fd264bc937e3646de58e551a29db

SHA1
1db4664777b17e004f71cee4002f9ccc430413e4

SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

SHA512
cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cb4a6d223896166b9e6293716b480445

SHA1
b3b8488620d64f3db5811848ab32746232c0b560

SHA256
907ffe38af9b30741d522755f7e83d117d9dccfce1b6c415bc788acbf4aceeb5

SHA512
5495f15f2b9961267ff9e7419a256dabda1fcc753a494f9dcd20bb231211ec6da7b740d68215208a7e842c7a914c8b79a2dee7f92b070a86d50cffc6359b1f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cb4a6d223896166b9e6293716b480445

SHA1
b3b8488620d64f3db5811848ab32746232c0b560

SHA256
907ffe38af9b30741d522755f7e83d117d9dccfce1b6c415bc788acbf4aceeb5

SHA512
5495f15f2b9961267ff9e7419a256dabda1fcc753a494f9dcd20bb231211ec6da7b740d68215208a7e842c7a914c8b79a2dee7f92b070a86d50cffc6359b1f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cb4a6d223896166b9e6293716b480445

SHA1
b3b8488620d64f3db5811848ab32746232c0b560

SHA256
907ffe38af9b30741d522755f7e83d117d9dccfce1b6c415bc788acbf4aceeb5

SHA512
5495f15f2b9961267ff9e7419a256dabda1fcc753a494f9dcd20bb231211ec6da7b740d68215208a7e842c7a914c8b79a2dee7f92b070a86d50cffc6359b1f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Uyhtq\Lfczxnkd.exe

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe

Filesize
6.1MB

MD5
d7e6fd264bc937e3646de58e551a29db

SHA1
1db4664777b17e004f71cee4002f9ccc430413e4

SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

SHA512
cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

Download Submit
memory/392-84-0x0000000000000000-mapping.dmp

Download
memory/392-89-0x0000000000FB0000-0x000000000113C000-memory.dmp

Filesize
1.5MB

Download
memory/452-72-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/452-103-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/452-73-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/452-75-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/452-159-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/452-78-0x0000000000A0A730-mapping.dmp

Download
memory/452-82-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/452-77-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/452-81-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/548-61-0x0000000000000000-mapping.dmp

Download
memory/612-145-0x0000000000000000-mapping.dmp

Download
memory/832-116-0x0000000000000000-mapping.dmp

Download
memory/832-119-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download
memory/984-122-0x0000000000000000-mapping.dmp

Download
memory/1240-59-0x0000000000000000-mapping.dmp

Download
memory/1268-368-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1268-356-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1268-305-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1268-280-0x0000000000000000-mapping.dmp

Download
memory/1300-62-0x0000000000000000-mapping.dmp

Download
memory/1316-130-0x0000000000000000-mapping.dmp

Download
memory/1448-109-0x0000000000000000-mapping.dmp

Download
memory/1448-141-0x0000000000C90000-0x0000000000CDC000-memory.dmp

Filesize
304KB

Download
memory/1448-120-0x00000000054B0000-0x000000000569C000-memory.dmp

Filesize
1.9MB

Download
memory/1448-114-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

Filesize
24KB

Download
memory/1448-58-0x0000000000000000-mapping.dmp

Download
memory/1448-112-0x0000000000260000-0x000000000048A000-memory.dmp

Filesize
2.2MB

Download
memory/1468-65-0x0000000000000000-mapping.dmp

Download
memory/1468-68-0x0000000000040000-0x000000000065A000-memory.dmp

Filesize
6.1MB

Download
memory/1468-70-0x00000000025B0000-0x00000000025CA000-memory.dmp

Filesize
104KB

Download
memory/1468-71-0x0000000000AD0000-0x0000000000AD6000-memory.dmp

Filesize
24KB

Download
memory/1480-127-0x0000000000000000-mapping.dmp

Download
memory/1516-134-0x0000000000000000-mapping.dmp

Download
memory/1528-102-0x0000000000310000-0x00000000003B8000-memory.dmp

Filesize
672KB

Download
memory/1528-96-0x0000000000000000-mapping.dmp

Download
memory/1592-63-0x0000000000000000-mapping.dmp

Download
memory/1716-233-0x0000000000000000-mapping.dmp

Download
memory/1716-243-0x0000000000340000-0x00000000003C6000-memory.dmp

Filesize
536KB

Download
memory/1716-246-0x0000000000690000-0x00000000006EC000-memory.dmp

Filesize
368KB

Download
memory/1760-99-0x0000000000000000-mapping.dmp

Download
memory/1760-106-0x0000000001280000-0x0000000001314000-memory.dmp

Filesize
592KB

Download
memory/1772-125-0x0000000000000000-mapping.dmp

Download
memory/1776-60-0x0000000000000000-mapping.dmp

Download
memory/1940-303-0x0000000000000000-mapping.dmp

Download
memory/1944-57-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/1944-56-0x0000000000CD0000-0x0000000000D00000-memory.dmp

Filesize
192KB

Download
memory/1944-54-0x00000000000F0000-0x000000000070A000-memory.dmp

Filesize
6.1MB

Download
memory/1944-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1980-88-0x0000000000000000-mapping.dmp

Download
memory/1980-92-0x0000000000A00000-0x0000000000A78000-memory.dmp

Filesize
480KB

Download
memory/2092-286-0x0000000000000000-mapping.dmp

Download
memory/2124-445-0x00000000004C6E20-mapping.dmp

Download
memory/2136-161-0x000000006C810000-0x000000006CDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-162-0x000000006C810000-0x000000006CDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-154-0x000000006C810000-0x000000006CDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-149-0x0000000000000000-mapping.dmp

Download
memory/2144-153-0x000000006C810000-0x000000006CDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2144-148-0x0000000000000000-mapping.dmp

Download
memory/2144-160-0x000000006C810000-0x000000006CDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2144-163-0x000000006C810000-0x000000006CDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2160-255-0x0000000000000000-mapping.dmp

Download
memory/2160-298-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-321-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-364-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2276-293-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2276-256-0x0000000000000000-mapping.dmp

Download
memory/2276-318-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2276-348-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-272-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-245-0x0000000000000000-mapping.dmp

Download
memory/2320-315-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-281-0x0000000000000000-mapping.dmp

Download
memory/2340-155-0x0000000000000000-mapping.dmp

Download
memory/2372-156-0x0000000000000000-mapping.dmp

Download
memory/2380-289-0x0000000000000000-mapping.dmp

Download
memory/2396-302-0x0000000000000000-mapping.dmp

Download
memory/2396-381-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-312-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-157-0x0000000000000000-mapping.dmp

Download
memory/2468-158-0x0000000000000000-mapping.dmp

Download
memory/2476-311-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2476-295-0x0000000000000000-mapping.dmp

Download
memory/2476-363-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-251-0x0000000000F20000-0x0000000000FA8000-memory.dmp

Filesize
544KB

Download
memory/2536-248-0x0000000000000000-mapping.dmp

Download
memory/2536-260-0x0000000000DC0000-0x0000000000E1C000-memory.dmp

Filesize
368KB

Download
memory/2552-253-0x0000000000000000-mapping.dmp

Download
memory/2552-269-0x0000000000A80000-0x0000000000ADA000-memory.dmp

Filesize
360KB

Download
memory/2552-263-0x0000000000EC0000-0x0000000000F46000-memory.dmp

Filesize
536KB

Download
memory/2560-313-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-304-0x0000000000000000-mapping.dmp

Download
memory/2584-175-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2584-166-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2584-165-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2584-177-0x0000000000850190-mapping.dmp

Download
memory/2584-170-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2604-207-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2604-178-0x0000000000850190-mapping.dmp

Download
memory/2604-185-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2604-314-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2604-189-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2652-273-0x00000000002C0000-0x0000000000310000-memory.dmp

Filesize
320KB

Download
memory/2652-268-0x00000000013E0000-0x000000000145C000-memory.dmp

Filesize
496KB

Download
memory/2652-262-0x0000000000000000-mapping.dmp

Download
memory/2656-279-0x0000000000000000-mapping.dmp

Download
memory/2656-296-0x0000000004EE0000-0x0000000004F82000-memory.dmp

Filesize
648KB

Download
memory/2676-283-0x0000000000000000-mapping.dmp

Download
memory/2728-184-0x0000000000000000-mapping.dmp

Download
memory/2772-360-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-287-0x0000000000000000-mapping.dmp

Download
memory/2772-309-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-191-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2780-326-0x00000000004C6E20-mapping.dmp

Download
memory/2780-344-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2780-188-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2780-198-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2800-186-0x0000000000000000-mapping.dmp

Download
memory/2836-192-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2836-190-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2836-201-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2836-345-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2836-331-0x00000000004B56B0-mapping.dmp

Download
memory/2876-204-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2876-218-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2876-357-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2876-211-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2876-209-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2876-336-0x000000000040B556-mapping.dmp

Download
memory/2876-197-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2876-202-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2888-284-0x0000000000000000-mapping.dmp

Download
memory/2888-339-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-370-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-307-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-200-0x0000000000000000-mapping.dmp

Download
memory/2936-210-0x0000000000D60000-0x0000000000E5A000-memory.dmp

Filesize
1000KB

Download
memory/2936-226-0x00000000047A0000-0x0000000004842000-memory.dmp

Filesize
648KB

Download
memory/2936-214-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2964-294-0x0000000000000000-mapping.dmp

Download
memory/3040-349-0x000000000040B556-mapping.dmp

Download
memory/3056-240-0x00000000009F0000-0x0000000000A78000-memory.dmp

Filesize
544KB

Download
memory/3056-227-0x0000000000F50000-0x0000000001008000-memory.dmp

Filesize
736KB

Download
memory/3056-217-0x0000000000000000-mapping.dmp

Download
memory/3132-440-0x00000000004B56A0-mapping.dmp

Download
memory/3392-366-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3392-323-0x00000000004C6E20-mapping.dmp

Download
memory/3596-346-0x0000000000000000-mapping.dmp

Download
memory/3680-351-0x0000000000000000-mapping.dmp

Download
memory/3732-379-0x0000000000406DE6-mapping.dmp

Download
memory/3868-412-0x0000000000406DE6-mapping.dmp

Download
memory/3976-429-0x0000000000405CE2-mapping.dmp

Download