asyncrat | f5d3a3fe964d364b810ed1d6cbad6ee89da1b0586e80f2794b55d102d8536168

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TronMiner-2024/TronMiner-2024.exe
Size

2.0MB
MD5

15307910d7c9a3a1215e4e4e4f500895
SHA1

49a7df2a0ebfb6556c1e17cc8baf8cd5756eded9
SHA256

514caaa6fbcdf64af8cbb24487ba1f89d1219ac25988c51a34fc850f6bf0b8e5
SHA512

9b9f339a4c7bbf1b824e2efcad3c8fb84bd47b153d29f459a9e50624a83481a81441db0aaf9fb2eae0842aa5c3358e103bad28a7a5b45f152ebe28fccbeb4453
SSDEEP

49152:qoUM9eEZyfky3a7B9L787fYIdLVYZcl+:/UMHyR3sB9q7CKA

Score

10^/10

asyncrat babylonrat darkcomet warzonerat new-july-july4-0 new-july-july4-02 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5612-327-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5612-335-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5784-411-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5784-383-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1572-408-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1572-382-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

InstallUtil.exeAUDIOPT.EXEAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINLOGONL.EXEWINPLAY.EXEwintskl.exeWINCPUL.EXEWINLOGONL.EXEWINCPUL.EXEWINPLAY.EXEDRVVIDEO.EXEAUDIOPT.EXEWINPLAY.EXEADOBESERV.EXEDRVVIDEO.EXEADOBESERV.EXEwintsklt.exeTronMiner-2024.exeAUDIOPT.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	TronMiner-2024.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE

Executes dropped EXE 31 IoCs

Processes:

ADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEDRVVIDEO.EXEAUDIOPT.EXEWINPLAY.EXEWINCPUL.EXEWINLOGONL.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEWINPLAY.EXEWINCPUL.EXEWINPLAY.EXEAUDIOPT.EXEDRVVIDEO.EXEwintsklt.exewintskl.exewintsklt.exewintsklt.exewintsklt.exewintskl.exe

pid	process
1032	ADOBESERV.EXE
3932	AUDIOPT.EXE
3240	DRVVIDEO.EXE
2072	WINCPUL.EXE
3116	WINLOGONL.EXE
1104	WINPLAY.EXE
4936	ADOBESERV.EXE
4248	AUDIOPT.EXE
3536	DRVVIDEO.EXE
3272	WINCPUL.EXE
2076	WINLOGONL.EXE
2112	WINPLAY.EXE
5612	DRVVIDEO.EXE
5620	AUDIOPT.EXE
4940	WINPLAY.EXE
5736	WINCPUL.EXE
1572	WINLOGONL.EXE
5784	WINCPUL.EXE
5908	WINLOGONL.EXE
4384	WINPLAY.EXE
5788	WINPLAY.EXE
5800	WINCPUL.EXE
6084	WINPLAY.EXE
5352	AUDIOPT.EXE
3340	DRVVIDEO.EXE
5664	wintsklt.exe
3168	wintskl.exe
820	wintsklt.exe
5504	wintsklt.exe
5948	wintsklt.exe
3160	wintskl.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1604-38-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1604-42-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1604-44-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1604-43-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1604-134-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1604-135-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1604-138-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/5620-328-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5620-338-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5620-336-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5212-412-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5292-442-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5292-436-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5292-460-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5292-466-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5620-358-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5620-352-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5620-332-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5292-471-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5292-473-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WINLOGONL.EXEAUDIOPT.EXEDRVVIDEO.EXETronMiner-2024.exeDRVVIDEO.EXEWINLOGONL.EXEADOBESERV.EXEADOBESERV.EXEWINCPUL.EXEAUDIOPT.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	TronMiner-2024.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE

Suspicious use of SetThreadContext 15 IoCs

Processes:

TronMiner-2024.exeDRVVIDEO.EXEAUDIOPT.EXEWINLOGONL.EXEWINCPUL.EXEWINPLAY.EXEWINLOGONL.EXEWINCPUL.EXEWINPLAY.EXEADOBESERV.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 5000 set thread context of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 3240 set thread context of 5612	3240	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 3932 set thread context of 5620	3932	AUDIOPT.EXE	AUDIOPT.EXE
PID 2076 set thread context of 1572	2076	WINLOGONL.EXE	WINLOGONL.EXE
PID 3272 set thread context of 5784	3272	WINCPUL.EXE	WINCPUL.EXE
PID 2112 set thread context of 4384	2112	WINPLAY.EXE	WINPLAY.EXE
PID 3116 set thread context of 5908	3116	WINLOGONL.EXE	WINLOGONL.EXE
PID 2072 set thread context of 5800	2072	WINCPUL.EXE	WINCPUL.EXE
PID 1104 set thread context of 6084	1104	WINPLAY.EXE	WINPLAY.EXE
PID 1032 set thread context of 5212	1032	ADOBESERV.EXE	InstallUtil.exe
PID 4936 set thread context of 5292	4936	ADOBESERV.EXE	InstallUtil.exe
PID 4248 set thread context of 5352	4248	AUDIOPT.EXE	AUDIOPT.EXE
PID 3536 set thread context of 3340	3536	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 5664 set thread context of 5948	5664	wintsklt.exe	wintsklt.exe
PID 3168 set thread context of 3160	3168	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3280 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5244 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

pid	process
3280	schtasks.exe

pid	process
5244	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeTronMiner-2024.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDRVVIDEO.EXEAUDIOPT.EXEWINPLAY.EXEWINCPUL.EXEWINLOGONL.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXE

pid	process
2512	powershell.exe
2512	powershell.exe
5000	TronMiner-2024.exe
5000	TronMiner-2024.exe
2620	powershell.exe
2620	powershell.exe
3460	powershell.exe
3460	powershell.exe
3320	powershell.exe
3320	powershell.exe
4616	powershell.exe
4616	powershell.exe
2904	powershell.exe
2904	powershell.exe
3972	powershell.exe
3972	powershell.exe
3480	powershell.exe
3480	powershell.exe
3268	powershell.exe
3268	powershell.exe
3600	powershell.exe
3600	powershell.exe
1652	powershell.exe
1652	powershell.exe
2788	powershell.exe
2788	powershell.exe
4900	powershell.exe
4900	powershell.exe
2620	powershell.exe
3320	powershell.exe
3460	powershell.exe
4616	powershell.exe
2904	powershell.exe
3972	powershell.exe
3480	powershell.exe
3268	powershell.exe
2788	powershell.exe
1652	powershell.exe
4900	powershell.exe
3600	powershell.exe
3240	DRVVIDEO.EXE
3240	DRVVIDEO.EXE
3932	AUDIOPT.EXE
3932	AUDIOPT.EXE
2112	WINPLAY.EXE
2112	WINPLAY.EXE
2112	WINPLAY.EXE
2112	WINPLAY.EXE
2072	WINCPUL.EXE
2072	WINCPUL.EXE
2072	WINCPUL.EXE
2072	WINCPUL.EXE
2076	WINLOGONL.EXE
2076	WINLOGONL.EXE
3272	WINCPUL.EXE
3272	WINCPUL.EXE
2112	WINPLAY.EXE
2112	WINPLAY.EXE
3116	WINLOGONL.EXE
3116	WINLOGONL.EXE
1104	WINPLAY.EXE
1104	WINPLAY.EXE
2072	WINCPUL.EXE
2072	WINCPUL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

5292 InstallUtil.exe

pid	process
5292	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeTronMiner-2024.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDRVVIDEO.EXEAUDIOPT.EXEAUDIOPT.EXE

description	pid	process
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	5000	TronMiner-2024.exe
Token: SeIncreaseQuotaPrivilege	1604	InstallUtil.exe
Token: SeSecurityPrivilege	1604	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	1604	InstallUtil.exe
Token: SeLoadDriverPrivilege	1604	InstallUtil.exe
Token: SeSystemProfilePrivilege	1604	InstallUtil.exe
Token: SeSystemtimePrivilege	1604	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	1604	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1604	InstallUtil.exe
Token: SeCreatePagefilePrivilege	1604	InstallUtil.exe
Token: SeBackupPrivilege	1604	InstallUtil.exe
Token: SeRestorePrivilege	1604	InstallUtil.exe
Token: SeShutdownPrivilege	1604	InstallUtil.exe
Token: SeDebugPrivilege	1604	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	1604	InstallUtil.exe
Token: SeChangeNotifyPrivilege	1604	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	1604	InstallUtil.exe
Token: SeUndockPrivilege	1604	InstallUtil.exe
Token: SeManageVolumePrivilege	1604	InstallUtil.exe
Token: SeImpersonatePrivilege	1604	InstallUtil.exe
Token: SeCreateGlobalPrivilege	1604	InstallUtil.exe
Token: 33	1604	InstallUtil.exe
Token: 34	1604	InstallUtil.exe
Token: 35	1604	InstallUtil.exe
Token: 36	1604	InstallUtil.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	3240	DRVVIDEO.EXE
Token: SeDebugPrivilege	3932	AUDIOPT.EXE
Token: SeIncreaseQuotaPrivilege	5620	AUDIOPT.EXE
Token: SeSecurityPrivilege	5620	AUDIOPT.EXE
Token: SeTakeOwnershipPrivilege	5620	AUDIOPT.EXE
Token: SeLoadDriverPrivilege	5620	AUDIOPT.EXE
Token: SeSystemProfilePrivilege	5620	AUDIOPT.EXE
Token: SeSystemtimePrivilege	5620	AUDIOPT.EXE
Token: SeProfSingleProcessPrivilege	5620	AUDIOPT.EXE
Token: SeIncBasePriorityPrivilege	5620	AUDIOPT.EXE
Token: SeCreatePagefilePrivilege	5620	AUDIOPT.EXE
Token: SeBackupPrivilege	5620	AUDIOPT.EXE
Token: SeRestorePrivilege	5620	AUDIOPT.EXE
Token: SeShutdownPrivilege	5620	AUDIOPT.EXE
Token: SeDebugPrivilege	5620	AUDIOPT.EXE
Token: SeSystemEnvironmentPrivilege	5620	AUDIOPT.EXE
Token: SeChangeNotifyPrivilege	5620	AUDIOPT.EXE
Token: SeRemoteShutdownPrivilege	5620	AUDIOPT.EXE
Token: SeUndockPrivilege	5620	AUDIOPT.EXE
Token: SeManageVolumePrivilege	5620	AUDIOPT.EXE
Token: SeImpersonatePrivilege	5620	AUDIOPT.EXE
Token: SeCreateGlobalPrivilege	5620	AUDIOPT.EXE
Token: 33	5620	AUDIOPT.EXE
Token: 34	5620	AUDIOPT.EXE
Token: 35	5620	AUDIOPT.EXE
Token: 36	5620	AUDIOPT.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

InstallUtil.exeAUDIOPT.EXEInstallUtil.exe

pid process

1604 InstallUtil.exe
5620 AUDIOPT.EXE
5292 InstallUtil.exe

pid	process
1604	InstallUtil.exe
5620	AUDIOPT.EXE
5292	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TronMiner-2024.exeInstallUtil.exeDRVVIDEO.EXEAUDIOPT.EXEADOBESERV.EXEWINCPUL.EXEWINPLAY.EXEWINLOGONL.EXE

description	pid	process	target process
PID 5000 wrote to memory of 2512	5000	TronMiner-2024.exe	powershell.exe
PID 5000 wrote to memory of 2512	5000	TronMiner-2024.exe	powershell.exe
PID 5000 wrote to memory of 2512	5000	TronMiner-2024.exe	powershell.exe
PID 5000 wrote to memory of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 5000 wrote to memory of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 5000 wrote to memory of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 5000 wrote to memory of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 5000 wrote to memory of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 5000 wrote to memory of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 5000 wrote to memory of 1604	5000	TronMiner-2024.exe	InstallUtil.exe
PID 1604 wrote to memory of 1032	1604	InstallUtil.exe	ADOBESERV.EXE
PID 1604 wrote to memory of 1032	1604	InstallUtil.exe	ADOBESERV.EXE
PID 1604 wrote to memory of 1032	1604	InstallUtil.exe	ADOBESERV.EXE
PID 1604 wrote to memory of 3932	1604	InstallUtil.exe	AUDIOPT.EXE
PID 1604 wrote to memory of 3932	1604	InstallUtil.exe	AUDIOPT.EXE
PID 1604 wrote to memory of 3932	1604	InstallUtil.exe	AUDIOPT.EXE
PID 1604 wrote to memory of 3240	1604	InstallUtil.exe	DRVVIDEO.EXE
PID 1604 wrote to memory of 3240	1604	InstallUtil.exe	DRVVIDEO.EXE
PID 1604 wrote to memory of 3240	1604	InstallUtil.exe	DRVVIDEO.EXE
PID 1604 wrote to memory of 2072	1604	InstallUtil.exe	WINCPUL.EXE
PID 1604 wrote to memory of 2072	1604	InstallUtil.exe	WINCPUL.EXE
PID 1604 wrote to memory of 2072	1604	InstallUtil.exe	WINCPUL.EXE
PID 1604 wrote to memory of 3116	1604	InstallUtil.exe	WINLOGONL.EXE
PID 1604 wrote to memory of 3116	1604	InstallUtil.exe	WINLOGONL.EXE
PID 1604 wrote to memory of 3116	1604	InstallUtil.exe	WINLOGONL.EXE
PID 1604 wrote to memory of 1104	1604	InstallUtil.exe	WINPLAY.EXE
PID 1604 wrote to memory of 1104	1604	InstallUtil.exe	WINPLAY.EXE
PID 1604 wrote to memory of 1104	1604	InstallUtil.exe	WINPLAY.EXE
PID 1604 wrote to memory of 4936	1604	InstallUtil.exe	ADOBESERV.EXE
PID 1604 wrote to memory of 4936	1604	InstallUtil.exe	ADOBESERV.EXE
PID 1604 wrote to memory of 4936	1604	InstallUtil.exe	ADOBESERV.EXE
PID 1604 wrote to memory of 4248	1604	InstallUtil.exe	AUDIOPT.EXE
PID 1604 wrote to memory of 4248	1604	InstallUtil.exe	AUDIOPT.EXE
PID 1604 wrote to memory of 4248	1604	InstallUtil.exe	AUDIOPT.EXE
PID 1604 wrote to memory of 3536	1604	InstallUtil.exe	DRVVIDEO.EXE
PID 1604 wrote to memory of 3536	1604	InstallUtil.exe	DRVVIDEO.EXE
PID 1604 wrote to memory of 3536	1604	InstallUtil.exe	DRVVIDEO.EXE
PID 1604 wrote to memory of 3272	1604	InstallUtil.exe	WINCPUL.EXE
PID 1604 wrote to memory of 3272	1604	InstallUtil.exe	WINCPUL.EXE
PID 1604 wrote to memory of 3272	1604	InstallUtil.exe	WINCPUL.EXE
PID 1604 wrote to memory of 2076	1604	InstallUtil.exe	WINLOGONL.EXE
PID 1604 wrote to memory of 2076	1604	InstallUtil.exe	WINLOGONL.EXE
PID 1604 wrote to memory of 2076	1604	InstallUtil.exe	WINLOGONL.EXE
PID 1604 wrote to memory of 2112	1604	InstallUtil.exe	WINPLAY.EXE
PID 1604 wrote to memory of 2112	1604	InstallUtil.exe	WINPLAY.EXE
PID 1604 wrote to memory of 2112	1604	InstallUtil.exe	WINPLAY.EXE
PID 3240 wrote to memory of 2620	3240	DRVVIDEO.EXE	powershell.exe
PID 3240 wrote to memory of 2620	3240	DRVVIDEO.EXE	powershell.exe
PID 3240 wrote to memory of 2620	3240	DRVVIDEO.EXE	powershell.exe
PID 3932 wrote to memory of 3320	3932	AUDIOPT.EXE	powershell.exe
PID 3932 wrote to memory of 3320	3932	AUDIOPT.EXE	powershell.exe
PID 3932 wrote to memory of 3320	3932	AUDIOPT.EXE	powershell.exe
PID 1032 wrote to memory of 3460	1032	ADOBESERV.EXE	powershell.exe
PID 1032 wrote to memory of 3460	1032	ADOBESERV.EXE	powershell.exe
PID 1032 wrote to memory of 3460	1032	ADOBESERV.EXE	powershell.exe
PID 2072 wrote to memory of 3972	2072	WINCPUL.EXE	powershell.exe
PID 2072 wrote to memory of 3972	2072	WINCPUL.EXE	powershell.exe
PID 2072 wrote to memory of 3972	2072	WINCPUL.EXE	powershell.exe
PID 1104 wrote to memory of 3480	1104	WINPLAY.EXE	powershell.exe
PID 1104 wrote to memory of 3480	1104	WINPLAY.EXE	powershell.exe
PID 1104 wrote to memory of 3480	1104	WINPLAY.EXE	powershell.exe
PID 3116 wrote to memory of 2904	3116	WINLOGONL.EXE	powershell.exe
PID 3116 wrote to memory of 2904	3116	WINLOGONL.EXE	powershell.exe
PID 3116 wrote to memory of 2904	3116	WINLOGONL.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\TronMiner-2024\TronMiner-2024.exe
"C:\Users\Admin\AppData\Local\Temp\TronMiner-2024\TronMiner-2024.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:5612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:5908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:6084

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:5788

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4384

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat""
5⤵
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:5244

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
PID:5208

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:3160

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:5784

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3536

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4248

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5352

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
PID:5800

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:884

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:5504

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:5948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:5736

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPUL.EXE.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
6618d00e6044941741b2f0a63f0b377e

SHA1
fe3edbe889bd6b5fde73ecaa116f2135245db813

SHA256
67c3b0ef717fc08196935d959da592cea8469fdfe62405b9d76b740e27ea0c22

SHA512
1bcd5b40a6d87fc3ad77bc9c1046729a5492e486bba946abbc8cfc18628b6238ee9f62052741add742b8a23b3d09a31f6102a7aec399cf94091e0d051838f76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
8214b392cdf005f16fb108cb9e862bba

SHA1
58781dcb3063a0b284baa8283c4fd3738b72568c

SHA256
78b7e947ae8af73df5a08c7b0e9af1f276b6503710bc9b17419ab0d5a6400bf9

SHA512
ee153ad4e35e48332d7d4875a556982296d1e4b0514dd9ecacfab1ba45cad7d9600ea5f86c30877241dd300429bbfd73c8b765fb8985851773204730a8dbfb3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
4456192013c5a091c7381d186a45fd1d

SHA1
0164a52d63b6eab2f40caf45d28e086af7d7f0f1

SHA256
60accaedd4ab4d48c98ed23aa260306c5cbd4856b5bd7290937d419684a59b8f

SHA512
7dd76dca4fd8bf86b4a2982adf30ad234970e6327b44918b2805a4258fcf392be8f37d09ad3a0042b1525f5f85c160979c8ce88e4aa5ba7b8999cf90c0cb8d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2f981c04f342892b0e5d749899a5795a

SHA1
f2234787c29f58fdb3d32779968ee598155a028b

SHA256
d91b6f5ad25a33616fbaefa05dbb07d212651530b6da92b6bcbb02b1c56496ea

SHA512
5873c60d8338a091279ec36bb1783f76db84a97c00e44a740feada9d973b8687e8b4f638231982fdf0909eaac33808e1c37afef3da5a47a41d708b139e03443c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
364e7a076cf4a1e9c62ea167f808a911

SHA1
2468c8390968fbfe89c9b08cc13a9bbe067e629f

SHA256
28664ad6912f9a6400976796a8c5195e9cbcf9247587151592bcc9f03158e7b1

SHA512
cc7d025b39ef6f7b37015df76f99a952f3af7a4cbcb8a7d15cfd387d74403765459b09ee0e2c5319a96500df061c578deb3558c163aa5e44fd6504ea3958d8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
804KB

MD5
c6f2e47b80e1794ab8d49bc85da86442

SHA1
948aa302c23a5e1356a4f5c7cf28b16721b8c012

SHA256
464dfd565d91477d008c3eda0674835fdd8f9b272c7e372338c5004464ba7093

SHA512
f504a057b952483cadf7d9debbc42b100f4c723f8382d2a616c9120ee007f0d7a67446d97f2f6dd7d29a680dcceae33402d0847ef7bc7193d0e9c70cecd7328a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
242KB

MD5
d0722ddc7cdb72ad39b831191205cbe6

SHA1
dbee535ac2f5125d581bb2c14719c6767ea411ec

SHA256
43a5f6c5ba5d0b95eaa5d85c9f648c60d951a5d5cb77c83bdc6dc2425512380a

SHA512
d2a9fc80536607a10b9e7a7bd1703a03b2b6fe1a252d276864edd6dab3fea1b79a3a3125889e0e29790ce107b32b5616ddd93a659545a660a8462f1745e82dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
559KB

MD5
039ecfbe343e5493ae8e31e2a76ba35b

SHA1
a6a251ec044bcbc1f4eb9d7ad9048bb8ec641bf9

SHA256
4f7a22014dbb7a21e604e9a09f123de6f1b76f1217aa14ec59a47f3208a19ca4

SHA512
ecd46fc2ece0d277013d7f062a348991c600ce4fac04d1ec1ba6364a485c66580db9af470837e0e39675b19397b465a58e29288dd79b20ccf1ed50da02c62a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
64KB

MD5
f7003503501f0dd95acf576f774d2364

SHA1
ac6ada0705e98dc1c96dee2d33aa3adab8a57a33

SHA256
50d5ad5fa72bbcc4db87255e0fc00de6845d4a67df091c82b56bd2074d3c74c7

SHA512
bc2ff4a955289fbaf3e05e3b00bc1170abeb0f5fa205f6186e01bdeb4c2baaef890aeeab0c259680443f6a8d779c86f175f5d8cbbbd6a67a3fe97b36f5743f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
262KB

MD5
8c70e01d8ae67103e7b94c235d13fc91

SHA1
e928d61cd6d4340e09902815cce0d3555f68895c

SHA256
97253d23be7aa58e19bef731e3d2c8021713173f375a41e3177a6565dbba9abf

SHA512
2ddadd8a483582828d541e25c5459277a76db64d18d3c76144f4010e862bb5f639f2dc68f2a3c557b1bc3d841fb6b43f5d8d361824b53c3cd3058c7a3477d804

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
238KB

MD5
41e833a5df2f9bdaf232fc48e0d291fe

SHA1
333291596c7865212b20549723762a4a0b8c1d46

SHA256
52e0a4701f7c6aab2aaabfeed3c08c1cd71b4478e39fe81cccaead6813bf32b4

SHA512
1c6b1300f10c37c04b196a69f7515a981315a63cf74c3b7325f66062110cfd99d23bec0f9f99a3b6c9ea06f0018738463fa52ef9ca44d830f38061ebfa58d601

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
65KB

MD5
b023640a8c20a0c041bf3372220ef6ff

SHA1
3e69567437b60b02f7c645c0a603ae8354b69978

SHA256
4571c8ef795f2d16e6febdb94669c7bd06be1dee7e9e9c373e4da2e926a167ba

SHA512
b5f133c48fc322ef2ea3470feae36bf6e2ddb6576bdbf95be4b88b3546c1d1ca1b32a855f2c620ff1fb8c3b83de5c20e071aa286436459e7e4e2f2598d6fcfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
169KB

MD5
5de43564bb8a21073fddf67e8c0573a2

SHA1
51b4fa2ab86676f023edfaf09345bca9dd31075b

SHA256
fd1797e191babe05eb74b0eea8652b7c7dda47b15aa9eea2ddd724c9decf66f2

SHA512
d5e26f7e0d1ae58c89b120d1deb0dd7af96ed922b686001a7d604345269ffcfd2eeafea9f8cd3d59d1d6fb0700ed0746c9d3de0e66385c6e3e16b406e2ca8e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
256KB

MD5
360ddc3565b9ebecd96fa0fe319a4713

SHA1
4cd656a15501a6ed14c04b369053f376871ff48d

SHA256
4c5b425fabfdac99ad9d0559a2a5f11ca00e7910b82dbbaccf0bd04458deabe0

SHA512
1d46e597116ef2e3c1103bd1ab5e0c35c5a8da83f2953143908b6da9d958d0fe4a609385d60135650baf0dbbe1ec1108c97b657137b0fcfdd4fb34db2f21451b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
64KB

MD5
90adb26d78ae411e9c3177af57e53d11

SHA1
8f99931adb2a66c06970e71bc30ca97c293c402c

SHA256
842ba47220e47cd9d7019ccf398a36d18be4bad806fb5b4fe509340c317afa52

SHA512
d1119949679942bc1edd79cfe8294a1a144972749fc67d0c5fe48127fdafe8ff8326324c5bd11fcfca010c00b8462acf5b91b83c5e24729b9eed26c0845cd7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znfmlm2q.kgo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat

Filesize
151B

MD5
cc8bc22aadb39173829bed20f1940009

SHA1
ced406db20556c16590a23daebfecc5348e951f5

SHA256
5bb941282d7224fc7d264c465d4debc55492d66489d92a4b82f204e1dcf1ea8b

SHA512
6a887ceb29cdff628cdcdc6d7e45ac34a8f14a0863ee172c38a719d047a87de575f72bb8b08b69845cf0514946931ed366fdfd213306c4293e1f69e75480cdbc

Download Submit
C:\Users\Admin\AppData\Roaming\Thomibmb\Dbawda.exe

Filesize
192KB

MD5
7ce2d5431dfeba54ac4a36ea4dac39d0

SHA1
b1d3f564867adc7a97becd2ff59b57fc33021001

SHA256
085991f596be36e762bc6048cdbc508ebc208453efc938bb3ac367e2ec37c2fa

SHA512
b3380f4166a88b83d4ea5e926756ce815eed33d591ff9b5b0991a1a68162e1bfd9459a99f2ac3ce515c9b19f0894871d73699d5af59b5bded7d1d2c3ae7b5174

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
14.6MB

MD5
68bdfbdd447ebd2a07f6be6869521086

SHA1
2dd2d7f719abf258700e51a16f8d657589bde041

SHA256
6cdeeecbdaf6e707f685d2fdcaa15273cce3abe32178e0ba42547dd4dfa57a7f

SHA512
64f9bd089ff83e6e93672687d6f82c22a93f60fa8550a8a74f04c6c5de193bb9d52e3bae121ead507d2bb7789db85d399b60185bca20a4d6298c7351d172fc36

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
18.1MB

MD5
455e035abbd73f8d969f67b06761b75e

SHA1
cf4d064d6dce7cfea0fbb1ab5fbd3765a374cde9

SHA256
895dd4268c7d9db8f0e8208d3d333597a1109381c638713d87355a295f468e2c

SHA512
823d44b1626fae456406981671f961d0812ccae275d22c0d06dafe4fae8091bf84845ae22894b828ea848ce45b39bbed3ddded5440ecee79294ffb1a68ced30d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/1032-88-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/1032-144-0x0000000006F10000-0x0000000006FB2000-memory.dmp

Filesize
648KB

Download
memory/1032-89-0x0000000000C90000-0x0000000000D8A000-memory.dmp

Filesize
1000KB

Download
memory/1032-113-0x0000000001750000-0x0000000001756000-memory.dmp

Filesize
24KB

Download
memory/1104-147-0x0000000005BB0000-0x0000000005C00000-memory.dmp

Filesize
320KB

Download
memory/1104-122-0x0000000000060000-0x00000000000DC000-memory.dmp

Filesize
496KB

Download
memory/1104-133-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/1104-130-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/1572-382-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1572-408-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1604-138-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1604-44-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1604-135-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1604-42-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1604-38-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1604-45-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/1604-43-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1604-134-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2072-117-0x00000000000D0000-0x0000000000158000-memory.dmp

Filesize
544KB

Download
memory/2072-132-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2072-140-0x0000000004C80000-0x0000000004CDC000-memory.dmp

Filesize
368KB

Download
memory/2072-120-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/2076-156-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/2076-153-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/2112-142-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/2112-155-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/2512-8-0x0000000002500000-0x0000000002536000-memory.dmp

Filesize
216KB

Download
memory/2512-30-0x0000000005FF0000-0x000000000600A000-memory.dmp

Filesize
104KB

Download
memory/2512-26-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/2512-36-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2512-25-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/2512-34-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2512-10-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2512-27-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/2512-12-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/2512-13-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/2512-29-0x0000000007320000-0x000000000799A000-memory.dmp

Filesize
6.5MB

Download
memory/2512-28-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2512-9-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2512-11-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2512-15-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/2512-14-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/3116-123-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/3116-148-0x0000000006080000-0x00000000060DA000-memory.dmp

Filesize
360KB

Download
memory/3116-121-0x0000000000140000-0x00000000001C6000-memory.dmp

Filesize
536KB

Download
memory/3144-462-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/3240-149-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/3240-124-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3240-139-0x0000000006170000-0x00000000061CC000-memory.dmp

Filesize
368KB

Download
memory/3240-112-0x00000000001E0000-0x0000000000266000-memory.dmp

Filesize
536KB

Download
memory/3272-152-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/3272-154-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/3536-145-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/3536-136-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/3932-110-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/3932-150-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/3932-111-0x0000000000CC0000-0x0000000000D78000-memory.dmp

Filesize
736KB

Download
memory/3932-141-0x0000000005B40000-0x0000000005BC8000-memory.dmp

Filesize
544KB

Download
memory/4248-137-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/4248-146-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4384-385-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4604-485-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4936-143-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4936-151-0x00000000727D0000-0x0000000072F80000-memory.dmp

Filesize
7.7MB

Download
memory/5000-41-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5000-7-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/5000-5-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/5000-1-0x00000000005C0000-0x00000000007C6000-memory.dmp

Filesize
2.0MB

Download
memory/5000-0-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5000-2-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/5000-4-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/5000-3-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/5000-33-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/5000-31-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5000-6-0x0000000006870000-0x0000000006A5C000-memory.dmp

Filesize
1.9MB

Download
memory/5212-412-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5292-471-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5292-460-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5292-436-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5292-442-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5292-466-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5292-473-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5612-327-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5612-335-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5620-358-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5620-352-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5620-332-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5620-336-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5620-338-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5620-328-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5784-383-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5784-411-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download