asyncrat | 65351e13cea23ec8e910fe0f7a10c286033e330eeec1c09c77242f3f4e1518d0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe
Size

4.1MB
MD5

2a9bf696f1af170e0e1b5ede752a1578
SHA1

96b9f6c7398fc9c0cc44534dfabe08f0583baf3a
SHA256

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f
SHA512

8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d
SSDEEP

98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+june1-newcrt 2024+june111-newcrt new-july-july4-0 new-july-july4-02 evasion infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+June111-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-TF0M80E

Attributes

gencode
FStELhsGExZX
install
false
offline_keylogger
false
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc5rc5ex77777

Attributes

delay
5
install
true
install_file
audiodvs.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+June1-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-62B5ZW6

Attributes

InstallPath
word.exe
gencode
T8Q4ENhuqy1g
install
true
offline_keylogger
false
password
hhhhhh
persistence
true
reg_key
word

Extracted

Family

babylonrat

dgorijan20785.hopto.org

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

win_sv88778sl

Attributes

delay
5000
install_path
temp
port
4488
startup_name
logons

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word.exe"	sms614A.tmp

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002340f-69.dat	family_asyncrat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/5688-455-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5688-458-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1372-461-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1372-464-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1908-497-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1908-496-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms59D8.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms614A.tmp

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	sms614A.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WRAR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	sms59D8.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	sms5EE9.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	EDGEN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Executes dropped EXE 44 IoCs

pid	Process
2904	sms59D8.tmp
3520	EDGEN.EXE
2700	USBDRV.EXE
2804	WINLISTS.EXE
2068	WINNOTE.EXE
4416	WRAR.EXE
968	sms5EE9.tmp
1016	sms614A.tmp
4596	sms64A5.tmp
2784	viewpdf.exe
4120	word.exe
3648	audiodvs.exe
1616	ADOBESERV.EXE
1908	AUDIOPT.EXE
2376	DRVVIDEO.EXE
1540	WINCPUL.EXE
4572	EDGEN.EXE
2552	WINLOGONL.EXE
2668	WINPLAY.EXE
1604	ADOBESERV.EXE
4580	AUDIOPT.EXE
4452	DRVVIDEO.EXE
4360	EDGEN.EXE
1644	WINCPUL.EXE
5040	WINLOGONL.EXE
4388	WINPLAY.EXE
5636	AUDIOPT.EXE
5360	EDGEN.EXE
5688	DRVVIDEO.EXE
1372	WINCPUL.EXE
3288	WINPLAY.EXE
4000	WINPLAY.EXE
6120	WINPLAY.EXE
2520	wintsklt.exe
5732	WINCPUL.EXE
2028	WINPLAY.EXE
1908	WINLOGONL.EXE
3900	AUDIOPT.EXE
4352	WINLOGONL.EXE
4444	DRVVIDEO.EXE
3604	wintskl.exe
1644	wintsklt.exe
5616	wintsklt.exe
3756	wintskl.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001e92c-7.dat	upx
behavioral2/memory/2904-9-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/2904-12-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/files/0x0007000000023410-79.dat	upx
behavioral2/memory/1016-80-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4120-175-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/1016-177-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2904-187-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4120-189-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2904-201-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/1548-209-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1548-210-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1548-207-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1548-316-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1548-317-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/4120-432-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2904-431-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/2904-434-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4120-435-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2904-437-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4120-438-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/5636-441-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5636-445-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5636-444-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5636-449-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5636-448-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4716-471-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4716-470-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4716-468-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4716-472-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	viewpdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	word.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	sms64A5.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WRAR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	sms614A.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 4416 set thread context of 1548	4416	WRAR.EXE	112
PID 3520 set thread context of 4572	3520	EDGEN.EXE	117
PID 1908 set thread context of 5636	1908	AUDIOPT.EXE	155
PID 4360 set thread context of 5360	4360	EDGEN.EXE	156
PID 2376 set thread context of 5688	2376	DRVVIDEO.EXE	157
PID 1540 set thread context of 1372	1540	WINCPUL.EXE	159
PID 1616 set thread context of 4716	1616	ADOBESERV.EXE	160
PID 2668 set thread context of 6120	2668	WINPLAY.EXE	165
PID 1644 set thread context of 5732	1644	WINCPUL.EXE	167
PID 4388 set thread context of 2028	4388	WINPLAY.EXE	168
PID 2552 set thread context of 1908	2552	WINLOGONL.EXE	169
PID 1604 set thread context of 3520	1604	ADOBESERV.EXE	174
PID 4580 set thread context of 3900	4580	AUDIOPT.EXE	175
PID 5040 set thread context of 4352	5040	WINLOGONL.EXE	178
PID 4452 set thread context of 4444	4452	DRVVIDEO.EXE	179
PID 2520 set thread context of 5616	2520	wintsklt.exe	195
PID 3604 set thread context of 3756	3604	wintskl.exe	196

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2540	schtasks.exe
1376	schtasks.exe
5040	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3844	timeout.exe
1592	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sms614A.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
968	sms5EE9.tmp
4416	WRAR.EXE
4416	WRAR.EXE
3648	audiodvs.exe
3648	audiodvs.exe
836	powershell.exe
836	powershell.exe
4864	powershell.exe
4864	powershell.exe
5004	powershell.exe
5004	powershell.exe
4164	powershell.exe
4164	powershell.exe
3300	powershell.exe
3300	powershell.exe
3016	powershell.exe
3016	powershell.exe
4248	powershell.exe
4248	powershell.exe
1428	powershell.exe
1428	powershell.exe
3752	powershell.exe
3752	powershell.exe
3860	powershell.exe
3860	powershell.exe
1196	powershell.exe
1196	powershell.exe
5096	powershell.exe
5096	powershell.exe
4864	powershell.exe
4864	powershell.exe
836	powershell.exe
836	powershell.exe
5004	powershell.exe
5004	powershell.exe
4164	powershell.exe
3300	powershell.exe
1428	powershell.exe
3016	powershell.exe
4248	powershell.exe
3752	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2784	viewpdf.exe
4716	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2904	sms59D8.tmp
Token: SeSecurityPrivilege	2904	sms59D8.tmp
Token: SeTakeOwnershipPrivilege	2904	sms59D8.tmp
Token: SeLoadDriverPrivilege	2904	sms59D8.tmp
Token: SeSystemProfilePrivilege	2904	sms59D8.tmp
Token: SeSystemtimePrivilege	2904	sms59D8.tmp
Token: SeProfSingleProcessPrivilege	2904	sms59D8.tmp
Token: SeIncBasePriorityPrivilege	2904	sms59D8.tmp
Token: SeCreatePagefilePrivilege	2904	sms59D8.tmp
Token: SeBackupPrivilege	2904	sms59D8.tmp
Token: SeRestorePrivilege	2904	sms59D8.tmp
Token: SeShutdownPrivilege	2904	sms59D8.tmp
Token: SeDebugPrivilege	2904	sms59D8.tmp
Token: SeSystemEnvironmentPrivilege	2904	sms59D8.tmp
Token: SeChangeNotifyPrivilege	2904	sms59D8.tmp
Token: SeRemoteShutdownPrivilege	2904	sms59D8.tmp
Token: SeUndockPrivilege	2904	sms59D8.tmp
Token: SeManageVolumePrivilege	2904	sms59D8.tmp
Token: SeImpersonatePrivilege	2904	sms59D8.tmp
Token: SeCreateGlobalPrivilege	2904	sms59D8.tmp
Token: 33	2904	sms59D8.tmp
Token: 34	2904	sms59D8.tmp
Token: 35	2904	sms59D8.tmp
Token: 36	2904	sms59D8.tmp
Token: SeIncreaseQuotaPrivilege	1016	sms614A.tmp
Token: SeSecurityPrivilege	1016	sms614A.tmp
Token: SeTakeOwnershipPrivilege	1016	sms614A.tmp
Token: SeLoadDriverPrivilege	1016	sms614A.tmp
Token: SeSystemProfilePrivilege	1016	sms614A.tmp
Token: SeSystemtimePrivilege	1016	sms614A.tmp
Token: SeProfSingleProcessPrivilege	1016	sms614A.tmp
Token: SeIncBasePriorityPrivilege	1016	sms614A.tmp
Token: SeCreatePagefilePrivilege	1016	sms614A.tmp
Token: SeBackupPrivilege	1016	sms614A.tmp
Token: SeRestorePrivilege	1016	sms614A.tmp
Token: SeShutdownPrivilege	1016	sms614A.tmp
Token: SeDebugPrivilege	1016	sms614A.tmp
Token: SeSystemEnvironmentPrivilege	1016	sms614A.tmp
Token: SeChangeNotifyPrivilege	1016	sms614A.tmp
Token: SeRemoteShutdownPrivilege	1016	sms614A.tmp
Token: SeUndockPrivilege	1016	sms614A.tmp
Token: SeManageVolumePrivilege	1016	sms614A.tmp
Token: SeImpersonatePrivilege	1016	sms614A.tmp
Token: SeCreateGlobalPrivilege	1016	sms614A.tmp
Token: 33	1016	sms614A.tmp
Token: 34	1016	sms614A.tmp
Token: 35	1016	sms614A.tmp
Token: 36	1016	sms614A.tmp
Token: SeShutdownPrivilege	4596	sms64A5.tmp
Token: SeDebugPrivilege	4596	sms64A5.tmp
Token: SeTcbPrivilege	4596	sms64A5.tmp
Token: SeShutdownPrivilege	2784	viewpdf.exe
Token: SeDebugPrivilege	2784	viewpdf.exe
Token: SeTcbPrivilege	2784	viewpdf.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeIncreaseQuotaPrivilege	4120	word.exe
Token: SeSecurityPrivilege	4120	word.exe
Token: SeTakeOwnershipPrivilege	4120	word.exe
Token: SeLoadDriverPrivilege	4120	word.exe
Token: SeSystemProfilePrivilege	4120	word.exe
Token: SeSystemtimePrivilege	4120	word.exe
Token: SeProfSingleProcessPrivilege	4120	word.exe
Token: SeIncBasePriorityPrivilege	4120	word.exe
Token: SeCreatePagefilePrivilege	4120	word.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2784	viewpdf.exe
1548	InstallUtil.exe
5636	AUDIOPT.EXE
4716	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2904	740	d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	86
PID 740 wrote to memory of 2904	740	d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	86
PID 740 wrote to memory of 2904	740	d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	86
PID 2904 wrote to memory of 3520	2904	sms59D8.tmp	87
PID 2904 wrote to memory of 3520	2904	sms59D8.tmp	87
PID 2904 wrote to memory of 3520	2904	sms59D8.tmp	87
PID 2904 wrote to memory of 2700	2904	sms59D8.tmp	88
PID 2904 wrote to memory of 2700	2904	sms59D8.tmp	88
PID 2904 wrote to memory of 2804	2904	sms59D8.tmp	90
PID 2904 wrote to memory of 2804	2904	sms59D8.tmp	90
PID 2904 wrote to memory of 2068	2904	sms59D8.tmp	92
PID 2904 wrote to memory of 2068	2904	sms59D8.tmp	92
PID 2904 wrote to memory of 4416	2904	sms59D8.tmp	94
PID 2904 wrote to memory of 4416	2904	sms59D8.tmp	94
PID 2904 wrote to memory of 4416	2904	sms59D8.tmp	94
PID 2804 wrote to memory of 968	2804	WINLISTS.EXE	95
PID 2804 wrote to memory of 968	2804	WINLISTS.EXE	95
PID 2700 wrote to memory of 1016	2700	USBDRV.EXE	96
PID 2700 wrote to memory of 1016	2700	USBDRV.EXE	96
PID 2700 wrote to memory of 1016	2700	USBDRV.EXE	96
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 1016 wrote to memory of 2564	1016	sms614A.tmp	97
PID 2068 wrote to memory of 4596	2068	WINNOTE.EXE	98
PID 2068 wrote to memory of 4596	2068	WINNOTE.EXE	98
PID 2068 wrote to memory of 4596	2068	WINNOTE.EXE	98
PID 4416 wrote to memory of 3224	4416	WRAR.EXE	99
PID 4416 wrote to memory of 3224	4416	WRAR.EXE	99
PID 4416 wrote to memory of 3224	4416	WRAR.EXE	99
PID 4596 wrote to memory of 2784	4596	sms64A5.tmp	101
PID 4596 wrote to memory of 2784	4596	sms64A5.tmp	101
PID 4596 wrote to memory of 2784	4596	sms64A5.tmp	101
PID 1016 wrote to memory of 4120	1016	sms614A.tmp	102
PID 1016 wrote to memory of 4120	1016	sms614A.tmp	102
PID 1016 wrote to memory of 4120	1016	sms614A.tmp	102
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103
PID 4120 wrote to memory of 4648	4120	word.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe
"C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\sms59D8.tmp
  "C:\Users\Admin\AppData\Local\Temp\sms59D8.tmp"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
    "C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
      "C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
        6⤵
        Executes dropped EXE
        
        PID:5360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp430F.tmp" /F
        7⤵
        Creates scheduled task(s)
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
    "C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\sms614A.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms614A.tmp"
      4⤵
      Modifies WinLogon for persistence
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2564
    - - C:\Users\Admin\Documents\word.exe
        
        "C:\Users\Admin\Documents\word.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:4648
- - C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\sms5EE9.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms5EE9.tmp"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:968
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA160.tmp.bat""
        5⤵
        
        PID:3988
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:3844
      - C:\Users\Admin\AppData\Roaming\audiodvs.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodvs.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
- - C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\sms64A5.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms64A5.tmp"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\ProgramData\pdfview\viewpdf.exe
        
        "C:\ProgramData\pdfview\viewpdf.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2784
- - C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
    "C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3224
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Drops file in Drivers directory
      Suspicious use of SetWindowsHookEx
      PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1616
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4164
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1908
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5636
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2376
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1540
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        
        PID:1372
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        "C:\Users\Admin\Documents\wintsklt.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:4864
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2552
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2668
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:3288
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:4000
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6120
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.bat""
        7⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        9⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        Executes dropped EXE
        
        PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1604
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4248
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:5164
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:5388
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:5076
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:4896
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4580
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4452
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1644
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:908
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5040
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4388
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3860
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADOBESERV.EXE.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EDGEN.EXE.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c5684a74500e66c232bee9bc73a992be

SHA1
316311e430dc1ba3c97591bb921a63ef56d9506a

SHA256
4c55c7d716faa1d7b495c68c5a25cbb2330645e75b8ee05499a7e1033a816cca

SHA512
3d01270db5d0e77e254cc136af9dd31f52161c59f6f3751eac10e63af55ef17073817ff237a61180ebec3062414c50037b36e8997ed620c894d7f4db6604dcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
4890e4e9ec707b3b81fa58e957ab8e0d

SHA1
9290bed0e7f2afbb4158db878b8f165ebdb1fd3f

SHA256
5040abc45f40728e3355b1f4d757c19652733cd91e823580983ed20f2c26a039

SHA512
dd64c9e9318b36f47d589a5c0fbce357d582a7e275d07c50da2f0f0cc925f72f34db0f36c8d9cd5780365b3b36d63df65d90a7ec5ae13da80dd21925cfb891dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
1b22096826abf9190ff0feb56ee74e5d

SHA1
b58499e87004230dd774f69415109a72df9250c7

SHA256
d9618ea40a707a7b87c9c6a850ccc15c38e41194c2b886ae5970f6b2dd74250b

SHA512
268813131d72b12f78d7994b830ea8c58962362b43d4796b03f3144a3f4a4146a5df0e766acade9534a9e1190a4fbae9e3ebe69617c4216a0d6abc08d22da069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ea3eb8cccdb62766789782e0e58dab18

SHA1
dc9fc6030648f85857f0ae56cbf9809b07eef978

SHA256
65178cfb37c7142a243eabe2b33c3e189608af247307b3b0452f01614219419d

SHA512
867f8e69ad613bc64f32a76e4f52548fdc9495d6a56a50b25a493ff75f313b4a2aa6929bcddb9215b59b503a30b648ac36aedf7c15604541f7ed6056c214dab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
f85fe569064d1b2df4c224c52e04a8b5

SHA1
08ed1366ecbeab7e7040baa20a33f9389501739f

SHA256
f8c0b7d4d41c898a7f53a2378926a9dd09ba576a14263659d8054a6a14e48602

SHA512
2621e051b88c4482cb9ec26db9cda59e07201bd2def3fdf4bd55549eeaa20ecb77591bf59297fcdf050d20cf8b60fba2298f8f932d5bc86ccb0aa3b870fd4553

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE

Filesize
272KB

MD5
f15e71a4533bed5e3d3a79f6b73862a6

SHA1
f1007480f2924e6b35d96b65e6cc0fdee6edb07c

SHA256
63b57bcc9105ace9e2dc463a160c5a7c4d2b22f17229a0c9b5c58454a42d7a89

SHA512
31dbdd945a121d8b8408be150d336a98f04f9dd1df5505d79c61d404aeff61d92d0eaaa973d34c2aaff95280c00431d26198a2ee3ec616c1edce9dca8624e99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
421KB

MD5
be6c7a291d10a15274a0613a3d7d373d

SHA1
e9a7d7ee40f875b5f6b2a5ae85825f5f1b510011

SHA256
13f76dc27178fc55f0a9dc756e894195683668d1592f399eab4399825abbdcec

SHA512
5b40578a08b0b44b27ad27cda6d2aafb3ec51b209b0c16f4bfdf589131b36770b738c0278870c5d57fc0daadf9638ded25362363a12ceff1c932afb6c4301bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE

Filesize
177KB

MD5
e4cee8675eb9bee518fceb46df6b0171

SHA1
e7a4d534e4fe3930d34178d1e50866201dd9f4dd

SHA256
dbe3e996ba14398b16753ce4be959bde4fb308e0e81c1a24c1632560b4e8396a

SHA512
612a02353ba58f0649ccb89a10ef87ab72968734301c8e97f5c69631177dffbd29b03bcab30e44706dcd7103bdc1f735935012fed5dd219e13fe7ed9bae46205

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE

Filesize
850KB

MD5
adc072db38c95f07ba096def8010ec23

SHA1
97470255c4075752e4e0f120847107ed9bad60f8

SHA256
f20d872a03c3a41b240d03b30ad8417e841e5bcfb659bd2ad863a02e215e22f4

SHA512
bec583fa431c13443238db3cec8f555914df682666ae5cf8b7151401728ab26dcc1431d4bb903c5e56f9e26cdd06c8e777eba267549bbf7da1e09688822cb4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRAR.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yuumm3ys.iam.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms59D8.tmp

Filesize
3.8MB

MD5
03813d38cc7820f9c68f6764e477bd68

SHA1
ef02c9634f6d7a17a66d78dcc98f6154971d1e73

SHA256
572cf83b14d8eb05be377d4cc8ad6196c9994f815a2ff47cfee2d68219d83c4d

SHA512
1d17f353e3c0adccae832fffbc4d189e7b1b9868f5f4410205e53796387a9f1fe5c7a87bde1546fc022eb671b68ceb7fb67da59846a4dc880dcf230aeb50edd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms5EE9.tmp

Filesize
46KB

MD5
10b549c788d008fc48cccac97d0d41f5

SHA1
f0c723bb0c9123875a1a208e3ec46f4ec4108be0

SHA256
589c8fa2d213b58ab009ff4caae02a61d4d60a6fa61567f208017fef136363a9

SHA512
bc7f033012190ba6ccc2c76c4d32a1814bb4960d209d39edf5960f27b51f3e448b4ae0d26c8b68f3239eb499abfdc1bea2324fc3d7841ea1521c5f0c42f4df88

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms614A.tmp

Filesize
283KB

MD5
02ea195dd67861f845f7fd66af7a0599

SHA1
e9b9e4a8fb39b838c4ffd7321f26b53eff9aca73

SHA256
df4fa66d72e0dec0ad47af48f25e8fe0e9cf2361ba19340b014e871f418ff207

SHA512
d198baa7a8f20922ef63d34504b0cbfe1dfefb4b72d7763063480699ae4184e1d48e7dd64ddb6f18414c508ce6e80085e42a86daea5ea678a8942b3b628de8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms64A5.tmp

Filesize
733KB

MD5
e071c8ee33d217c10b415c30365e608b

SHA1
91e6cecaa37634d500db49536876cbc9ecb09683

SHA256
835c2a9f31f166d13dd4db17b76a4731194214566e7a39df674afa292feef6b8

SHA512
17b5f6229a74fb85af3aec28768f1be072ae99e5f2596fca7737e91e525bdf67865caa906f3c4c6eadfaa4df9a1aee7a1adc3effa72fa1cc68bbc8e41daba960

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA160.tmp.bat

Filesize
152B

MD5
f0f69a7a8c85d973724de67bfda564d0

SHA1
ce7a0b693eb11211d7dab2fb22794d4243b885b3

SHA256
5b67b4c9a9e6fb4b69b252a7a57e6a3823b51c3975b430572dd6b3bb0ebc34e3

SHA512
bba007832316afa793a836231f8ee3208a56bc5161d338c831caaf94939432a21da09d8d552de386a3b329398fde6aeed044848c652d4f0300823f857634fd45

Download Submit
C:\Users\Admin\AppData\Roaming\audiodvs.exe

Filesize
39.2MB

MD5
b542cfe8e28ade31e4853164554b5774

SHA1
838087ea588d8f3b7d1f6e5d80cdc7499816672c

SHA256
fd7364c0bb1cf733fa3c253b1a6369290bb13bd1df0855fd7a7fb7d3ebb9a05a

SHA512
4fad887931bcd19bde15503aa60d13f768f3fd9d4e5c4fa28a29c8936c02b07ca010987473e13370b5fbd1a4235ec988637ca75777f2305f8ee9abdf2b23caec

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/740-174-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/740-3-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/740-2-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/740-0-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/740-186-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/740-1-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/740-4-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/836-337-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/908-526-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/968-71-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/1016-177-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1016-80-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1372-461-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1372-464-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1540-271-0x0000000000DE0000-0x0000000000E68000-memory.dmp

Filesize
544KB

Download
memory/1540-294-0x0000000006CE0000-0x0000000006D3C000-memory.dmp

Filesize
368KB

Download
memory/1548-209-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1548-316-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1548-317-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1548-207-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1548-210-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1616-292-0x0000000006D10000-0x0000000006DB2000-memory.dmp

Filesize
648KB

Download
memory/1616-254-0x0000000001480000-0x0000000001486000-memory.dmp

Filesize
24KB

Download
memory/1616-253-0x0000000000AA0000-0x0000000000B9A000-memory.dmp

Filesize
1000KB

Download
memory/1908-252-0x0000000000560000-0x0000000000618000-memory.dmp

Filesize
736KB

Download
memory/1908-291-0x0000000005080000-0x0000000005108000-memory.dmp

Filesize
544KB

Download
memory/1908-496-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1908-497-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2068-58-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2068-154-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2376-270-0x0000000000410000-0x0000000000496000-memory.dmp

Filesize
536KB

Download
memory/2376-293-0x00000000050D0000-0x000000000512C000-memory.dmp

Filesize
368KB

Download
memory/2552-289-0x00000000005B0000-0x0000000000636000-memory.dmp

Filesize
536KB

Download
memory/2552-312-0x00000000053D0000-0x000000000542A000-memory.dmp

Filesize
360KB

Download
memory/2564-86-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2668-304-0x0000000000BE0000-0x0000000000C5C000-memory.dmp

Filesize
496KB

Download
memory/2668-315-0x0000000006AE0000-0x0000000006B30000-memory.dmp

Filesize
320KB

Download
memory/2700-180-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/2700-42-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/2804-43-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/2804-66-0x0000000000464000-0x0000000000465000-memory.dmp

Filesize
4KB

Download
memory/2804-67-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/2904-9-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2904-201-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2904-12-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2904-187-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2904-437-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2904-434-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2904-431-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/3224-163-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/3224-181-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/3224-184-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/3224-160-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/3224-183-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/3224-161-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/3224-162-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/3224-156-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/3224-155-0x0000000004DD0000-0x0000000004E06000-memory.dmp

Filesize
216KB

Download
memory/3224-179-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/3520-44-0x0000000072E3E000-0x0000000072E3F000-memory.dmp

Filesize
4KB

Download
memory/3520-63-0x0000000004A10000-0x0000000004AA2000-memory.dmp

Filesize
584KB

Download
memory/3520-257-0x0000000004BA0000-0x0000000004BCE000-memory.dmp

Filesize
184KB

Download
memory/3520-75-0x0000000004CA0000-0x0000000004D16000-memory.dmp

Filesize
472KB

Download
memory/3520-74-0x0000000004990000-0x000000000499A000-memory.dmp

Filesize
40KB

Download
memory/3520-60-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/3520-269-0x0000000004C10000-0x0000000004C2E000-memory.dmp

Filesize
120KB

Download
memory/3520-55-0x0000000000080000-0x00000000000CA000-memory.dmp

Filesize
296KB

Download
memory/4120-432-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4120-438-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4120-189-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4120-175-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4120-435-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4416-136-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/4416-70-0x0000000000440000-0x000000000066A000-memory.dmp

Filesize
2.2MB

Download
memory/4416-87-0x0000000006450000-0x000000000663C000-memory.dmp

Filesize
1.9MB

Download
memory/4416-72-0x0000000004E20000-0x0000000004E26000-memory.dmp

Filesize
24KB

Download
memory/4572-285-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4648-173-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4716-468-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4716-472-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4716-471-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4716-470-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4864-411-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/5204-499-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/5636-449-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5636-444-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5636-448-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5636-445-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5636-441-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5688-458-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5688-455-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6120-478-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6120-532-0x0000000004D90000-0x0000000004E2C000-memory.dmp

Filesize
624KB

Download