asyncrat | 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf

Analysis

max time kernel
159s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b018d9d77edf9c08d39bc6080cf50d2.exe
Size

3.8MB
MD5

1b018d9d77edf9c08d39bc6080cf50d2
SHA1

b24d472f1cb43e0c114de888e9726a6cb8fafca3
SHA256

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
SHA512

854a81e05309fe51efd17a49f00f2cd95a01a815923b27b055296b1e5ca8c5c718b2bbaabf0bdafce3019201c26c63ecc199a9210cacbf12d5d110b888f395f4
SSDEEP

98304:rwcCJEcjXKOFlOd/iZujgERMOarjSaoYI6gYo1je:rVaawOd/vMsMOaPI6To1je

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+apre2-new new-july-july4-0 new-july-july4-02 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

Xens_nd8918d

Attributes

delay
5000
install_path
appdata
port
4488
startup_name
rar

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc4rc3ex7

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+Apre2-new

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-3MW33TC

Attributes

gencode
XE9EWd209YcQ
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002321e-86.dat	family_asyncrat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/4196-516-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4196-520-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5880-529-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5880-535-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1992-556-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1992-561-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	smsC66D.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	smsA374.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	usbserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	rarwin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	drvmonit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE

Executes dropped EXE 46 IoCs

pid	Process
4252	smsA374.tmp
864	drvmonit.exe
1632	logons.exe
4488	rarwin.exe
1612	svlhost.exe
4888	usbserv.exe
4344	winlists.exe
4028	wintskl.exe
1092	smsBCC8.tmp
3748	smsC091.tmp
856	drvmonit.exe
2916	usbserv.exe
2508	smsC66D.tmp
4516	smsC69C.tmp
1888	ADOBESERV.EXE
3096	AUDIOPT.EXE
4640	DRVVIDEO.EXE
1872	WINCPUL.EXE
4656	WINLOGONL.EXE
1364	WINPLAY.EXE
3568	ADOBESERV.EXE
2696	AUDIOPT.EXE
2712	DRVVIDEO.EXE
3660	WINCPUL.EXE
4620	WINLOGONL.EXE
2560	WINPLAY.EXE
3588	AUDIOPT.EXE
4196	DRVVIDEO.EXE
4776	WINCPUL.EXE
5880	WINCPUL.EXE
5468	WINLOGONL.EXE
1992	WINLOGONL.EXE
3868	WINPLAY.EXE
1112	WINPLAY.EXE
2892	AUDIOPT.EXE
2372	WINCPUL.EXE
4884	DRVVIDEO.EXE
5216	DRVVIDEO.EXE
5840	WINLOGONL.EXE
5616	DRVVIDEO.EXE
3412	DRVVIDEO.EXE
5228	wintsklt.exe
2992	wintskl.exe
6004	wintsklt.exe
6008	wintsklt.exe
5148	wintskl.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2256-193-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2256-196-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2256-198-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2256-200-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2256-305-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2256-307-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2256-310-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3588-486-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3588-489-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3588-490-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3588-492-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3588-497-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3588-499-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/544-563-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/544-567-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/544-576-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/544-594-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/544-585-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/544-635-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/544-636-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	rarwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 2256	4488	rarwin.exe	119
PID 3096 set thread context of 3588	3096	AUDIOPT.EXE	156
PID 4640 set thread context of 4196	4640	DRVVIDEO.EXE	157
PID 1872 set thread context of 5880	1872	WINCPUL.EXE	159
PID 4656 set thread context of 1992	4656	WINLOGONL.EXE	161
PID 1888 set thread context of 544	1888	ADOBESERV.EXE	162
PID 1364 set thread context of 3868	1364	WINPLAY.EXE	163
PID 2560 set thread context of 1112	2560	WINPLAY.EXE	164
PID 2696 set thread context of 2892	2696	AUDIOPT.EXE	165
PID 3660 set thread context of 2372	3660	WINCPUL.EXE	166
PID 4620 set thread context of 5840	4620	WINLOGONL.EXE	169
PID 3568 set thread context of 5352	3568	ADOBESERV.EXE	170
PID 2712 set thread context of 3412	2712	DRVVIDEO.EXE	172
PID 5228 set thread context of 6008	5228	wintsklt.exe	191
PID 2992 set thread context of 5148	2992	wintskl.exe	192

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1548	schtasks.exe
5896	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5976	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4624	powershell.exe
4624	powershell.exe
4624	powershell.exe
1092	smsBCC8.tmp
1092	smsBCC8.tmp
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp
856	drvmonit.exe
856	drvmonit.exe
856	drvmonit.exe
3748	smsC091.tmp
3748	smsC091.tmp
3748	smsC091.tmp

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4516	smsC69C.tmp
544	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2508	smsC66D.tmp
Token: SeSecurityPrivilege	2508	smsC66D.tmp
Token: SeTakeOwnershipPrivilege	2508	smsC66D.tmp
Token: SeLoadDriverPrivilege	2508	smsC66D.tmp
Token: SeSystemProfilePrivilege	2508	smsC66D.tmp
Token: SeSystemtimePrivilege	2508	smsC66D.tmp
Token: SeProfSingleProcessPrivilege	2508	smsC66D.tmp
Token: SeIncBasePriorityPrivilege	2508	smsC66D.tmp
Token: SeCreatePagefilePrivilege	2508	smsC66D.tmp
Token: SeBackupPrivilege	2508	smsC66D.tmp
Token: SeRestorePrivilege	2508	smsC66D.tmp
Token: SeShutdownPrivilege	2508	smsC66D.tmp
Token: SeDebugPrivilege	2508	smsC66D.tmp
Token: SeSystemEnvironmentPrivilege	2508	smsC66D.tmp
Token: SeChangeNotifyPrivilege	2508	smsC66D.tmp
Token: SeRemoteShutdownPrivilege	2508	smsC66D.tmp
Token: SeUndockPrivilege	2508	smsC66D.tmp
Token: SeManageVolumePrivilege	2508	smsC66D.tmp
Token: SeImpersonatePrivilege	2508	smsC66D.tmp
Token: SeCreateGlobalPrivilege	2508	smsC66D.tmp
Token: 33	2508	smsC66D.tmp
Token: 34	2508	smsC66D.tmp
Token: 35	2508	smsC66D.tmp
Token: 36	2508	smsC66D.tmp
Token: SeShutdownPrivilege	4516	smsC69C.tmp
Token: SeDebugPrivilege	4516	smsC69C.tmp
Token: SeTcbPrivilege	4516	smsC69C.tmp
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	1092	smsBCC8.tmp
Token: SeDebugPrivilege	3748	smsC091.tmp
Token: SeDebugPrivilege	856	drvmonit.exe
Token: SeDebugPrivilege	4488	rarwin.exe
Token: SeIncreaseQuotaPrivilege	2256	InstallUtil.exe
Token: SeSecurityPrivilege	2256	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	2256	InstallUtil.exe
Token: SeLoadDriverPrivilege	2256	InstallUtil.exe
Token: SeSystemProfilePrivilege	2256	InstallUtil.exe
Token: SeSystemtimePrivilege	2256	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	2256	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2256	InstallUtil.exe
Token: SeCreatePagefilePrivilege	2256	InstallUtil.exe
Token: SeBackupPrivilege	2256	InstallUtil.exe
Token: SeRestorePrivilege	2256	InstallUtil.exe
Token: SeShutdownPrivilege	2256	InstallUtil.exe
Token: SeDebugPrivilege	2256	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	2256	InstallUtil.exe
Token: SeChangeNotifyPrivilege	2256	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	2256	InstallUtil.exe
Token: SeUndockPrivilege	2256	InstallUtil.exe
Token: SeManageVolumePrivilege	2256	InstallUtil.exe
Token: SeImpersonatePrivilege	2256	InstallUtil.exe
Token: SeCreateGlobalPrivilege	2256	InstallUtil.exe
Token: 33	2256	InstallUtil.exe
Token: 34	2256	InstallUtil.exe
Token: 35	2256	InstallUtil.exe
Token: 36	2256	InstallUtil.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	5284	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2508	smsC66D.tmp
4516	smsC69C.tmp
2256	InstallUtil.exe
3588	AUDIOPT.EXE
544	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 4252	3544	1b018d9d77edf9c08d39bc6080cf50d2.exe	87
PID 3544 wrote to memory of 4252	3544	1b018d9d77edf9c08d39bc6080cf50d2.exe	87
PID 3544 wrote to memory of 4252	3544	1b018d9d77edf9c08d39bc6080cf50d2.exe	87
PID 4252 wrote to memory of 864	4252	smsA374.tmp	90
PID 4252 wrote to memory of 864	4252	smsA374.tmp	90
PID 4252 wrote to memory of 864	4252	smsA374.tmp	90
PID 4252 wrote to memory of 1632	4252	smsA374.tmp	91
PID 4252 wrote to memory of 1632	4252	smsA374.tmp	91
PID 4252 wrote to memory of 4488	4252	smsA374.tmp	93
PID 4252 wrote to memory of 4488	4252	smsA374.tmp	93
PID 4252 wrote to memory of 4488	4252	smsA374.tmp	93
PID 4252 wrote to memory of 1612	4252	smsA374.tmp	94
PID 4252 wrote to memory of 1612	4252	smsA374.tmp	94
PID 4252 wrote to memory of 4888	4252	smsA374.tmp	96
PID 4252 wrote to memory of 4888	4252	smsA374.tmp	96
PID 4252 wrote to memory of 4888	4252	smsA374.tmp	96
PID 4252 wrote to memory of 4344	4252	smsA374.tmp	97
PID 4252 wrote to memory of 4344	4252	smsA374.tmp	97
PID 4252 wrote to memory of 4028	4252	smsA374.tmp	98
PID 4252 wrote to memory of 4028	4252	smsA374.tmp	98
PID 1632 wrote to memory of 1092	1632	logons.exe	101
PID 1632 wrote to memory of 1092	1632	logons.exe	101
PID 4028 wrote to memory of 3748	4028	wintskl.exe	102
PID 4028 wrote to memory of 3748	4028	wintskl.exe	102
PID 4028 wrote to memory of 3748	4028	wintskl.exe	102
PID 864 wrote to memory of 856	864	drvmonit.exe	103
PID 864 wrote to memory of 856	864	drvmonit.exe	103
PID 864 wrote to memory of 856	864	drvmonit.exe	103
PID 4888 wrote to memory of 2916	4888	usbserv.exe	104
PID 4888 wrote to memory of 2916	4888	usbserv.exe	104
PID 4888 wrote to memory of 2916	4888	usbserv.exe	104
PID 4344 wrote to memory of 2508	4344	winlists.exe	105
PID 4344 wrote to memory of 2508	4344	winlists.exe	105
PID 4344 wrote to memory of 2508	4344	winlists.exe	105
PID 1612 wrote to memory of 4516	1612	svlhost.exe	106
PID 1612 wrote to memory of 4516	1612	svlhost.exe	106
PID 1612 wrote to memory of 4516	1612	svlhost.exe	106
PID 4488 wrote to memory of 4624	4488	rarwin.exe	108
PID 4488 wrote to memory of 4624	4488	rarwin.exe	108
PID 4488 wrote to memory of 4624	4488	rarwin.exe	108
PID 856 wrote to memory of 1548	856	drvmonit.exe	110
PID 856 wrote to memory of 1548	856	drvmonit.exe	110
PID 856 wrote to memory of 1548	856	drvmonit.exe	110
PID 4488 wrote to memory of 2256	4488	rarwin.exe	119
PID 4488 wrote to memory of 2256	4488	rarwin.exe	119
PID 4488 wrote to memory of 2256	4488	rarwin.exe	119
PID 4488 wrote to memory of 2256	4488	rarwin.exe	119
PID 4488 wrote to memory of 2256	4488	rarwin.exe	119
PID 4488 wrote to memory of 2256	4488	rarwin.exe	119
PID 4488 wrote to memory of 2256	4488	rarwin.exe	119
PID 2256 wrote to memory of 1888	2256	InstallUtil.exe	120
PID 2256 wrote to memory of 1888	2256	InstallUtil.exe	120
PID 2256 wrote to memory of 1888	2256	InstallUtil.exe	120
PID 2256 wrote to memory of 3096	2256	InstallUtil.exe	121
PID 2256 wrote to memory of 3096	2256	InstallUtil.exe	121
PID 2256 wrote to memory of 3096	2256	InstallUtil.exe	121
PID 2256 wrote to memory of 4640	2256	InstallUtil.exe	122
PID 2256 wrote to memory of 4640	2256	InstallUtil.exe	122
PID 2256 wrote to memory of 4640	2256	InstallUtil.exe	122
PID 2256 wrote to memory of 1872	2256	InstallUtil.exe	123
PID 2256 wrote to memory of 1872	2256	InstallUtil.exe	123
PID 2256 wrote to memory of 1872	2256	InstallUtil.exe	123
PID 2256 wrote to memory of 4656	2256	InstallUtil.exe	124
PID 2256 wrote to memory of 4656	2256	InstallUtil.exe	124

C:\Users\Admin\AppData\Local\Temp\1b018d9d77edf9c08d39bc6080cf50d2.exe
"C:\Users\Admin\AppData\Local\Temp\1b018d9d77edf9c08d39bc6080cf50d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\smsA374.tmp
  "C:\Users\Admin\AppData\Local\Temp\smsA374.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\drvmonit.exe
    "C:\Users\Admin\AppData\Local\Temp\drvmonit.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "rar" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE4A.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1548
- - C:\Users\Admin\AppData\Local\Temp\logons.exe
    "C:\Users\Admin\AppData\Local\Temp\logons.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\smsBCC8.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsBCC8.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1092
- - C:\Users\Admin\AppData\Local\Temp\rarwin.exe
    "C:\Users\Admin\AppData\Local\Temp\rarwin.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Drops file in Drivers directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1888
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:544
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3096
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4640
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:5784
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        
        PID:5880
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        "C:\Users\Admin\Documents\wintsklt.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5436
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:6004
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:6008
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4656
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:5756
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1364
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1E3C.tmp.bat""
        7⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:5976
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        9⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        Executes dropped EXE
        
        PID:5148
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3568
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5260
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:5352
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2696
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2712
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5292
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:5216
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3660
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:5136
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4620
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5516
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:5840
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2560
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:1112
- - C:\Users\Admin\AppData\Local\Temp\svlhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svlhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\smsC69C.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsC69C.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4516
- - C:\Users\Admin\AppData\Local\Temp\usbserv.exe
    "C:\Users\Admin\AppData\Local\Temp\usbserv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe"
      4⤵
      Executes dropped EXE
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\winlists.exe
    "C:\Users\Admin\AppData\Local\Temp\winlists.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\smsC66D.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsC66D.tmp"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\wintskl.exe
    "C:\Users\Admin\AppData\Local\Temp\wintskl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\smsC091.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsC091.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINLOGONL.EXE.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\usbserv.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
fb8c37d2ff693c0a0dde9062657254e9

SHA1
ee9fba15a12fbc57ae97e81f42db0b6f84d0aa8b

SHA256
b6e5100411caa5de0ee58497dfaf53565e858f21cd7448b5b52aa5c1893a11ed

SHA512
4e61e4ef35c39c39e6cbb58d193bbee13652c3a057b944f65a2467d91ca67c537f9a7f76f11664b0315844da8cd75b61867006818ca7b48ca2716b76946fb79a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0c8f4c003c6d1ad1b71772da1924951b

SHA1
7eb363c9bee2528cdddb95d6682240553230694b

SHA256
a6f174acb0e90fd4d4f6c3dcc730b5767f05f7618775c087ca1843cab8fc8aac

SHA512
c5a5cc56dd044c502b110e1397be10a728a1b2bff86d53ac0ee3b1011c6c989dd4a9ca1471c23abc771d0d9fa60693d2dcb191db75d9d2a0fed5936231e82557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
9715c73ddeb57b44f15fd6c9249d1bc3

SHA1
64aa1f33c0ceae71b115c76119d249a99c6f9cc6

SHA256
ff27b12b95c6be76b31a5e0b1f788ae244bd4f12e7acfc6866bf22dc2700694d

SHA512
6a97355e641182626872bca260b275539ba53bd7d5cccfa5cbc2d2e23384ab966c74c85739a5573203190532e36c69ba1677ee1fb898caad7f1089f0424b548a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
5df56011f6fd2365e22ab19407cc2772

SHA1
32a847a5615a2187f10c00ecf1cac7a0eef36ee5

SHA256
eb4ce884499e9d51ea83c9279d2db322bf3b8dc4433c55d31410443cea28f26e

SHA512
bdc2c60f121755153981f81309d1e6d6d1f8dac4e96d10297b1ed9b0cdeba2fb14457b8fe267942697924bcfc12fb3d73c8ec56433a023113e1487a2e160d309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
d3d970d8c88edd306677ba1225817e16

SHA1
49b1734669f65ab2524652c4b2a87100f01c9c18

SHA256
35fdc7af1dfea2a1a2181f92ca580ab152ed86bfa1816cada2fd649f6b565a74

SHA512
e8c214f99e5b7622a54060a3d926912554e24e228a18a7451979c7d7bd9fdd03acaa74bbdfc289dc7b1248859ac3e8146ca626feded3c769b0c2855d95a8ecc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
da96be1b87a3af46e0e6e407b8fbd1f3

SHA1
493579e72456a2592b88396e275cbe987091c7f6

SHA256
75c5d8a5e0d709efa14b04b878e34396d369f208d9927f81af078771907a0898

SHA512
990d767705ffcf26fb8b780c43963d2116f2abfecdce4a957d2defa7c9786df5851358855f619ce5cf10596576115bb7ad3e2b5ec728569a2d09183e542838e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ip3kchjb.eyr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drvmonit.exe

Filesize
150KB

MD5
c415a21e89694c691c2808ef19e8e7d9

SHA1
644ba9c39d3579a0419cd1ca52ed361eab8c50b6

SHA256
771cf79fda975168bdb756280aafc59d96f767b03928e48d8b2935548702237a

SHA512
823de8d7a58c88df0a9cf093223a1eab106d68e5939bd9a1d7954ac69f9d5f6237b01d4943ad996dcbed312baf331d7fd99c53d096be40ceddcb99514e412343

Download Submit
C:\Users\Admin\AppData\Local\Temp\logons.exe

Filesize
59KB

MD5
466a4fab74714d28172502dc09ada184

SHA1
2588e5a49b4c58f61627cfecab983705ff54dda1

SHA256
badd6f0f78c14773e916ae11ace9f83b6db9cb52f242a16a86a1ac7f418dfe15

SHA512
6b897c5ba51fe79a1320ddd2f3fa6fe0af482f711ea37d3b6412e026514cca5d2450068d1e485a33236f4c9bbea29a182e9c652517dd01ee34818afb193f6354

Download Submit
C:\Users\Admin\AppData\Local\Temp\rarwin.exe

Filesize
2.1MB

MD5
fe9307672b900d6638ef9653a80eeabd

SHA1
865071fedd32abd1fc159584229095cc98e25464

SHA256
8620630492a1e6a6ebe6172249ba1425895af430bd77c8f1e2a2bfe407a231ee

SHA512
3d67204db32d496b44f6aaad59ce2fd40c51a003ab82d36f1cb47d6caa5d458ee75192ded9fde8683f2c850e4eaad9b8a984387d2951d2bf1bb9bbc5b40eaabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsA374.tmp

Filesize
3.6MB

MD5
c0811a2b760f26064e108332abb981b0

SHA1
9cddfea05f18c464822c822199a890bc24e4c592

SHA256
8cd70df79057b6cf818686eccc6aeef128e75d49288dc737c434987a759067b0

SHA512
cdfafb3c0ff42d8998b57913eea7594fdfb61de1972c6da10ce9f220618652682672ef1d8f3503ac8ddf54d2e411d1e69622fa0d3094d8d4d56740d9fbbb9ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsBCC8.tmp

Filesize
46KB

MD5
a091efe9f16f062fc0985704029b18ef

SHA1
41a58ee152864c3c2eb450e93455a095db24e3fe

SHA256
5a1e12022bdc3f4a423852e24065d9aaf3eb2ee65ca584be71a8c228dd23a7af

SHA512
a0518b633d43d75aa8a1483d4eb15e43fdde301757407de7357e3dffe260d44bc31dce3392b98c6fa989c9c969601575264f15ee178728cac2b90c0b190ea718

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsC091.tmp

Filesize
45KB

MD5
8ccf0cd31941c113e7ed1047cf6cd7d2

SHA1
e460bf7e54ffb34dc66c0bf49ef08fe9e886517d

SHA256
694f320302a9bf8a79ca16e91d8ab7dabef9ff05d2b450bd5ffad4fb6b62eff5

SHA512
cb2beb5af8ff4eaa6cf85502afa195f8a37adae18b4dc1b6d1855ffac656fefdad24035ba77a7e56278bd12b9b1b27682e7bacdf5779e7c0674edb7c732c7fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsC66D.tmp

Filesize
658KB

MD5
114ceda9d99182aff52b3a6faa1bd2a5

SHA1
f5cc13c4a61546fa8e5a43c25483edf773127d79

SHA256
be1d435fda61f1389c6218d5e107e87a2b61f6dc818466bdc6f2b5b631834d3f

SHA512
e8a788398e48c7640c8326dec20c9c459d506be530c3f0845172f6ad371ca2d2276c003a402874daa5cf453a11840c570f95f03229c0f0801416a6616be1f246

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsC69C.tmp

Filesize
733KB

MD5
04e6960a21235431867b45d9b98e637a

SHA1
62e8b447a96a21a3c359e4beee0431542bbfd5d6

SHA256
516d2df50001db9fda81065f989f574bfdafa3f25fda48cb9afdba756301152a

SHA512
95c21edac1233ec31170efcf47fc10f3b652c29eadac2cd795a214373e66b22c64d8caa7f18d19b93bfb587c9d68be29ebdd55105522528cdedf094a034068fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\svlhost.exe

Filesize
746KB

MD5
a560aec0d762f7d49aa35cab16241688

SHA1
80cdb8bd681d072c696a75607bad696f92c67329

SHA256
73dc84de5b8abe542496d8621faed0c2957a7971e55f56f8d3923f5e3aa82b59

SHA512
046f9b799a5cd53b8bc71d56bf59bb479972d098d85ed385dc1ef218d17f25078eaca7de516357fa620d6fe1ce2c594b3bdd508687fc9e415eb64d13a2032721

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE4A.tmp

Filesize
1KB

MD5
a65790d60afe7f29b546aeb30d6418ea

SHA1
16c17e7ff6ceb356edd377ee81556e76e1d17c76

SHA256
d75cb1474855704eac6fd2718796f4bb149b99a338351f5f187329cf0c00785a

SHA512
b8fd846a46cf4525ac2fd0fa5f04d504bc559ee7635edd695bcbfae9ec9601f955fbef9a44d429c70c0a5823597587a08bd3b063c284f37f85f4445cadcffb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\usbserv.exe

Filesize
202KB

MD5
505c9499e2e9d1d898a66084b24b7fa0

SHA1
eb9cc5e05250e4b632139daadcbd337bcebb6ca1

SHA256
0f0b7aac076e447f866220e179d30b8f2623e71f2fae519a02249a83ae9808f6

SHA512
5a0047ca876827211ed5e7e6645135ee5c561ace1d2e2f4f6284daa13530ee652ad9723a3682e9e0b307b5bd814e79f4e9e72099296437b882b3eaf356b7dc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlists.exe

Filesize
671KB

MD5
f159464e574a24e7b075bc82241bb094

SHA1
fba9d7b3ddc51f2b52a62d701a512f57ab3445cc

SHA256
d6b681cd4e8214b2263f4ee48a4c8f93bc7aeedbfd256a6647471b252093b51b

SHA512
6e30961b7d46e09756932b19ad5eb1da3e7cd12cba840c76573920fc85985556f2459a76a214bf5dc129c8961b749545316171211e28f08e9b6f73d0792ea703

Download Submit
C:\Users\Admin\AppData\Local\Temp\wintskl.exe

Filesize
58KB

MD5
99c597e6e14f7ea4725d7157329657e8

SHA1
66bbcf2696ee8d4c96dde1b3d9be8ca212102b08

SHA256
e9292b321ecf224f4ff9a61481957ec9c6aba73bf930fce593cab13e883b6bfc

SHA512
b31c8652252772438445c9134d5a175c08cbd67d3f6575ee7e66e27b59b83e7213852b6736fdccbd873fa77eb66918b15b2ff690e3bee8ccf45dca207a6ec52e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/544-636-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/544-594-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/544-563-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/544-635-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/544-576-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/544-585-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/544-567-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/856-178-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/856-125-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/856-122-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/856-180-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/864-48-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/864-42-0x0000000000A10000-0x0000000000A3C000-memory.dmp

Filesize
176KB

Download
memory/864-114-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/1092-172-0x00007FFCACB60000-0x00007FFCAD621000-memory.dmp

Filesize
10.8MB

Download
memory/1092-89-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/1092-188-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/1092-96-0x00007FFCACB60000-0x00007FFCAD621000-memory.dmp

Filesize
10.8MB

Download
memory/1092-167-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/1888-234-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/1888-239-0x0000000000FD0000-0x00000000010CA000-memory.dmp

Filesize
1000KB

Download
memory/1888-258-0x0000000003200000-0x0000000003206000-memory.dmp

Filesize
24KB

Download
memory/1992-556-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1992-561-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2256-200-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2256-201-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2256-310-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2256-305-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2256-198-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2256-196-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2256-193-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2256-307-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2508-177-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2508-145-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2916-139-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2916-133-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/2916-141-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3096-245-0x0000000000020000-0x00000000000D8000-memory.dmp

Filesize
736KB

Download
memory/3096-248-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3588-492-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3588-486-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3588-499-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3588-489-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3588-497-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3588-490-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3748-112-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3748-173-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3748-108-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/3748-179-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3748-123-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3868-577-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4196-516-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4196-520-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4488-90-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/4488-165-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4488-55-0x0000000000550000-0x0000000000768000-memory.dmp

Filesize
2.1MB

Download
memory/4488-76-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4488-149-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4488-81-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4488-197-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4488-132-0x00000000068B0000-0x0000000006A9C000-memory.dmp

Filesize
1.9MB

Download
memory/4488-104-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/4488-142-0x0000000006B30000-0x0000000006B7C000-memory.dmp

Filesize
304KB

Download
memory/4488-91-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/4488-78-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/4516-146-0x0000000074A70000-0x0000000074AA9000-memory.dmp

Filesize
228KB

Download
memory/4624-164-0x0000000006230000-0x0000000006296000-memory.dmp

Filesize
408KB

Download
memory/4624-170-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/4624-148-0x00000000058F0000-0x0000000005F18000-memory.dmp

Filesize
6.2MB

Download
memory/4624-151-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4624-152-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4624-185-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4624-150-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4624-153-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/4624-163-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/4624-186-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4624-187-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4624-168-0x00000000062A0000-0x00000000065F4000-memory.dmp

Filesize
3.3MB

Download
memory/4624-176-0x0000000006C60000-0x0000000006C7A000-memory.dmp

Filesize
104KB

Download
memory/4624-147-0x0000000003160000-0x0000000003196000-memory.dmp

Filesize
216KB

Download
memory/4624-191-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4624-171-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/4624-175-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/4624-174-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4888-88-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4888-79-0x0000000001330000-0x0000000001336000-memory.dmp

Filesize
24KB

Download
memory/4888-74-0x00000000009E0000-0x0000000000A18000-memory.dmp

Filesize
224KB

Download
memory/4888-83-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4888-135-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/5136-654-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/5756-650-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/5784-643-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5880-535-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5880-529-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download