asyncrat | 1a2d91d4583245bfd63a9b9da90337ba7d4527482c59e26225403500a5cd5379

Resubmissions

21-02-2024 19:45

240221-ygpwbaed6y 10

21-02-2024 19:44

240221-yga26aeh56 3

Analysis

max time kernel
164s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
submitted
21-02-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8/PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr

Score

10^/10

asyncrat babylonrat darkcomet warzonerat new-july-july4-0 new-july-july4-02 null discovery infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

babylonrat

dgorijan20785.hopto.org

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/5316-388-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5316-402-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5736-443-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4616-447-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1452-422-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5736-463-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Executes dropped EXE 33 IoCs

pid	Process
516	ADOBESERV.EXE
3004	AUDIOPT.EXE
1588	DRVVIDEO.EXE
4392	WINCPUL.EXE
4632	WINPLAY.EXE
3616	WINLOGONL.EXE
3224	ADOBESERV.EXE
4408	AUDIOPT.EXE
1468	DRVVIDEO.EXE
2484	WINCPUL.EXE
3844	WINLOGONL.EXE
3516	WINPLAY.EXE
5524	AUDIOPT.EXE
5316	WINCPUL.EXE
3964	AUDIOPT.EXE
4232	WINCPUL.EXE
5512	DRVVIDEO.EXE
5600	DRVVIDEO.EXE
2520	WINLOGONL.EXE
5648	WINPLAY.EXE
5824	WINLOGONL.EXE
4616	DRVVIDEO.EXE
1452	DRVVIDEO.EXE
4148	WINPLAY.EXE
5736	WINLOGONL.EXE
2920	WINLOGONL.EXE
5836	AUDIOPT.EXE
5332	wintsklt.exe
812	wintskl.exe
5152	wintsklt.exe
5060	wintskl.exe
5620	wintskl.exe
2484	wintskl.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 516 set thread context of 5692	516	ADOBESERV.EXE	133
PID 4392 set thread context of 5316	4392	WINCPUL.EXE	135
PID 3004 set thread context of 3964	3004	AUDIOPT.EXE	137
PID 2484 set thread context of 4232	2484	WINCPUL.EXE	139
PID 3516 set thread context of 5648	3516	WINPLAY.EXE	147
PID 1588 set thread context of 1452	1588	DRVVIDEO.EXE	145
PID 1468 set thread context of 4616	1468	DRVVIDEO.EXE	140
PID 3224 set thread context of 5616	3224	ADOBESERV.EXE	149
PID 4632 set thread context of 4148	4632	WINPLAY.EXE	143
PID 3844 set thread context of 5736	3844	WINLOGONL.EXE	142
PID 3616 set thread context of 2920	3616	WINLOGONL.EXE	141
PID 4408 set thread context of 5836	4408	AUDIOPT.EXE	150
PID 5332 set thread context of 5152	5332	wintsklt.exe	166
PID 812 set thread context of 2484	812	wintskl.exe	171

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3980-37-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-40-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-42-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-140-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-147-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-137-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/5692-321-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-325-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-326-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-328-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-332-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-337-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-356-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-357-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3964-389-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-441-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-409-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-405-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-396-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-450-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGONL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINPLAY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADOBESERV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUDIOPT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINPLAY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINCPUL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRVVIDEO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintskl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINCPUL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINCPUL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUDIOPT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRVVIDEO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUDIOPT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGONL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintskl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRVVIDEO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADOBESERV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGONL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINCPUL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINPLAY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRVVIDEO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGONL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintsklt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintsklt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINPLAY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUDIOPT.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5240	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	powershell.exe
1452	powershell.exe
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2984	powershell.exe
2984	powershell.exe
1876	powershell.exe
1876	powershell.exe
2356	powershell.exe
2356	powershell.exe
4440	powershell.exe
4440	powershell.exe
1928	powershell.exe
1928	powershell.exe
64	powershell.exe
64	powershell.exe
2696	powershell.exe
2696	powershell.exe
3144	powershell.exe
3144	powershell.exe
3180	powershell.exe
3180	powershell.exe
1208	powershell.exe
1208	powershell.exe
3420	powershell.exe
3420	powershell.exe
4676	powershell.exe
4676	powershell.exe
1876	powershell.exe
2984	powershell.exe
2356	powershell.exe
3180	powershell.exe
1928	powershell.exe
4440	powershell.exe
3144	powershell.exe
64	powershell.exe
2696	powershell.exe
3420	powershell.exe
4676	powershell.exe
1208	powershell.exe
516	ADOBESERV.EXE
516	ADOBESERV.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
4392	WINCPUL.EXE
4392	WINCPUL.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
2484	WINCPUL.EXE
2484	WINCPUL.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5692	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Token: SeIncreaseQuotaPrivilege	3980	InstallUtil.exe
Token: SeSecurityPrivilege	3980	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	3980	InstallUtil.exe
Token: SeLoadDriverPrivilege	3980	InstallUtil.exe
Token: SeSystemProfilePrivilege	3980	InstallUtil.exe
Token: SeSystemtimePrivilege	3980	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	3980	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3980	InstallUtil.exe
Token: SeCreatePagefilePrivilege	3980	InstallUtil.exe
Token: SeBackupPrivilege	3980	InstallUtil.exe
Token: SeRestorePrivilege	3980	InstallUtil.exe
Token: SeShutdownPrivilege	3980	InstallUtil.exe
Token: SeDebugPrivilege	3980	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	3980	InstallUtil.exe
Token: SeChangeNotifyPrivilege	3980	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	3980	InstallUtil.exe
Token: SeUndockPrivilege	3980	InstallUtil.exe
Token: SeManageVolumePrivilege	3980	InstallUtil.exe
Token: SeImpersonatePrivilege	3980	InstallUtil.exe
Token: SeCreateGlobalPrivilege	3980	InstallUtil.exe
Token: 33	3980	InstallUtil.exe
Token: 34	3980	InstallUtil.exe
Token: 35	3980	InstallUtil.exe
Token: 36	3980	InstallUtil.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	516	ADOBESERV.EXE
Token: SeShutdownPrivilege	5692	InstallUtil.exe
Token: SeDebugPrivilege	5692	InstallUtil.exe
Token: SeTcbPrivilege	5692	InstallUtil.exe
Token: SeDebugPrivilege	3004	AUDIOPT.EXE
Token: SeDebugPrivilege	1468	DRVVIDEO.EXE
Token: SeDebugPrivilege	4392	WINCPUL.EXE
Token: SeDebugPrivilege	3224	ADOBESERV.EXE
Token: SeDebugPrivilege	2484	WINCPUL.EXE
Token: SeDebugPrivilege	1588	DRVVIDEO.EXE
Token: SeDebugPrivilege	3844	WINLOGONL.EXE
Token: SeDebugPrivilege	3516	WINPLAY.EXE
Token: SeDebugPrivilege	4632	WINPLAY.EXE
Token: SeDebugPrivilege	3616	WINLOGONL.EXE
Token: SeIncreaseQuotaPrivilege	3964	AUDIOPT.EXE
Token: SeSecurityPrivilege	3964	AUDIOPT.EXE
Token: SeTakeOwnershipPrivilege	3964	AUDIOPT.EXE
Token: SeLoadDriverPrivilege	3964	AUDIOPT.EXE
Token: SeSystemProfilePrivilege	3964	AUDIOPT.EXE
Token: SeSystemtimePrivilege	3964	AUDIOPT.EXE
Token: SeProfSingleProcessPrivilege	3964	AUDIOPT.EXE
Token: SeIncBasePriorityPrivilege	3964	AUDIOPT.EXE
Token: SeCreatePagefilePrivilege	3964	AUDIOPT.EXE
Token: SeBackupPrivilege	3964	AUDIOPT.EXE
Token: SeRestorePrivilege	3964	AUDIOPT.EXE
Token: SeShutdownPrivilege	3964	AUDIOPT.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3980	InstallUtil.exe
5692	InstallUtil.exe
3964	AUDIOPT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1452	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	89
PID 2232 wrote to memory of 1452	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	89
PID 2232 wrote to memory of 1452	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	89
PID 2232 wrote to memory of 1264	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	93
PID 2232 wrote to memory of 1264	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	93
PID 2232 wrote to memory of 1264	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	93
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	94
PID 3980 wrote to memory of 516	3980	InstallUtil.exe	95
PID 3980 wrote to memory of 516	3980	InstallUtil.exe	95
PID 3980 wrote to memory of 516	3980	InstallUtil.exe	95
PID 3980 wrote to memory of 3004	3980	InstallUtil.exe	96
PID 3980 wrote to memory of 3004	3980	InstallUtil.exe	96
PID 3980 wrote to memory of 3004	3980	InstallUtil.exe	96
PID 3980 wrote to memory of 1588	3980	InstallUtil.exe	97
PID 3980 wrote to memory of 1588	3980	InstallUtil.exe	97
PID 3980 wrote to memory of 1588	3980	InstallUtil.exe	97
PID 3980 wrote to memory of 4392	3980	InstallUtil.exe	98
PID 3980 wrote to memory of 4392	3980	InstallUtil.exe	98
PID 3980 wrote to memory of 4392	3980	InstallUtil.exe	98
PID 3980 wrote to memory of 3616	3980	InstallUtil.exe	100
PID 3980 wrote to memory of 3616	3980	InstallUtil.exe	100
PID 3980 wrote to memory of 3616	3980	InstallUtil.exe	100
PID 3980 wrote to memory of 4632	3980	InstallUtil.exe	99
PID 3980 wrote to memory of 4632	3980	InstallUtil.exe	99
PID 3980 wrote to memory of 4632	3980	InstallUtil.exe	99
PID 3980 wrote to memory of 3224	3980	InstallUtil.exe	106
PID 3980 wrote to memory of 3224	3980	InstallUtil.exe	106
PID 3980 wrote to memory of 3224	3980	InstallUtil.exe	106
PID 3980 wrote to memory of 4408	3980	InstallUtil.exe	105
PID 3980 wrote to memory of 4408	3980	InstallUtil.exe	105
PID 3980 wrote to memory of 4408	3980	InstallUtil.exe	105
PID 3980 wrote to memory of 1468	3980	InstallUtil.exe	104
PID 3980 wrote to memory of 1468	3980	InstallUtil.exe	104
PID 3980 wrote to memory of 1468	3980	InstallUtil.exe	104
PID 3980 wrote to memory of 2484	3980	InstallUtil.exe	103
PID 3980 wrote to memory of 2484	3980	InstallUtil.exe	103
PID 3980 wrote to memory of 2484	3980	InstallUtil.exe	103
PID 3980 wrote to memory of 3844	3980	InstallUtil.exe	102
PID 3980 wrote to memory of 3844	3980	InstallUtil.exe	102
PID 3980 wrote to memory of 3844	3980	InstallUtil.exe	102
PID 3980 wrote to memory of 3516	3980	InstallUtil.exe	101
PID 3980 wrote to memory of 3516	3980	InstallUtil.exe	101
PID 3980 wrote to memory of 3516	3980	InstallUtil.exe	101
PID 516 wrote to memory of 1876	516	ADOBESERV.EXE	107
PID 516 wrote to memory of 1876	516	ADOBESERV.EXE	107
PID 516 wrote to memory of 1876	516	ADOBESERV.EXE	107
PID 3004 wrote to memory of 2984	3004	AUDIOPT.EXE	116
PID 3004 wrote to memory of 2984	3004	AUDIOPT.EXE	116
PID 3004 wrote to memory of 2984	3004	AUDIOPT.EXE	116
PID 4392 wrote to memory of 4440	4392	WINCPUL.EXE	114
PID 4392 wrote to memory of 4440	4392	WINCPUL.EXE	114
PID 4392 wrote to memory of 4440	4392	WINCPUL.EXE	114
PID 4632 wrote to memory of 3180	4632	WINPLAY.EXE	113
PID 4632 wrote to memory of 3180	4632	WINPLAY.EXE	113
PID 4632 wrote to memory of 3180	4632	WINPLAY.EXE	113
PID 3616 wrote to memory of 64	3616	WINLOGONL.EXE	109
PID 3616 wrote to memory of 64	3616	WINLOGONL.EXE	109
PID 3616 wrote to memory of 64	3616	WINLOGONL.EXE	109

C:\Users\Admin\AppData\Local\Temp\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
"C:\Users\Admin\AppData\Local\Temp\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr" /S
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
    "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5692
- - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
    "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      4⤵
      Executes dropped EXE
      PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3964
- - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
    "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
- - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:5316
    - - C:\Users\Admin\Documents\wintsklt.exe
        
        "C:\Users\Admin\Documents\wintsklt.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5332
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
      - C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
- - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4148
- - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:64
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:912
- - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5240
      - C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        7⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        7⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
- - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      Executes dropped EXE
      PID:5824
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      Executes dropped EXE
      PID:2520
- - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4232
- - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
    "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      4⤵
      Executes dropped EXE
      PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      4⤵
      Executes dropped EXE
      PID:5600
- - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
    "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5836
- - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
    "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:5616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRVVIDEO.EXE.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
8f14c88e146f0b0fb1efaedb7aa44d70

SHA1
e24d9b075b4acedf9e796b3270f50f7e3374e80f

SHA256
168cfdc40e24cac1fbec5368233524d93fb60d7411c323a595cbd50a47062ab3

SHA512
67f43d8927dc9acf647fac9bb60fbf79b68073f43f39c23d4e19b0d7c3407b32287f0a4f19ffdeeb50a6a296b446a5b8ec351271c6959178c3889fda0c90e4ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
cb20201b18e9dd7e1b15214b77c84b05

SHA1
d06ce27c11a362d62e8f61b42b195938038217c3

SHA256
06a23145f56d83f0b4e58db0c189478d58acd8f12739955014b4f055ddc4d982

SHA512
19cbeda4506019a1b283f941d96ff6452d4283acd82df0a3eb33ac56ef43dc4a9d6768abc7daaf1fc1f661a89b5a50b078e4f6a14c6556e4bb183b84611ab5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
968d97b735640b5da0b49d6a13fb74d7

SHA1
8360a6632b718101dd7ad81be08fa3ec3de351d0

SHA256
77bf45115cf0297647d3d650beb14abf68ce8870f1f470b468b889eeb5c8c18f

SHA512
a6d9f49845b4a18af2e4382858b84f5ff8787713fe2ead395e9e1afd3ac0be899720389075842086d705822258aab57caa1feb791679b3e155442de193ad25bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0dec2b3a16ad7e53e375a134419f51d5

SHA1
f900dbb5a9adf442f0fc42b9e0aeeb8eb216fc3d

SHA256
59da27034e8d6fc11391c6d4e3ffbd78151f121b4977d4bd2836283a0010f60e

SHA512
7b99c2a722726a86c6ab2d7f6c48bb088f5d6e050928ecba0da77908ae3534a8172120114985dc0859aba8e1ad78c348f4205537b9e505e0051458761a3f1701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
86e18c7d680fedddbc5cdf2437047929

SHA1
ef727ad22cb4540f652c6f04070d7e5549942ca5

SHA256
f20549df0a722fb6a1ee10619eae0a8514a97c29babc61abb09441697079faff

SHA512
16accb9c843cf81e74030a21eaa1434a748333fbf657c407b55aacb9aeb0edb67570508ac79edced268bd49e7456bdac558b940f17de0806a9bd5b1b68160fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
14ffb88a806ff55353d1170abf9235c5

SHA1
db7a113a1c8c7602d627620c6e67119c989a8404

SHA256
c48c6bf56ee96cb2a424e7ba7ae2064aa069882e59756b2af6b0df0fe0ff2420

SHA512
22611a36aefc0bf9be2450a088464743037d4a98135ef4967a0e3afb6ddb75ff1fd6215679ed772407982e71a59a6c7b9a5f504fd4ac2b2867366a662ff95e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
6d11288bb16279cce7acc98d5d087a98

SHA1
21c24dc04ba074cfce14424b4060673c9819f12b

SHA256
8884d01e6f2c75dacd44ceb88a6b148858fbf3696a40dcf311878483d789cd30

SHA512
9241a4476a234e9b4a80e2c21c665ebd7f1cd72baefec3eb4d72fee4cf1ff8f92ffb08c2f5538bf146441da7760d726400b44c2c366f73038d79a952e5ac663b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
8bd6e4ee5c4c26c65a0723b1a13dd7a2

SHA1
b2b4919fe14e2207077990b19800938c011901a5

SHA256
63b167f111760658cf7e950e72acccf13c5be2bcccdad46eb6645d75827320e5

SHA512
d603521c3d909300a6e2ebb509a6c95c47ece476fbe244c037aeff6f61624cd11a5286a0bfe30fc2938bf0760d1527741efe57c14b95184d1c1faf3074eed8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j3nvxads.sew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.bat

Filesize
151B

MD5
c63f5e9c5cd6e3883cf7c857dc828079

SHA1
e3ce0019abb516f28af22a0375f9c18a208d8ef0

SHA256
e01cf52ae87c2a8c96415a54953589c6c165fb8ac9d350f39fdbbbb8570d121e

SHA512
78bcbc8c63378c03b6d6d6535b288d2d0fb266b5d2990c9b34d22ed211b8c2341e406bb859134447cd4493a609c099358cca2f27fd28fa2fd6289a5f230c29e8

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
40.3MB

MD5
8c6244896d139cd27fbbc6a004cc1c45

SHA1
01205c4050844d4fdafed0f400a837d7ce336edf

SHA256
3d3309071c4e63a33c044fc077595ab463ed2818d9f92c7e5025c310e9a27d85

SHA512
1c6816cb93f1d83629525658da99ed51923a16bfbdeec95c98501f470e4de278af04fd3013043474919b7a55241c04e3d6f540dcccf0b009943068ee8213f55f

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/516-98-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/516-87-0x0000000000210000-0x000000000030A000-memory.dmp

Filesize
1000KB

Download
memory/516-130-0x00000000050C0000-0x0000000005162000-memory.dmp

Filesize
648KB

Download
memory/516-73-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/516-149-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/912-523-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1452-28-0x0000000006360000-0x000000000637A000-memory.dmp

Filesize
104KB

Download
memory/1452-16-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/1452-9-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1452-8-0x0000000000D30000-0x0000000000D66000-memory.dmp

Filesize
216KB

Download
memory/1452-35-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1452-33-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1452-32-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1452-10-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1452-11-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/1452-27-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/1452-422-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1452-13-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/1452-26-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/1452-25-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/1452-24-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/1452-12-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

Filesize
136KB

Download
memory/1468-138-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1468-144-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1588-117-0x0000000000CF0000-0x0000000000D76000-memory.dmp

Filesize
536KB

Download
memory/1588-142-0x0000000005CB0000-0x0000000005D0C000-memory.dmp

Filesize
368KB

Download
memory/1588-110-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1588-125-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/1876-156-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1876-155-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/2232-2-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2232-6-0x00000000069F0000-0x0000000006BDC000-memory.dmp

Filesize
1.9MB

Download
memory/2232-41-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2232-0-0x0000000000800000-0x0000000000A06000-memory.dmp

Filesize
2.0MB

Download
memory/2232-5-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/2232-4-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/2232-30-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2232-3-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/2232-7-0x0000000006BE0000-0x0000000006C2C000-memory.dmp

Filesize
304KB

Download
memory/2232-1-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2232-31-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2484-154-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2484-153-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3004-88-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3004-112-0x0000000000BB0000-0x0000000000C68000-memory.dmp

Filesize
736KB

Download
memory/3004-134-0x00000000066A0000-0x0000000006728000-memory.dmp

Filesize
544KB

Download
memory/3160-567-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3224-151-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3516-145-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3516-143-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3616-141-0x0000000006D00000-0x0000000006D5A000-memory.dmp

Filesize
360KB

Download
memory/3616-132-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3616-123-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3616-121-0x0000000000DF0000-0x0000000000E76000-memory.dmp

Filesize
536KB

Download
memory/3844-152-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3844-146-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3964-389-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-441-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-409-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-405-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-396-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-450-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3980-40-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-140-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-37-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-42-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-43-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3980-147-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-137-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/4392-136-0x0000000004E90000-0x0000000004EEC000-memory.dmp

Filesize
368KB

Download
memory/4392-118-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/4392-119-0x00000000001E0000-0x0000000000268000-memory.dmp

Filesize
544KB

Download
memory/4392-150-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4408-135-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/4408-148-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4616-447-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4632-139-0x0000000004E80000-0x0000000004ED0000-memory.dmp

Filesize
320KB

Download
memory/4632-131-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4632-120-0x00000000002C0000-0x000000000033C000-memory.dmp

Filesize
496KB

Download
memory/4632-122-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/5112-521-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/5316-402-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5316-388-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5648-420-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5692-321-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-337-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-325-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-326-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-328-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-332-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-357-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-356-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5736-443-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5736-463-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download