asyncrat | 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe
Size

3.8MB
MD5

1b018d9d77edf9c08d39bc6080cf50d2
SHA1

b24d472f1cb43e0c114de888e9726a6cb8fafca3
SHA256

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
SHA512

854a81e05309fe51efd17a49f00f2cd95a01a815923b27b055296b1e5ca8c5c718b2bbaabf0bdafce3019201c26c63ecc199a9210cacbf12d5d110b888f395f4
SSDEEP

98304:rwcCJEcjXKOFlOd/iZujgERMOarjSaoYI6gYo1je:rVaawOd/vMsMOaPI6To1je

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+apre2-new new-july-july4-0 new-july-july4-02 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

Xens_nd8918d

Attributes

delay
5000
install_path
appdata
port
4488
startup_name
rar

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex7

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+Apre2-new

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-3MW33TC

Attributes

gencode
XE9EWd209YcQ
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000013f2c-31.dat	family_asyncrat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/memory/3880-365-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/3880-366-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 9 IoCs

resource	yara_rule
behavioral1/files/0x0006000000014890-87.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3576-342-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3576-343-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3576-344-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3576-346-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3576-347-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3576-348-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3880-365-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/3880-366-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables embedding command execution via IExecuteCommand COM object 2 IoCs

resource	yara_rule
behavioral1/memory/3880-365-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral1/memory/3880-366-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

Detects file containing reversed ASEP Autorun registry keys 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000013f2c-31.dat	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/2552-74-0x0000000000A20000-0x0000000000A32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

UPX dump on OEP (original entry point) 25 IoCs

resource	yara_rule
behavioral1/memory/2536-173-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/2536-177-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/2536-180-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/2536-183-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/2536-182-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/2536-266-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/2536-265-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/2536-311-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral1/memory/3372-318-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3372-322-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3372-323-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3372-324-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3372-326-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3372-327-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3372-329-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3372-330-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3576-335-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-338-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-340-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-342-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-343-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-344-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-346-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-347-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral1/memory/3576-348-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3880-365-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/3880-366-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms16FA.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Executes dropped EXE 57 IoCs

pid	Process
2316	sms1268.tmp
1316	drvmonit.exe
1952	logons.exe
2552	sms1314.tmp
2508	rarwin.exe
1400	svlhost.exe
2688	usbserv.exe
1324	wintskl.exe
2448	winlists.exe
2944	sms1536.tmp
2584	sms167D.tmp
2004	sms16FA.tmp
2628	drvmonit.exe
1128	usbserv.exe
2400	ADOBESERV.EXE
2452	AUDIOPT.EXE
2772	DRVVIDEO.EXE
2732	WINCPUL.EXE
2056	WINPLAY.EXE
1944	WINLOGONL.EXE
1624	ADOBESERV.EXE
1504	DRVVIDEO.EXE
3044	WINLOGONL.EXE
1744	AUDIOPT.EXE
1656	WINCPUL.EXE
628	WINPLAY.EXE
3364	AUDIOPT.EXE
3372	AUDIOPT.EXE
3800	WINCPUL.EXE
3808	WINCPUL.EXE
3816	WINCPUL.EXE
3824	WINCPUL.EXE
3832	WINCPUL.EXE
3840	WINCPUL.EXE
3848	WINCPUL.EXE
3856	WINCPUL.EXE
3864	WINCPUL.EXE
3880	DRVVIDEO.EXE
788	WINCPUL.EXE
3260	WINCPUL.EXE
3296	WINCPUL.EXE
3304	WINPLAY.EXE
1124	WINCPUL.EXE
3336	WINCPUL.EXE
2176	AUDIOPT.EXE
3300	WINPLAY.EXE
1800	WINPLAY.EXE
2900	wintsklt.exe
3332	AUDIOPT.EXE
3392	WINLOGONL.EXE
2008	DRVVIDEO.EXE
1968	WINLOGONL.EXE
1892	WINCPUL.EXE
2404	wintskl.exe
2204	wintsklt.exe
1996	wintskl.exe
1948	wintskl.exe

Loads dropped DLL 64 IoCs

pid	Process
2316	sms1268.tmp
2316	sms1268.tmp
2316	sms1268.tmp
2672	Process not Found
2316	sms1268.tmp
2316	sms1268.tmp
2316	sms1268.tmp
776	Process not Found
2316	sms1268.tmp
2316	sms1268.tmp
2316	sms1268.tmp
2316	sms1268.tmp
2316	sms1268.tmp
824	Process not Found
2784	Process not Found
1316	drvmonit.exe
2688	usbserv.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2536	InstallUtil.exe
2452	AUDIOPT.EXE
2452	AUDIOPT.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
1656	WINCPUL.EXE
2772	DRVVIDEO.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2056	WINPLAY.EXE
2732	WINCPUL.EXE
628	WINPLAY.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
628	WINPLAY.EXE
1504	DRVVIDEO.EXE
1744	AUDIOPT.EXE
1944	WINLOGONL.EXE
3044	WINLOGONL.EXE
1744	AUDIOPT.EXE
2732	WINCPUL.EXE
3864	WINCPUL.EXE
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-171-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-173-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-177-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-180-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-183-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-182-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-266-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-265-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2536-311-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/3372-316-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-318-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-322-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-323-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-324-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-326-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-327-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-329-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3372-330-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3576-334-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-335-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-338-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-340-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-342-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-343-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-344-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-346-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-347-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3576-348-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	rarwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2536	2508	rarwin.exe	52
PID 2452 set thread context of 3372	2452	AUDIOPT.EXE	90
PID 2400 set thread context of 3576	2400	ADOBESERV.EXE	93
PID 1656 set thread context of 3864	1656	WINCPUL.EXE	102
PID 1624 set thread context of 3916	1624	ADOBESERV.EXE	104
PID 2772 set thread context of 3880	2772	DRVVIDEO.EXE	103
PID 2056 set thread context of 3300	2056	WINPLAY.EXE	108
PID 628 set thread context of 1800	628	WINPLAY.EXE	113
PID 1744 set thread context of 3332	1744	AUDIOPT.EXE	118
PID 3044 set thread context of 3392	3044	WINLOGONL.EXE	117
PID 1504 set thread context of 2008	1504	DRVVIDEO.EXE	114
PID 1944 set thread context of 1968	1944	WINLOGONL.EXE	116
PID 2732 set thread context of 1892	2732	WINCPUL.EXE	119
PID 2900 set thread context of 2204	2900	wintsklt.exe	137
PID 2404 set thread context of 1948	2404	wintskl.exe	141

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3168	3916	WerFault.exe	104
3952	1892	WerFault.exe	119
3892	1968	WerFault.exe	116

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1124	schtasks.exe
2180	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2728	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
924	powershell.exe
2552	sms1314.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2628	drvmonit.exe
2628	drvmonit.exe
2628	drvmonit.exe
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2628	drvmonit.exe
2628	drvmonit.exe
2628	drvmonit.exe
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2628	drvmonit.exe
2628	drvmonit.exe
2628	drvmonit.exe
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2628	drvmonit.exe
2628	drvmonit.exe
2628	drvmonit.exe
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2628	drvmonit.exe
2628	drvmonit.exe
2628	drvmonit.exe
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2628	drvmonit.exe
2628	drvmonit.exe
2628	drvmonit.exe
2508	rarwin.exe
2508	rarwin.exe
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2752	powershell.exe
2628	drvmonit.exe
2628	drvmonit.exe
2628	drvmonit.exe
1772	powershell.exe
2252	powershell.exe
1584	powershell.exe
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2944	sms1536.tmp
2656	powershell.exe
2828	powershell.exe
3056	powershell.exe
2332	powershell.exe
2864	powershell.exe
1140	powershell.exe
2080	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2584	sms167D.tmp
3576	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2584	sms167D.tmp
Token: SeDebugPrivilege	2584	sms167D.tmp
Token: SeTcbPrivilege	2584	sms167D.tmp
Token: SeIncreaseQuotaPrivilege	2004	sms16FA.tmp
Token: SeSecurityPrivilege	2004	sms16FA.tmp
Token: SeTakeOwnershipPrivilege	2004	sms16FA.tmp
Token: SeLoadDriverPrivilege	2004	sms16FA.tmp
Token: SeSystemProfilePrivilege	2004	sms16FA.tmp
Token: SeSystemtimePrivilege	2004	sms16FA.tmp
Token: SeProfSingleProcessPrivilege	2004	sms16FA.tmp
Token: SeIncBasePriorityPrivilege	2004	sms16FA.tmp
Token: SeCreatePagefilePrivilege	2004	sms16FA.tmp
Token: SeBackupPrivilege	2004	sms16FA.tmp
Token: SeRestorePrivilege	2004	sms16FA.tmp
Token: SeShutdownPrivilege	2004	sms16FA.tmp
Token: SeDebugPrivilege	2004	sms16FA.tmp
Token: SeSystemEnvironmentPrivilege	2004	sms16FA.tmp
Token: SeChangeNotifyPrivilege	2004	sms16FA.tmp
Token: SeRemoteShutdownPrivilege	2004	sms16FA.tmp
Token: SeUndockPrivilege	2004	sms16FA.tmp
Token: SeManageVolumePrivilege	2004	sms16FA.tmp
Token: SeImpersonatePrivilege	2004	sms16FA.tmp
Token: SeCreateGlobalPrivilege	2004	sms16FA.tmp
Token: 33	2004	sms16FA.tmp
Token: 34	2004	sms16FA.tmp
Token: 35	2004	sms16FA.tmp
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2552	sms1314.tmp
Token: SeDebugPrivilege	2944	sms1536.tmp
Token: SeDebugPrivilege	2628	drvmonit.exe
Token: SeDebugPrivilege	2508	rarwin.exe
Token: SeIncreaseQuotaPrivilege	2536	InstallUtil.exe
Token: SeSecurityPrivilege	2536	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	2536	InstallUtil.exe
Token: SeLoadDriverPrivilege	2536	InstallUtil.exe
Token: SeSystemProfilePrivilege	2536	InstallUtil.exe
Token: SeSystemtimePrivilege	2536	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	2536	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2536	InstallUtil.exe
Token: SeCreatePagefilePrivilege	2536	InstallUtil.exe
Token: SeBackupPrivilege	2536	InstallUtil.exe
Token: SeRestorePrivilege	2536	InstallUtil.exe
Token: SeShutdownPrivilege	2536	InstallUtil.exe
Token: SeDebugPrivilege	2536	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	2536	InstallUtil.exe
Token: SeChangeNotifyPrivilege	2536	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	2536	InstallUtil.exe
Token: SeUndockPrivilege	2536	InstallUtil.exe
Token: SeManageVolumePrivilege	2536	InstallUtil.exe
Token: SeImpersonatePrivilege	2536	InstallUtil.exe
Token: SeCreateGlobalPrivilege	2536	InstallUtil.exe
Token: 33	2536	InstallUtil.exe
Token: 34	2536	InstallUtil.exe
Token: 35	2536	InstallUtil.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2004	sms16FA.tmp
2584	sms167D.tmp
2536	InstallUtil.exe
3372	AUDIOPT.EXE
3576	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2316	2364	45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe	29
PID 2364 wrote to memory of 2316	2364	45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe	29
PID 2364 wrote to memory of 2316	2364	45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe	29
PID 2364 wrote to memory of 2316	2364	45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe	29
PID 2316 wrote to memory of 1316	2316	sms1268.tmp	30
PID 2316 wrote to memory of 1316	2316	sms1268.tmp	30
PID 2316 wrote to memory of 1316	2316	sms1268.tmp	30
PID 2316 wrote to memory of 1316	2316	sms1268.tmp	30
PID 2316 wrote to memory of 1952	2316	sms1268.tmp	31
PID 2316 wrote to memory of 1952	2316	sms1268.tmp	31
PID 2316 wrote to memory of 1952	2316	sms1268.tmp	31
PID 2316 wrote to memory of 1952	2316	sms1268.tmp	31
PID 1952 wrote to memory of 2552	1952	logons.exe	33
PID 1952 wrote to memory of 2552	1952	logons.exe	33
PID 1952 wrote to memory of 2552	1952	logons.exe	33
PID 2316 wrote to memory of 2508	2316	sms1268.tmp	34
PID 2316 wrote to memory of 2508	2316	sms1268.tmp	34
PID 2316 wrote to memory of 2508	2316	sms1268.tmp	34
PID 2316 wrote to memory of 2508	2316	sms1268.tmp	34
PID 2316 wrote to memory of 1400	2316	sms1268.tmp	35
PID 2316 wrote to memory of 1400	2316	sms1268.tmp	35
PID 2316 wrote to memory of 1400	2316	sms1268.tmp	35
PID 2316 wrote to memory of 1400	2316	sms1268.tmp	35
PID 2316 wrote to memory of 2688	2316	sms1268.tmp	37
PID 2316 wrote to memory of 2688	2316	sms1268.tmp	37
PID 2316 wrote to memory of 2688	2316	sms1268.tmp	37
PID 2316 wrote to memory of 2688	2316	sms1268.tmp	37
PID 2316 wrote to memory of 2448	2316	sms1268.tmp	38
PID 2316 wrote to memory of 2448	2316	sms1268.tmp	38
PID 2316 wrote to memory of 2448	2316	sms1268.tmp	38
PID 2316 wrote to memory of 2448	2316	sms1268.tmp	38
PID 2316 wrote to memory of 1324	2316	sms1268.tmp	39
PID 2316 wrote to memory of 1324	2316	sms1268.tmp	39
PID 2316 wrote to memory of 1324	2316	sms1268.tmp	39
PID 2316 wrote to memory of 1324	2316	sms1268.tmp	39
PID 1324 wrote to memory of 2944	1324	wintskl.exe	42
PID 1324 wrote to memory of 2944	1324	wintskl.exe	42
PID 1324 wrote to memory of 2944	1324	wintskl.exe	42
PID 1324 wrote to memory of 2944	1324	wintskl.exe	42
PID 1400 wrote to memory of 2584	1400	svlhost.exe	43
PID 1400 wrote to memory of 2584	1400	svlhost.exe	43
PID 1400 wrote to memory of 2584	1400	svlhost.exe	43
PID 1400 wrote to memory of 2584	1400	svlhost.exe	43
PID 2448 wrote to memory of 2004	2448	winlists.exe	44
PID 2448 wrote to memory of 2004	2448	winlists.exe	44
PID 2448 wrote to memory of 2004	2448	winlists.exe	44
PID 2448 wrote to memory of 2004	2448	winlists.exe	44
PID 1316 wrote to memory of 2628	1316	drvmonit.exe	45
PID 1316 wrote to memory of 2628	1316	drvmonit.exe	45
PID 1316 wrote to memory of 2628	1316	drvmonit.exe	45
PID 1316 wrote to memory of 2628	1316	drvmonit.exe	45
PID 2688 wrote to memory of 1128	2688	usbserv.exe	46
PID 2688 wrote to memory of 1128	2688	usbserv.exe	46
PID 2688 wrote to memory of 1128	2688	usbserv.exe	46
PID 2688 wrote to memory of 1128	2688	usbserv.exe	46
PID 2508 wrote to memory of 924	2508	rarwin.exe	48
PID 2508 wrote to memory of 924	2508	rarwin.exe	48
PID 2508 wrote to memory of 924	2508	rarwin.exe	48
PID 2508 wrote to memory of 924	2508	rarwin.exe	48
PID 2628 wrote to memory of 1124	2628	drvmonit.exe	50
PID 2628 wrote to memory of 1124	2628	drvmonit.exe	50
PID 2628 wrote to memory of 1124	2628	drvmonit.exe	50
PID 2628 wrote to memory of 1124	2628	drvmonit.exe	50
PID 2508 wrote to memory of 2536	2508	rarwin.exe	52

C:\Users\Admin\AppData\Local\Temp\45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe
"C:\Users\Admin\AppData\Local\Temp\45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\sms1268.tmp
  "C:\Users\Admin\AppData\Local\Temp\sms1268.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\drvmonit.exe
    "C:\Users\Admin\AppData\Local\Temp\drvmonit.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "rar" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B83.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1124
- - C:\Users\Admin\AppData\Local\Temp\logons.exe
    "C:\Users\Admin\AppData\Local\Temp\logons.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\sms1314.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms1314.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- - C:\Users\Admin\AppData\Local\Temp\rarwin.exe
    "C:\Users\Admin\AppData\Local\Temp\rarwin.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Drops file in Drivers directory
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2536
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2400
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3576
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2452
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Executes dropped EXE
        
        PID:3364
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3372
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2772
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2732
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:788
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3260
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3336
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 200
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 200
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2056
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp389D.tmp.bat""
        7⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        9⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        Executes dropped EXE
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1624
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 220
        7⤵
        Program crash
        
        PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1744
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Executes dropped EXE
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1504
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1656
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3808
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3816
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3832
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3840
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3848
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3856
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        
        PID:3864
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        "C:\Users\Admin\Documents\wintsklt.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:3748
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        9⤵
        
        PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3044
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:628
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:3304
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:1800
- - C:\Users\Admin\AppData\Local\Temp\svlhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svlhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\sms167D.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms167D.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\usbserv.exe
    "C:\Users\Admin\AppData\Local\Temp\usbserv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe"
      4⤵
      Executes dropped EXE
      PID:1128
- - C:\Users\Admin\AppData\Local\Temp\winlists.exe
    "C:\Users\Admin\AppData\Local\Temp\winlists.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\sms16FA.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms16FA.tmp"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\wintskl.exe
    "C:\Users\Admin\AppData\Local\Temp\wintskl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\sms1536.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms1536.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2418164512054112209-625566759-1608686377-15694664911246524704-1695725515-133110106"
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\drvmonit.exe

Filesize
150KB

MD5
c415a21e89694c691c2808ef19e8e7d9

SHA1
644ba9c39d3579a0419cd1ca52ed361eab8c50b6

SHA256
771cf79fda975168bdb756280aafc59d96f767b03928e48d8b2935548702237a

SHA512
823de8d7a58c88df0a9cf093223a1eab106d68e5939bd9a1d7954ac69f9d5f6237b01d4943ad996dcbed312baf331d7fd99c53d096be40ceddcb99514e412343

Download Submit
C:\Users\Admin\AppData\Local\Temp\rarwin.exe

Filesize
2.1MB

MD5
fe9307672b900d6638ef9653a80eeabd

SHA1
865071fedd32abd1fc159584229095cc98e25464

SHA256
8620630492a1e6a6ebe6172249ba1425895af430bd77c8f1e2a2bfe407a231ee

SHA512
3d67204db32d496b44f6aaad59ce2fd40c51a003ab82d36f1cb47d6caa5d458ee75192ded9fde8683f2c850e4eaad9b8a984387d2951d2bf1bb9bbc5b40eaabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms1268.tmp

Filesize
3.6MB

MD5
c0811a2b760f26064e108332abb981b0

SHA1
9cddfea05f18c464822c822199a890bc24e4c592

SHA256
8cd70df79057b6cf818686eccc6aeef128e75d49288dc737c434987a759067b0

SHA512
cdfafb3c0ff42d8998b57913eea7594fdfb61de1972c6da10ce9f220618652682672ef1d8f3503ac8ddf54d2e411d1e69622fa0d3094d8d4d56740d9fbbb9ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms1314.tmp

Filesize
46KB

MD5
a091efe9f16f062fc0985704029b18ef

SHA1
41a58ee152864c3c2eb450e93455a095db24e3fe

SHA256
5a1e12022bdc3f4a423852e24065d9aaf3eb2ee65ca584be71a8c228dd23a7af

SHA512
a0518b633d43d75aa8a1483d4eb15e43fdde301757407de7357e3dffe260d44bc31dce3392b98c6fa989c9c969601575264f15ee178728cac2b90c0b190ea718

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms1536.tmp

Filesize
45KB

MD5
8ccf0cd31941c113e7ed1047cf6cd7d2

SHA1
e460bf7e54ffb34dc66c0bf49ef08fe9e886517d

SHA256
694f320302a9bf8a79ca16e91d8ab7dabef9ff05d2b450bd5ffad4fb6b62eff5

SHA512
cb2beb5af8ff4eaa6cf85502afa195f8a37adae18b4dc1b6d1855ffac656fefdad24035ba77a7e56278bd12b9b1b27682e7bacdf5779e7c0674edb7c732c7fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms167D.tmp

Filesize
733KB

MD5
04e6960a21235431867b45d9b98e637a

SHA1
62e8b447a96a21a3c359e4beee0431542bbfd5d6

SHA256
516d2df50001db9fda81065f989f574bfdafa3f25fda48cb9afdba756301152a

SHA512
95c21edac1233ec31170efcf47fc10f3b652c29eadac2cd795a214373e66b22c64d8caa7f18d19b93bfb587c9d68be29ebdd55105522528cdedf094a034068fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms16FA.tmp

Filesize
658KB

MD5
114ceda9d99182aff52b3a6faa1bd2a5

SHA1
f5cc13c4a61546fa8e5a43c25483edf773127d79

SHA256
be1d435fda61f1389c6218d5e107e87a2b61f6dc818466bdc6f2b5b631834d3f

SHA512
e8a788398e48c7640c8326dec20c9c459d506be530c3f0845172f6ad371ca2d2276c003a402874daa5cf453a11840c570f95f03229c0f0801416a6616be1f246

Download Submit
C:\Users\Admin\AppData\Local\Temp\svlhost.exe

Filesize
746KB

MD5
a560aec0d762f7d49aa35cab16241688

SHA1
80cdb8bd681d072c696a75607bad696f92c67329

SHA256
73dc84de5b8abe542496d8621faed0c2957a7971e55f56f8d3923f5e3aa82b59

SHA512
046f9b799a5cd53b8bc71d56bf59bb479972d098d85ed385dc1ef218d17f25078eaca7de516357fa620d6fe1ce2c594b3bdd508687fc9e415eb64d13a2032721

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B83.tmp

Filesize
1KB

MD5
a65790d60afe7f29b546aeb30d6418ea

SHA1
16c17e7ff6ceb356edd377ee81556e76e1d17c76

SHA256
d75cb1474855704eac6fd2718796f4bb149b99a338351f5f187329cf0c00785a

SHA512
b8fd846a46cf4525ac2fd0fa5f04d504bc559ee7635edd695bcbfae9ec9601f955fbef9a44d429c70c0a5823597587a08bd3b063c284f37f85f4445cadcffb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp389D.tmp.bat

Filesize
151B

MD5
fbfc0c80277d9ba2eec321840c18d3ac

SHA1
fced74d9ab58933eb386530623b15f0707f1275c

SHA256
500d2b69cec431aae79be7ab2a0c2e76f46802759a6ee89c82b466a546e5fe41

SHA512
9a90ef5e2b77709ef1c86dd994a932573f585848b621bde2346a5a1faafed66053f85edb404d6385cfab8883e03358efcdf9fe8ffd6f1f7332c2e9b9c7d7ba90

Download Submit
C:\Users\Admin\AppData\Local\Temp\usbserv.exe

Filesize
202KB

MD5
505c9499e2e9d1d898a66084b24b7fa0

SHA1
eb9cc5e05250e4b632139daadcbd337bcebb6ca1

SHA256
0f0b7aac076e447f866220e179d30b8f2623e71f2fae519a02249a83ae9808f6

SHA512
5a0047ca876827211ed5e7e6645135ee5c561ace1d2e2f4f6284daa13530ee652ad9723a3682e9e0b307b5bd814e79f4e9e72099296437b882b3eaf356b7dc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlists.exe

Filesize
671KB

MD5
f159464e574a24e7b075bc82241bb094

SHA1
fba9d7b3ddc51f2b52a62d701a512f57ab3445cc

SHA256
d6b681cd4e8214b2263f4ee48a4c8f93bc7aeedbfd256a6647471b252093b51b

SHA512
6e30961b7d46e09756932b19ad5eb1da3e7cd12cba840c76573920fc85985556f2459a76a214bf5dc129c8961b749545316171211e28f08e9b6f73d0792ea703

Download Submit
C:\Users\Admin\AppData\Local\Temp\wintskl.exe

Filesize
58KB

MD5
99c597e6e14f7ea4725d7157329657e8

SHA1
66bbcf2696ee8d4c96dde1b3d9be8ca212102b08

SHA256
e9292b321ecf224f4ff9a61481957ec9c6aba73bf930fce593cab13e883b6bfc

SHA512
b31c8652252772438445c9134d5a175c08cbd67d3f6575ee7e66e27b59b83e7213852b6736fdccbd873fa77eb66918b15b2ff690e3bee8ccf45dca207a6ec52e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UH38V9B965BA13H8QHFJ.temp

Filesize
7KB

MD5
9041aa3c0b17cc3f729737751e962768

SHA1
f94478fc10e2ead4ab7e55c9efe88ef8f7f2cf24

SHA256
30b38489112278baafabf32ac11c8eb1c5003f109dfc7988d994f1dabfd5722b

SHA512
7db7c88b658cf4ccf1d9250000ce87b8c6e684bd3743b07663217fbbfb36a157030ef85d4c41a6f96392b13166c9a45018f442ea365b190f54717f7742efde0a

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
44.6MB

MD5
f4deef32ec7ed9d724347e78c5b07fe2

SHA1
fea67a7dc8368130b3bd68b40dc96c782284d1a6

SHA256
7c34d09f5768c1b090b16a94552a26487f1ca93d3c6408f7983da8d638138c5f

SHA512
f2ddbe01df599f19e47d7650ca81150ac05d0a99d3f328528779b8c7ad3edc433b187e5455685f567f1d43546d4553c18422b94d54f206efeecbe123321b6d23

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\logons.exe

Filesize
59KB

MD5
466a4fab74714d28172502dc09ada184

SHA1
2588e5a49b4c58f61627cfecab983705ff54dda1

SHA256
badd6f0f78c14773e916ae11ace9f83b6db9cb52f242a16a86a1ac7f418dfe15

SHA512
6b897c5ba51fe79a1320ddd2f3fa6fe0af482f711ea37d3b6412e026514cca5d2450068d1e485a33236f4c9bbea29a182e9c652517dd01ee34818afb193f6354

Download Submit
memory/924-131-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/924-130-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/924-163-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/924-164-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/924-168-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/924-167-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/924-165-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/924-132-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/924-133-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/924-134-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1128-121-0x0000000000B10000-0x0000000000B48000-memory.dmp

Filesize
224KB

Download
memory/1128-123-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1316-97-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1316-48-0x00000000011D0000-0x00000000011FC000-memory.dmp

Filesize
176KB

Download
memory/1316-107-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1944-252-0x0000000001110000-0x0000000001196000-memory.dmp

Filesize
536KB

Download
memory/2004-166-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2004-115-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2004-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2056-253-0x00000000009A0000-0x0000000000A1C000-memory.dmp

Filesize
496KB

Download
memory/2400-208-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-219-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2400-206-0x0000000000820000-0x000000000091A000-memory.dmp

Filesize
1000KB

Download
memory/2400-224-0x00000000021C0000-0x0000000002262000-memory.dmp

Filesize
648KB

Download
memory/2400-209-0x00000000043E0000-0x0000000004420000-memory.dmp

Filesize
256KB

Download
memory/2452-217-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-207-0x0000000000AA0000-0x0000000000B28000-memory.dmp

Filesize
544KB

Download
memory/2452-205-0x00000000012D0000-0x0000000001388000-memory.dmp

Filesize
736KB

Download
memory/2508-179-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-158-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2508-156-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-127-0x0000000004800000-0x000000000484C000-memory.dmp

Filesize
304KB

Download
memory/2508-103-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2508-126-0x0000000005400000-0x00000000055EC000-memory.dmp

Filesize
1.9MB

Download
memory/2508-114-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2508-108-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-72-0x0000000000820000-0x0000000000A38000-memory.dmp

Filesize
2.1MB

Download
memory/2536-180-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-311-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-175-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-183-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-182-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-266-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-185-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2536-173-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-171-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-170-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-265-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2536-177-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2552-159-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-203-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2552-74-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/2552-124-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-136-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2628-125-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2628-160-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2628-106-0x0000000000CD0000-0x0000000000CFC000-memory.dmp

Filesize
176KB

Download
memory/2628-161-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2688-102-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2688-122-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-109-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-76-0x0000000000970000-0x00000000009A8000-memory.dmp

Filesize
224KB

Download
memory/2688-112-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/2732-242-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2732-251-0x0000000000150000-0x00000000001D8000-memory.dmp

Filesize
544KB

Download
memory/2752-250-0x000000006F590000-0x000000006FB3B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-249-0x000000006F590000-0x000000006FB3B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-220-0x00000000009B0000-0x0000000000A36000-memory.dmp

Filesize
536KB

Download
memory/2772-221-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2772-222-0x0000000000920000-0x000000000097C000-memory.dmp

Filesize
368KB

Download
memory/2772-218-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2944-111-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2944-135-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2944-86-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2944-184-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2944-157-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/3372-327-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-320-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3372-322-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-323-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-324-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-326-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-318-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-329-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-330-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-314-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3372-316-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3576-340-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-347-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-335-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-342-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-343-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-344-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-346-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-338-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-348-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-333-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3576-334-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3864-358-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3864-354-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3880-361-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3880-365-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3880-366-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download