asyncrat | 1a2d91d4583245bfd63a9b9da90337ba7d4527482c59e26225403500a5cd5379

Resubmissions

21-02-2024 19:45

240221-ygpwbaed6y 10

21-02-2024 19:44

240221-yga26aeh56 3

Analysis

max time kernel
164s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8/PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Size

2.0MB
MD5

9e24897df35b09b2b67823b1e47a5b24
SHA1

f878bad995d4188f1de75263724f5935fc6a2408
SHA256

6b0fe8528ae159c1c6dbe6275f1e89d1aabafe842cb4ec01df7eb0d47d0a0358
SHA512

1f0b56b1c0166f3a8cf15e231c7a62bb3e3d38e355c37ea3a1a4d02b339564f81559203371eb04ca725e7b1b95b999be29938166570edd4c288eb7ab1c6341e6
SSDEEP

49152:moUM9eEZyfky3a7B9L787fYIdLVYZcl+:bUMHyR3sB9q7CKA

Score

10^/10

asyncrat babylonrat darkcomet warzonerat new-july-july4-0 new-july-july4-02 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5316-388-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5316-402-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5736-443-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4616-447-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1452-422-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5736-463-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

InstallUtil.exeAUDIOPT.EXEAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DRVVIDEO.EXEADOBESERV.EXEAUDIOPT.EXEADOBESERV.EXEWINLOGONL.EXEWINPLAY.EXEWINCPUL.EXEPrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scrWINPLAY.EXEAUDIOPT.EXEDRVVIDEO.EXEWINPLAY.EXEWINLOGONL.EXEWINCPUL.EXEwintsklt.exewintskl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	wintskl.exe

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Executes dropped EXE 33 IoCs

Processes:

ADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINPLAY.EXEWINLOGONL.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEAUDIOPT.EXEWINCPUL.EXEAUDIOPT.EXEWINCPUL.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINLOGONL.EXEWINPLAY.EXEWINLOGONL.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINPLAY.EXEWINLOGONL.EXEWINLOGONL.EXEAUDIOPT.EXEwintsklt.exewintskl.exewintsklt.exewintskl.exewintskl.exewintskl.exe

pid	process
516	ADOBESERV.EXE
3004	AUDIOPT.EXE
1588	DRVVIDEO.EXE
4392	WINCPUL.EXE
4632	WINPLAY.EXE
3616	WINLOGONL.EXE
3224	ADOBESERV.EXE
4408	AUDIOPT.EXE
1468	DRVVIDEO.EXE
2484	WINCPUL.EXE
3844	WINLOGONL.EXE
3516	WINPLAY.EXE
5524	AUDIOPT.EXE
5316	WINCPUL.EXE
3964	AUDIOPT.EXE
4232	WINCPUL.EXE
5512	DRVVIDEO.EXE
5600	DRVVIDEO.EXE
2520	WINLOGONL.EXE
5648	WINPLAY.EXE
5824	WINLOGONL.EXE
4616	DRVVIDEO.EXE
1452	DRVVIDEO.EXE
4148	WINPLAY.EXE
5736	WINLOGONL.EXE
2920	WINLOGONL.EXE
5836	AUDIOPT.EXE
5332	wintsklt.exe
812	wintskl.exe
5152	wintsklt.exe
5060	wintskl.exe
5620	wintskl.exe
2484	wintskl.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3980-37-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-40-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-42-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-140-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-147-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3980-137-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/5692-321-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-325-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-326-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-328-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-332-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-337-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-356-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5692-357-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3964-389-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-441-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-409-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-405-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-396-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3964-450-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AUDIOPT.EXEWINLOGONL.EXEWINLOGONL.EXEAUDIOPT.EXEDRVVIDEO.EXEADOBESERV.EXEDRVVIDEO.EXEWINCPUL.EXEPrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scrADOBESERV.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE

Suspicious use of SetThreadContext 15 IoCs

Processes:

PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scrADOBESERV.EXEWINCPUL.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEDRVVIDEO.EXEDRVVIDEO.EXEADOBESERV.EXEWINPLAY.EXEWINLOGONL.EXEWINLOGONL.EXEAUDIOPT.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 2232 set thread context of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 516 set thread context of 5692	516	ADOBESERV.EXE	InstallUtil.exe
PID 4392 set thread context of 5316	4392	WINCPUL.EXE	WINCPUL.EXE
PID 3004 set thread context of 3964	3004	AUDIOPT.EXE	AUDIOPT.EXE
PID 2484 set thread context of 4232	2484	WINCPUL.EXE	WINCPUL.EXE
PID 3516 set thread context of 5648	3516	WINPLAY.EXE	WINPLAY.EXE
PID 1588 set thread context of 1452	1588	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 1468 set thread context of 4616	1468	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 3224 set thread context of 5616	3224	ADOBESERV.EXE	InstallUtil.exe
PID 4632 set thread context of 4148	4632	WINPLAY.EXE	WINPLAY.EXE
PID 3844 set thread context of 5736	3844	WINLOGONL.EXE	WINLOGONL.EXE
PID 3616 set thread context of 2920	3616	WINLOGONL.EXE	WINLOGONL.EXE
PID 4408 set thread context of 5836	4408	AUDIOPT.EXE	AUDIOPT.EXE
PID 5332 set thread context of 5152	5332	wintsklt.exe	wintsklt.exe
PID 812 set thread context of 2484	812	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

112 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5240 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

pid	process
112	schtasks.exe

pid	process
5240	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exePrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scrpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeADOBESERV.EXEAUDIOPT.EXEWINCPUL.EXEWINCPUL.EXEDRVVIDEO.EXE

pid	process
1452	powershell.exe
1452	powershell.exe
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
2984	powershell.exe
2984	powershell.exe
1876	powershell.exe
1876	powershell.exe
2356	powershell.exe
2356	powershell.exe
4440	powershell.exe
4440	powershell.exe
1928	powershell.exe
1928	powershell.exe
64	powershell.exe
64	powershell.exe
2696	powershell.exe
2696	powershell.exe
3144	powershell.exe
3144	powershell.exe
3180	powershell.exe
3180	powershell.exe
1208	powershell.exe
1208	powershell.exe
3420	powershell.exe
3420	powershell.exe
4676	powershell.exe
4676	powershell.exe
1876	powershell.exe
2984	powershell.exe
2356	powershell.exe
3180	powershell.exe
1928	powershell.exe
4440	powershell.exe
3144	powershell.exe
64	powershell.exe
2696	powershell.exe
3420	powershell.exe
4676	powershell.exe
1208	powershell.exe
516	ADOBESERV.EXE
516	ADOBESERV.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
4392	WINCPUL.EXE
4392	WINCPUL.EXE
3004	AUDIOPT.EXE
3004	AUDIOPT.EXE
2484	WINCPUL.EXE
2484	WINCPUL.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE
1468	DRVVIDEO.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

5692 InstallUtil.exe

pid	process
5692	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exePrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scrInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeADOBESERV.EXEInstallUtil.exeAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEADOBESERV.EXEWINCPUL.EXEDRVVIDEO.EXEWINLOGONL.EXEWINPLAY.EXEWINPLAY.EXEWINLOGONL.EXEAUDIOPT.EXE

description	pid	process
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Token: SeIncreaseQuotaPrivilege	3980	InstallUtil.exe
Token: SeSecurityPrivilege	3980	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	3980	InstallUtil.exe
Token: SeLoadDriverPrivilege	3980	InstallUtil.exe
Token: SeSystemProfilePrivilege	3980	InstallUtil.exe
Token: SeSystemtimePrivilege	3980	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	3980	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3980	InstallUtil.exe
Token: SeCreatePagefilePrivilege	3980	InstallUtil.exe
Token: SeBackupPrivilege	3980	InstallUtil.exe
Token: SeRestorePrivilege	3980	InstallUtil.exe
Token: SeShutdownPrivilege	3980	InstallUtil.exe
Token: SeDebugPrivilege	3980	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	3980	InstallUtil.exe
Token: SeChangeNotifyPrivilege	3980	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	3980	InstallUtil.exe
Token: SeUndockPrivilege	3980	InstallUtil.exe
Token: SeManageVolumePrivilege	3980	InstallUtil.exe
Token: SeImpersonatePrivilege	3980	InstallUtil.exe
Token: SeCreateGlobalPrivilege	3980	InstallUtil.exe
Token: 33	3980	InstallUtil.exe
Token: 34	3980	InstallUtil.exe
Token: 35	3980	InstallUtil.exe
Token: 36	3980	InstallUtil.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	516	ADOBESERV.EXE
Token: SeShutdownPrivilege	5692	InstallUtil.exe
Token: SeDebugPrivilege	5692	InstallUtil.exe
Token: SeTcbPrivilege	5692	InstallUtil.exe
Token: SeDebugPrivilege	3004	AUDIOPT.EXE
Token: SeDebugPrivilege	1468	DRVVIDEO.EXE
Token: SeDebugPrivilege	4392	WINCPUL.EXE
Token: SeDebugPrivilege	3224	ADOBESERV.EXE
Token: SeDebugPrivilege	2484	WINCPUL.EXE
Token: SeDebugPrivilege	1588	DRVVIDEO.EXE
Token: SeDebugPrivilege	3844	WINLOGONL.EXE
Token: SeDebugPrivilege	3516	WINPLAY.EXE
Token: SeDebugPrivilege	4632	WINPLAY.EXE
Token: SeDebugPrivilege	3616	WINLOGONL.EXE
Token: SeIncreaseQuotaPrivilege	3964	AUDIOPT.EXE
Token: SeSecurityPrivilege	3964	AUDIOPT.EXE
Token: SeTakeOwnershipPrivilege	3964	AUDIOPT.EXE
Token: SeLoadDriverPrivilege	3964	AUDIOPT.EXE
Token: SeSystemProfilePrivilege	3964	AUDIOPT.EXE
Token: SeSystemtimePrivilege	3964	AUDIOPT.EXE
Token: SeProfSingleProcessPrivilege	3964	AUDIOPT.EXE
Token: SeIncBasePriorityPrivilege	3964	AUDIOPT.EXE
Token: SeCreatePagefilePrivilege	3964	AUDIOPT.EXE
Token: SeBackupPrivilege	3964	AUDIOPT.EXE
Token: SeRestorePrivilege	3964	AUDIOPT.EXE
Token: SeShutdownPrivilege	3964	AUDIOPT.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

InstallUtil.exeInstallUtil.exeAUDIOPT.EXE

pid process

3980 InstallUtil.exe
5692 InstallUtil.exe
3964 AUDIOPT.EXE

pid	process
3980	InstallUtil.exe
5692	InstallUtil.exe
3964	AUDIOPT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scrInstallUtil.exeADOBESERV.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEWINLOGONL.EXE

description	pid	process	target process
PID 2232 wrote to memory of 1452	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	powershell.exe
PID 2232 wrote to memory of 1452	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	powershell.exe
PID 2232 wrote to memory of 1452	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	powershell.exe
PID 2232 wrote to memory of 1264	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 1264	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 1264	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 2232 wrote to memory of 3980	2232	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	InstallUtil.exe
PID 3980 wrote to memory of 516	3980	InstallUtil.exe	ADOBESERV.EXE
PID 3980 wrote to memory of 516	3980	InstallUtil.exe	ADOBESERV.EXE
PID 3980 wrote to memory of 516	3980	InstallUtil.exe	ADOBESERV.EXE
PID 3980 wrote to memory of 3004	3980	InstallUtil.exe	AUDIOPT.EXE
PID 3980 wrote to memory of 3004	3980	InstallUtil.exe	AUDIOPT.EXE
PID 3980 wrote to memory of 3004	3980	InstallUtil.exe	AUDIOPT.EXE
PID 3980 wrote to memory of 1588	3980	InstallUtil.exe	DRVVIDEO.EXE
PID 3980 wrote to memory of 1588	3980	InstallUtil.exe	DRVVIDEO.EXE
PID 3980 wrote to memory of 1588	3980	InstallUtil.exe	DRVVIDEO.EXE
PID 3980 wrote to memory of 4392	3980	InstallUtil.exe	WINCPUL.EXE
PID 3980 wrote to memory of 4392	3980	InstallUtil.exe	WINCPUL.EXE
PID 3980 wrote to memory of 4392	3980	InstallUtil.exe	WINCPUL.EXE
PID 3980 wrote to memory of 3616	3980	InstallUtil.exe	WINLOGONL.EXE
PID 3980 wrote to memory of 3616	3980	InstallUtil.exe	WINLOGONL.EXE
PID 3980 wrote to memory of 3616	3980	InstallUtil.exe	WINLOGONL.EXE
PID 3980 wrote to memory of 4632	3980	InstallUtil.exe	WINPLAY.EXE
PID 3980 wrote to memory of 4632	3980	InstallUtil.exe	WINPLAY.EXE
PID 3980 wrote to memory of 4632	3980	InstallUtil.exe	WINPLAY.EXE
PID 3980 wrote to memory of 3224	3980	InstallUtil.exe	ADOBESERV.EXE
PID 3980 wrote to memory of 3224	3980	InstallUtil.exe	ADOBESERV.EXE
PID 3980 wrote to memory of 3224	3980	InstallUtil.exe	ADOBESERV.EXE
PID 3980 wrote to memory of 4408	3980	InstallUtil.exe	AUDIOPT.EXE
PID 3980 wrote to memory of 4408	3980	InstallUtil.exe	AUDIOPT.EXE
PID 3980 wrote to memory of 4408	3980	InstallUtil.exe	AUDIOPT.EXE
PID 3980 wrote to memory of 1468	3980	InstallUtil.exe	DRVVIDEO.EXE
PID 3980 wrote to memory of 1468	3980	InstallUtil.exe	DRVVIDEO.EXE
PID 3980 wrote to memory of 1468	3980	InstallUtil.exe	DRVVIDEO.EXE
PID 3980 wrote to memory of 2484	3980	InstallUtil.exe	WINCPUL.EXE
PID 3980 wrote to memory of 2484	3980	InstallUtil.exe	WINCPUL.EXE
PID 3980 wrote to memory of 2484	3980	InstallUtil.exe	WINCPUL.EXE
PID 3980 wrote to memory of 3844	3980	InstallUtil.exe	WINLOGONL.EXE
PID 3980 wrote to memory of 3844	3980	InstallUtil.exe	WINLOGONL.EXE
PID 3980 wrote to memory of 3844	3980	InstallUtil.exe	WINLOGONL.EXE
PID 3980 wrote to memory of 3516	3980	InstallUtil.exe	WINPLAY.EXE
PID 3980 wrote to memory of 3516	3980	InstallUtil.exe	WINPLAY.EXE
PID 3980 wrote to memory of 3516	3980	InstallUtil.exe	WINPLAY.EXE
PID 516 wrote to memory of 1876	516	ADOBESERV.EXE	powershell.exe
PID 516 wrote to memory of 1876	516	ADOBESERV.EXE	powershell.exe
PID 516 wrote to memory of 1876	516	ADOBESERV.EXE	powershell.exe
PID 3004 wrote to memory of 2984	3004	AUDIOPT.EXE	powershell.exe
PID 3004 wrote to memory of 2984	3004	AUDIOPT.EXE	powershell.exe
PID 3004 wrote to memory of 2984	3004	AUDIOPT.EXE	powershell.exe
PID 4392 wrote to memory of 4440	4392	WINCPUL.EXE	powershell.exe
PID 4392 wrote to memory of 4440	4392	WINCPUL.EXE	powershell.exe
PID 4392 wrote to memory of 4440	4392	WINCPUL.EXE	powershell.exe
PID 4632 wrote to memory of 3180	4632	WINPLAY.EXE	powershell.exe
PID 4632 wrote to memory of 3180	4632	WINPLAY.EXE	powershell.exe
PID 4632 wrote to memory of 3180	4632	WINPLAY.EXE	powershell.exe
PID 3616 wrote to memory of 64	3616	WINLOGONL.EXE	powershell.exe
PID 3616 wrote to memory of 64	3616	WINLOGONL.EXE	powershell.exe
PID 3616 wrote to memory of 64	3616	WINLOGONL.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
"C:\Users\Admin\AppData\Local\Temp\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr" /S
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5692

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Executes dropped EXE
PID:5524

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3964

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
PID:5316

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:5220

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:5152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.bat""
5⤵
PID:3420

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:5240

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
PID:5260

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:5620

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:5736

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:5824

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:2520

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:4232

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:5512

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:4616

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:5600

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5836

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:5616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRVVIDEO.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
8f14c88e146f0b0fb1efaedb7aa44d70

SHA1
e24d9b075b4acedf9e796b3270f50f7e3374e80f

SHA256
168cfdc40e24cac1fbec5368233524d93fb60d7411c323a595cbd50a47062ab3

SHA512
67f43d8927dc9acf647fac9bb60fbf79b68073f43f39c23d4e19b0d7c3407b32287f0a4f19ffdeeb50a6a296b446a5b8ec351271c6959178c3889fda0c90e4ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
cb20201b18e9dd7e1b15214b77c84b05

SHA1
d06ce27c11a362d62e8f61b42b195938038217c3

SHA256
06a23145f56d83f0b4e58db0c189478d58acd8f12739955014b4f055ddc4d982

SHA512
19cbeda4506019a1b283f941d96ff6452d4283acd82df0a3eb33ac56ef43dc4a9d6768abc7daaf1fc1f661a89b5a50b078e4f6a14c6556e4bb183b84611ab5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
968d97b735640b5da0b49d6a13fb74d7

SHA1
8360a6632b718101dd7ad81be08fa3ec3de351d0

SHA256
77bf45115cf0297647d3d650beb14abf68ce8870f1f470b468b889eeb5c8c18f

SHA512
a6d9f49845b4a18af2e4382858b84f5ff8787713fe2ead395e9e1afd3ac0be899720389075842086d705822258aab57caa1feb791679b3e155442de193ad25bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
0dec2b3a16ad7e53e375a134419f51d5

SHA1
f900dbb5a9adf442f0fc42b9e0aeeb8eb216fc3d

SHA256
59da27034e8d6fc11391c6d4e3ffbd78151f121b4977d4bd2836283a0010f60e

SHA512
7b99c2a722726a86c6ab2d7f6c48bb088f5d6e050928ecba0da77908ae3534a8172120114985dc0859aba8e1ad78c348f4205537b9e505e0051458761a3f1701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
86e18c7d680fedddbc5cdf2437047929

SHA1
ef727ad22cb4540f652c6f04070d7e5549942ca5

SHA256
f20549df0a722fb6a1ee10619eae0a8514a97c29babc61abb09441697079faff

SHA512
16accb9c843cf81e74030a21eaa1434a748333fbf657c407b55aacb9aeb0edb67570508ac79edced268bd49e7456bdac558b940f17de0806a9bd5b1b68160fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
14ffb88a806ff55353d1170abf9235c5

SHA1
db7a113a1c8c7602d627620c6e67119c989a8404

SHA256
c48c6bf56ee96cb2a424e7ba7ae2064aa069882e59756b2af6b0df0fe0ff2420

SHA512
22611a36aefc0bf9be2450a088464743037d4a98135ef4967a0e3afb6ddb75ff1fd6215679ed772407982e71a59a6c7b9a5f504fd4ac2b2867366a662ff95e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
6d11288bb16279cce7acc98d5d087a98

SHA1
21c24dc04ba074cfce14424b4060673c9819f12b

SHA256
8884d01e6f2c75dacd44ceb88a6b148858fbf3696a40dcf311878483d789cd30

SHA512
9241a4476a234e9b4a80e2c21c665ebd7f1cd72baefec3eb4d72fee4cf1ff8f92ffb08c2f5538bf146441da7760d726400b44c2c366f73038d79a952e5ac663b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8bd6e4ee5c4c26c65a0723b1a13dd7a2

SHA1
b2b4919fe14e2207077990b19800938c011901a5

SHA256
63b167f111760658cf7e950e72acccf13c5be2bcccdad46eb6645d75827320e5

SHA512
d603521c3d909300a6e2ebb509a6c95c47ece476fbe244c037aeff6f61624cd11a5286a0bfe30fc2938bf0760d1527741efe57c14b95184d1c1faf3074eed8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
512KB

MD5
f072284daa82d2a05fc57d6daf7ff8b9

SHA1
84fea40f2905013d31cd7be45638189e019bd6e2

SHA256
8274e78d0c35099fbb37bdf90710c964db17a09265b81dd712c4f8e4b953ce7b

SHA512
d719e5620d1ae85babf05904806dbb22be1e1765f73e4b2e72d16e0d4b1c404704fcaa826ab70e6af100705b96cc36606214bae52ec9ee3ed90035c33142b8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j3nvxads.sew.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.bat
Filesize
151B

MD5
c63f5e9c5cd6e3883cf7c857dc828079

SHA1
e3ce0019abb516f28af22a0375f9c18a208d8ef0

SHA256
e01cf52ae87c2a8c96415a54953589c6c165fb8ac9d350f39fdbbbb8570d121e

SHA512
78bcbc8c63378c03b6d6d6535b288d2d0fb266b5d2990c9b34d22ed211b8c2341e406bb859134447cd4493a609c099358cca2f27fd28fa2fd6289a5f230c29e8

Download Submit
C:\Users\Admin\AppData\Roaming\Eubdk\Mpkly.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
24.8MB

MD5
ad4d81970b4803d4dc524543fae2f6fa

SHA1
50f97fb47addac16747126c2ab72c5478d17379b

SHA256
4453b5c5520d7d6f014205ee7f1157906acd4f4823a01fdb7a1d1f875683eb9d

SHA512
ed62fa4b2eeb3427c21b2e12a8e87c23bc940dc9b6972ac592d776b45be97c8f38a6f93ea60ae1e749d3afedd1e8a02f4adbc541379eaa924c34e8c2b603ae5a

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
31.1MB

MD5
e4e2dbe46322ddd9824fe000aa5fce80

SHA1
f79e9756e53bb12a980a59da82c0720c9895c4ba

SHA256
35bdafd90148ec5fe383a6e809ef7d9107c9c41e4b666cbbcc11f87a04041495

SHA512
41c53c273dc867636af0c07421b4e79725dc5c255c29449f223e5aea49ead0c6bca25ec54652f85715c9a602ee06709d680cb35dc3e7d1fe0f4e6933322845a7

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/516-87-0x0000000000210000-0x000000000030A000-memory.dmp

Filesize
1000KB

Download
memory/516-73-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/516-149-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/516-130-0x00000000050C0000-0x0000000005162000-memory.dmp

Filesize
648KB

Download
memory/516-98-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/912-523-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1452-16-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/1452-24-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/1452-35-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1452-33-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1452-32-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1452-9-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1452-28-0x0000000006360000-0x000000000637A000-memory.dmp

Filesize
104KB

Download
memory/1452-27-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/1452-8-0x0000000000D30000-0x0000000000D66000-memory.dmp

Filesize
216KB

Download
memory/1452-26-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/1452-25-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/1452-10-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1452-12-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

Filesize
136KB

Download
memory/1452-13-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/1452-422-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1452-11-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/1468-144-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1468-138-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1588-142-0x0000000005CB0000-0x0000000005D0C000-memory.dmp

Filesize
368KB

Download
memory/1588-117-0x0000000000CF0000-0x0000000000D76000-memory.dmp

Filesize
536KB

Download
memory/1588-110-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1588-125-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/1876-155-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1876-156-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/2232-30-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2232-41-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2232-1-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2232-2-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2232-3-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/2232-0-0x0000000000800000-0x0000000000A06000-memory.dmp

Filesize
2.0MB

Download
memory/2232-4-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/2232-5-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/2232-6-0x00000000069F0000-0x0000000006BDC000-memory.dmp

Filesize
1.9MB

Download
memory/2232-7-0x0000000006BE0000-0x0000000006C2C000-memory.dmp

Filesize
304KB

Download
memory/2232-31-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2484-153-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/2484-154-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3004-134-0x00000000066A0000-0x0000000006728000-memory.dmp

Filesize
544KB

Download
memory/3004-112-0x0000000000BB0000-0x0000000000C68000-memory.dmp

Filesize
736KB

Download
memory/3004-88-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3160-567-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3224-151-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3516-145-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3516-143-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3616-141-0x0000000006D00000-0x0000000006D5A000-memory.dmp

Filesize
360KB

Download
memory/3616-132-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3616-121-0x0000000000DF0000-0x0000000000E76000-memory.dmp

Filesize
536KB

Download
memory/3616-123-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3844-146-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3844-152-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3964-409-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-389-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-396-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-450-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-405-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3964-441-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3980-140-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-137-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-37-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-40-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-42-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3980-43-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3980-147-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/4392-119-0x00000000001E0000-0x0000000000268000-memory.dmp

Filesize
544KB

Download
memory/4392-118-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/4392-150-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4392-136-0x0000000004E90000-0x0000000004EEC000-memory.dmp

Filesize
368KB

Download
memory/4408-135-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/4408-148-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4616-447-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4632-122-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/4632-120-0x00000000002C0000-0x000000000033C000-memory.dmp

Filesize
496KB

Download
memory/4632-131-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4632-139-0x0000000004E80000-0x0000000004ED0000-memory.dmp

Filesize
320KB

Download
memory/5112-521-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/5316-402-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5316-388-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5648-420-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5692-325-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-356-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-321-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-326-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-328-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-332-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-337-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5692-357-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5736-463-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5736-443-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download