asyncrat | d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a9bf696f1af170e0e1b5ede752a1578.exe
Size

4.1MB
MD5

2a9bf696f1af170e0e1b5ede752a1578
SHA1

96b9f6c7398fc9c0cc44534dfabe08f0583baf3a
SHA256

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f
SHA512

8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d
SSDEEP

98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+june1-newcrt 2024+june111-newcrt evasion infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+June111-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-TF0M80E

Attributes

gencode
FStELhsGExZX
install
false
offline_keylogger
false
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc5rc5ex77777

Attributes

delay
5
install
true
install_file
audiodvs.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+June1-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-62B5ZW6

Attributes

InstallPath
word.exe
gencode
T8Q4ENhuqy1g
install
true
offline_keylogger
false
password
hhhhhh
persistence
true
reg_key
word

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

win_sv88778sl

Attributes

delay
5000
install_path
temp
port
4488
startup_name
logons

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms4C6B.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word.exe"	sms4C6B.tmp

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp	family_asyncrat

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 5 IoCs

Processes:

sms42EA.tmpsms4C6B.tmpInstallUtil.exeAUDIOPT.EXEAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms42EA.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms4C6B.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Executes dropped EXE 58 IoCs

Processes:

sms42EA.tmpEDGEN.EXEUSBDRV.EXEWINLISTS.EXEWINNOTE.EXEWRAR.EXEsms4B24.tmpsms4C6B.tmpsms4DF1.tmpviewpdf.exeword.exeaudiodvs.exeAUDIOPT.EXEADOBESERV.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEEDGEN.EXEEDGEN.EXEDRVVIDEO.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINPLAY.EXEWINPLAY.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEAUDIOPT.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEWINLOGONL.EXEDRVVIDEO.EXEWINLOGONL.EXEAUDIOPT.EXEEDGEN.EXEEDGEN.EXEwintskl.exewintskl.exe

pid	process
2916	sms42EA.tmp
2804	EDGEN.EXE
3060	USBDRV.EXE
2712	WINLISTS.EXE
2616	WINNOTE.EXE
2672	WRAR.EXE
2936	sms4B24.tmp
760	sms4C6B.tmp
800	sms4DF1.tmp
536	viewpdf.exe
572	word.exe
984	audiodvs.exe
2920	AUDIOPT.EXE
3008	ADOBESERV.EXE
2364	DRVVIDEO.EXE
2732	WINCPUL.EXE
2492	WINLOGONL.EXE
2984	WINPLAY.EXE
2172	ADOBESERV.EXE
1732	DRVVIDEO.EXE
2216	WINLOGONL.EXE
2184	AUDIOPT.EXE
348	WINCPUL.EXE
2428	WINPLAY.EXE
1372	EDGEN.EXE
2776	EDGEN.EXE
1296	DRVVIDEO.EXE
1088	WINCPUL.EXE
1836	WINCPUL.EXE
1976	WINCPUL.EXE
1424	WINCPUL.EXE
900	WINCPUL.EXE
1664	WINCPUL.EXE
2212	WINCPUL.EXE
2644	WINCPUL.EXE
1680	WINCPUL.EXE
2652	WINCPUL.EXE
2632	WINPLAY.EXE
1760	WINPLAY.EXE
1800	WINCPUL.EXE
744	WINCPUL.EXE
2452	WINCPUL.EXE
1940	WINCPUL.EXE
2820	WINCPUL.EXE
2328	WINCPUL.EXE
2660	WINCPUL.EXE
2196	AUDIOPT.EXE
2748	WINCPUL.EXE
2612	WINCPUL.EXE
2644	WINCPUL.EXE
1664	WINLOGONL.EXE
2420	DRVVIDEO.EXE
2056	WINLOGONL.EXE
2996	AUDIOPT.EXE
2128	EDGEN.EXE
1616	EDGEN.EXE
2156	wintskl.exe
1080	wintskl.exe

Loads dropped DLL 59 IoCs

Processes:

sms42EA.tmpsms4DF1.tmpsms4C6B.tmpInstallUtil.exeEDGEN.EXEEDGEN.EXEDRVVIDEO.EXEWINCPUL.EXEWINPLAY.EXEWINPLAY.EXEWINCPUL.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEWINLOGONL.EXEAUDIOPT.EXEEDGEN.EXEcmd.exe

pid	process
2916	sms42EA.tmp
2916	sms42EA.tmp
2916	sms42EA.tmp
2916	sms42EA.tmp
2916	sms42EA.tmp
2916	sms42EA.tmp
2916	sms42EA.tmp
2708
2604
2524
2916	sms42EA.tmp
800	sms4DF1.tmp
760	sms4C6B.tmp
760	sms4C6B.tmp
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2248	InstallUtil.exe
2804	EDGEN.EXE
1372	EDGEN.EXE
2364	DRVVIDEO.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2984	WINPLAY.EXE
2428	WINPLAY.EXE
348	WINCPUL.EXE
348	WINCPUL.EXE
348	WINCPUL.EXE
348	WINCPUL.EXE
348	WINCPUL.EXE
348	WINCPUL.EXE
348	WINCPUL.EXE
348	WINCPUL.EXE
2920	AUDIOPT.EXE
348	WINCPUL.EXE
2216	WINLOGONL.EXE
348	WINCPUL.EXE
1732	DRVVIDEO.EXE
2492	WINLOGONL.EXE
2184	AUDIOPT.EXE
2776	EDGEN.EXE
2776	EDGEN.EXE
532	cmd.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	upx
behavioral1/memory/2916-11-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral1/memory/2916-16-0x0000000000400000-0x000000000089A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	upx
behavioral1/memory/760-79-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral1/memory/572-179-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral1/memory/760-185-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral1/memory/2916-193-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral1/memory/572-363-0x0000000000400000-0x00000000004C7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AUDIOPT.EXEWINLOGONL.EXEWINLOGONL.EXEword.exeDRVVIDEO.EXEAUDIOPT.EXEsms4C6B.tmpviewpdf.exeDRVVIDEO.EXEADOBESERV.EXEsms4DF1.tmpWRAR.EXEADOBESERV.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	word.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	sms4C6B.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	viewpdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	sms4DF1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WRAR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE

Suspicious use of SetThreadContext 14 IoCs

Processes:

WRAR.EXEEDGEN.EXEDRVVIDEO.EXEWINPLAY.EXEWINPLAY.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEADOBESERV.EXEWINLOGONL.EXEADOBESERV.EXEAUDIOPT.EXEEDGEN.EXEwintskl.exe

description	pid	process	target process
PID 2672 set thread context of 2248	2672	WRAR.EXE	InstallUtil.exe
PID 2804 set thread context of 1372	2804	EDGEN.EXE	EDGEN.EXE
PID 2364 set thread context of 1296	2364	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 2984 set thread context of 2632	2984	WINPLAY.EXE	WINPLAY.EXE
PID 2428 set thread context of 1760	2428	WINPLAY.EXE	WINPLAY.EXE
PID 2920 set thread context of 2196	2920	AUDIOPT.EXE	AUDIOPT.EXE
PID 2216 set thread context of 1664	2216	WINLOGONL.EXE	WINLOGONL.EXE
PID 1732 set thread context of 2420	1732	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 3008 set thread context of 1748	3008	ADOBESERV.EXE	InstallUtil.exe
PID 2492 set thread context of 2056	2492	WINLOGONL.EXE	WINLOGONL.EXE
PID 2172 set thread context of 2096	2172	ADOBESERV.EXE	InstallUtil.exe
PID 2184 set thread context of 2996	2184	AUDIOPT.EXE	AUDIOPT.EXE
PID 2776 set thread context of 1616	2776	EDGEN.EXE	EDGEN.EXE
PID 2156 set thread context of 1080	2156	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1432 timeout.exe
2216 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

352 schtasks.exe
1788 schtasks.exe
884 schtasks.exe

pid	process
1432	timeout.exe
2216	timeout.exe

pid	process
352	schtasks.exe
1788	schtasks.exe
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesms4B24.tmpWRAR.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaudiodvs.exeDRVVIDEO.EXEWINCPUL.EXE

pid	process
1780	powershell.exe
2936	sms4B24.tmp
2936	sms4B24.tmp
2936	sms4B24.tmp
2672	WRAR.EXE
2672	WRAR.EXE
2208	powershell.exe
316	powershell.exe
2568	powershell.exe
480	powershell.exe
800	powershell.exe
2480	powershell.exe
2152	powershell.exe
3060	powershell.exe
2932	powershell.exe
352	powershell.exe
328	powershell.exe
2052	powershell.exe
984	audiodvs.exe
2364	DRVVIDEO.EXE
2364	DRVVIDEO.EXE
2364	DRVVIDEO.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE
2732	WINCPUL.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

viewpdf.exeInstallUtil.exe

pid process

536 viewpdf.exe
1748 InstallUtil.exe

pid	process
536	viewpdf.exe
1748	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sms42EA.tmpsms4C6B.tmpsms4DF1.tmpviewpdf.exeword.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2916	sms42EA.tmp
Token: SeSecurityPrivilege	2916	sms42EA.tmp
Token: SeTakeOwnershipPrivilege	2916	sms42EA.tmp
Token: SeLoadDriverPrivilege	2916	sms42EA.tmp
Token: SeSystemProfilePrivilege	2916	sms42EA.tmp
Token: SeSystemtimePrivilege	2916	sms42EA.tmp
Token: SeProfSingleProcessPrivilege	2916	sms42EA.tmp
Token: SeIncBasePriorityPrivilege	2916	sms42EA.tmp
Token: SeCreatePagefilePrivilege	2916	sms42EA.tmp
Token: SeBackupPrivilege	2916	sms42EA.tmp
Token: SeRestorePrivilege	2916	sms42EA.tmp
Token: SeShutdownPrivilege	2916	sms42EA.tmp
Token: SeDebugPrivilege	2916	sms42EA.tmp
Token: SeSystemEnvironmentPrivilege	2916	sms42EA.tmp
Token: SeChangeNotifyPrivilege	2916	sms42EA.tmp
Token: SeRemoteShutdownPrivilege	2916	sms42EA.tmp
Token: SeUndockPrivilege	2916	sms42EA.tmp
Token: SeManageVolumePrivilege	2916	sms42EA.tmp
Token: SeImpersonatePrivilege	2916	sms42EA.tmp
Token: SeCreateGlobalPrivilege	2916	sms42EA.tmp
Token: 33	2916	sms42EA.tmp
Token: 34	2916	sms42EA.tmp
Token: 35	2916	sms42EA.tmp
Token: SeIncreaseQuotaPrivilege	760	sms4C6B.tmp
Token: SeSecurityPrivilege	760	sms4C6B.tmp
Token: SeTakeOwnershipPrivilege	760	sms4C6B.tmp
Token: SeLoadDriverPrivilege	760	sms4C6B.tmp
Token: SeSystemProfilePrivilege	760	sms4C6B.tmp
Token: SeSystemtimePrivilege	760	sms4C6B.tmp
Token: SeProfSingleProcessPrivilege	760	sms4C6B.tmp
Token: SeIncBasePriorityPrivilege	760	sms4C6B.tmp
Token: SeCreatePagefilePrivilege	760	sms4C6B.tmp
Token: SeBackupPrivilege	760	sms4C6B.tmp
Token: SeRestorePrivilege	760	sms4C6B.tmp
Token: SeShutdownPrivilege	760	sms4C6B.tmp
Token: SeDebugPrivilege	760	sms4C6B.tmp
Token: SeSystemEnvironmentPrivilege	760	sms4C6B.tmp
Token: SeChangeNotifyPrivilege	760	sms4C6B.tmp
Token: SeRemoteShutdownPrivilege	760	sms4C6B.tmp
Token: SeUndockPrivilege	760	sms4C6B.tmp
Token: SeManageVolumePrivilege	760	sms4C6B.tmp
Token: SeImpersonatePrivilege	760	sms4C6B.tmp
Token: SeCreateGlobalPrivilege	760	sms4C6B.tmp
Token: 33	760	sms4C6B.tmp
Token: 34	760	sms4C6B.tmp
Token: 35	760	sms4C6B.tmp
Token: SeShutdownPrivilege	800	sms4DF1.tmp
Token: SeDebugPrivilege	800	sms4DF1.tmp
Token: SeTcbPrivilege	800	sms4DF1.tmp
Token: SeShutdownPrivilege	536	viewpdf.exe
Token: SeDebugPrivilege	536	viewpdf.exe
Token: SeTcbPrivilege	536	viewpdf.exe
Token: SeIncreaseQuotaPrivilege	572	word.exe
Token: SeSecurityPrivilege	572	word.exe
Token: SeTakeOwnershipPrivilege	572	word.exe
Token: SeLoadDriverPrivilege	572	word.exe
Token: SeSystemProfilePrivilege	572	word.exe
Token: SeSystemtimePrivilege	572	word.exe
Token: SeProfSingleProcessPrivilege	572	word.exe
Token: SeIncBasePriorityPrivilege	572	word.exe
Token: SeCreatePagefilePrivilege	572	word.exe
Token: SeBackupPrivilege	572	word.exe
Token: SeRestorePrivilege	572	word.exe
Token: SeShutdownPrivilege	572	word.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

viewpdf.exeInstallUtil.exeAUDIOPT.EXEInstallUtil.exe

pid process

536 viewpdf.exe
2248 InstallUtil.exe
2196 AUDIOPT.EXE
1748 InstallUtil.exe

pid	process
536	viewpdf.exe
2248	InstallUtil.exe
2196	AUDIOPT.EXE
1748	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a9bf696f1af170e0e1b5ede752a1578.exesms42EA.tmpWINLISTS.EXEUSBDRV.EXEsms4C6B.tmpWINNOTE.EXEsms4DF1.tmpword.exe

description	pid	process	target process
PID 1192 wrote to memory of 2916	1192	2a9bf696f1af170e0e1b5ede752a1578.exe	sms42EA.tmp
PID 1192 wrote to memory of 2916	1192	2a9bf696f1af170e0e1b5ede752a1578.exe	sms42EA.tmp
PID 1192 wrote to memory of 2916	1192	2a9bf696f1af170e0e1b5ede752a1578.exe	sms42EA.tmp
PID 1192 wrote to memory of 2916	1192	2a9bf696f1af170e0e1b5ede752a1578.exe	sms42EA.tmp
PID 2916 wrote to memory of 2804	2916	sms42EA.tmp	EDGEN.EXE
PID 2916 wrote to memory of 2804	2916	sms42EA.tmp	EDGEN.EXE
PID 2916 wrote to memory of 2804	2916	sms42EA.tmp	EDGEN.EXE
PID 2916 wrote to memory of 2804	2916	sms42EA.tmp	EDGEN.EXE
PID 2916 wrote to memory of 3060	2916	sms42EA.tmp	USBDRV.EXE
PID 2916 wrote to memory of 3060	2916	sms42EA.tmp	USBDRV.EXE
PID 2916 wrote to memory of 3060	2916	sms42EA.tmp	USBDRV.EXE
PID 2916 wrote to memory of 3060	2916	sms42EA.tmp	USBDRV.EXE
PID 2916 wrote to memory of 2712	2916	sms42EA.tmp	WINLISTS.EXE
PID 2916 wrote to memory of 2712	2916	sms42EA.tmp	WINLISTS.EXE
PID 2916 wrote to memory of 2712	2916	sms42EA.tmp	WINLISTS.EXE
PID 2916 wrote to memory of 2712	2916	sms42EA.tmp	WINLISTS.EXE
PID 2916 wrote to memory of 2616	2916	sms42EA.tmp	WINNOTE.EXE
PID 2916 wrote to memory of 2616	2916	sms42EA.tmp	WINNOTE.EXE
PID 2916 wrote to memory of 2616	2916	sms42EA.tmp	WINNOTE.EXE
PID 2916 wrote to memory of 2616	2916	sms42EA.tmp	WINNOTE.EXE
PID 2916 wrote to memory of 2672	2916	sms42EA.tmp	WRAR.EXE
PID 2916 wrote to memory of 2672	2916	sms42EA.tmp	WRAR.EXE
PID 2916 wrote to memory of 2672	2916	sms42EA.tmp	WRAR.EXE
PID 2916 wrote to memory of 2672	2916	sms42EA.tmp	WRAR.EXE
PID 2712 wrote to memory of 2936	2712	WINLISTS.EXE	sms4B24.tmp
PID 2712 wrote to memory of 2936	2712	WINLISTS.EXE	sms4B24.tmp
PID 2712 wrote to memory of 2936	2712	WINLISTS.EXE	sms4B24.tmp
PID 3060 wrote to memory of 760	3060	USBDRV.EXE	sms4C6B.tmp
PID 3060 wrote to memory of 760	3060	USBDRV.EXE	sms4C6B.tmp
PID 3060 wrote to memory of 760	3060	USBDRV.EXE	sms4C6B.tmp
PID 3060 wrote to memory of 760	3060	USBDRV.EXE	sms4C6B.tmp
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 760 wrote to memory of 2224	760	sms4C6B.tmp	notepad.exe
PID 2616 wrote to memory of 800	2616	WINNOTE.EXE	sms4DF1.tmp
PID 2616 wrote to memory of 800	2616	WINNOTE.EXE	sms4DF1.tmp
PID 2616 wrote to memory of 800	2616	WINNOTE.EXE	sms4DF1.tmp
PID 2616 wrote to memory of 800	2616	WINNOTE.EXE	sms4DF1.tmp
PID 800 wrote to memory of 536	800	sms4DF1.tmp	viewpdf.exe
PID 800 wrote to memory of 536	800	sms4DF1.tmp	viewpdf.exe
PID 800 wrote to memory of 536	800	sms4DF1.tmp	viewpdf.exe
PID 800 wrote to memory of 536	800	sms4DF1.tmp	viewpdf.exe
PID 760 wrote to memory of 572	760	sms4C6B.tmp	word.exe
PID 760 wrote to memory of 572	760	sms4C6B.tmp	word.exe
PID 760 wrote to memory of 572	760	sms4C6B.tmp	word.exe
PID 760 wrote to memory of 572	760	sms4C6B.tmp	word.exe
PID 572 wrote to memory of 1612	572	word.exe	notepad.exe
PID 572 wrote to memory of 1612	572	word.exe	notepad.exe
PID 572 wrote to memory of 1612	572	word.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe
"C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp
  "C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
    "C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
      "C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
        6⤵
        Executes dropped EXE
        
        PID:2128
      - C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2607.tmp" /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1788
- - C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
    "C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp"
      4⤵
      Modifies WinLogon for persistence
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2224
    - - C:\Users\Admin\Documents\word.exe
        
        "C:\Users\Admin\Documents\word.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:1612
- - C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2936
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:352
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D13.tmp.bat""
        5⤵
        
        PID:1928
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1432
      - C:\Users\Admin\AppData\Roaming\audiodvs.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodvs.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:984
- - C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\ProgramData\pdfview\viewpdf.exe
        
        "C:\ProgramData\pdfview\viewpdf.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:536
- - C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
    "C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Drops file in Drivers directory
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2248
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3008
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2920
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1836
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:900
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1680
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2492
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:480
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2984
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CB2.tmp.bat""
        7⤵
        Loads dropped DLL
        
        PID:532
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        9⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        Executes dropped EXE
        
        PID:1080
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2184
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:328
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1732
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:348
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2452
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2748
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2216
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2428
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:352
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
421KB

MD5
be6c7a291d10a15274a0613a3d7d373d

SHA1
e9a7d7ee40f875b5f6b2a5ae85825f5f1b510011

SHA256
13f76dc27178fc55f0a9dc756e894195683668d1592f399eab4399825abbdcec

SHA512
5b40578a08b0b44b27ad27cda6d2aafb3ec51b209b0c16f4bfdf589131b36770b738c0278870c5d57fc0daadf9638ded25362363a12ceff1c932afb6c4301bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE

Filesize
177KB

MD5
e4cee8675eb9bee518fceb46df6b0171

SHA1
e7a4d534e4fe3930d34178d1e50866201dd9f4dd

SHA256
dbe3e996ba14398b16753ce4be959bde4fb308e0e81c1a24c1632560b4e8396a

SHA512
612a02353ba58f0649ccb89a10ef87ab72968734301c8e97f5c69631177dffbd29b03bcab30e44706dcd7103bdc1f735935012fed5dd219e13fe7ed9bae46205

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE

Filesize
850KB

MD5
adc072db38c95f07ba096def8010ec23

SHA1
97470255c4075752e4e0f120847107ed9bad60f8

SHA256
f20d872a03c3a41b240d03b30ad8417e841e5bcfb659bd2ad863a02e215e22f4

SHA512
bec583fa431c13443238db3cec8f555914df682666ae5cf8b7151401728ab26dcc1431d4bb903c5e56f9e26cdd06c8e777eba267549bbf7da1e09688822cb4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRAR.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp

Filesize
3.8MB

MD5
03813d38cc7820f9c68f6764e477bd68

SHA1
ef02c9634f6d7a17a66d78dcc98f6154971d1e73

SHA256
572cf83b14d8eb05be377d4cc8ad6196c9994f815a2ff47cfee2d68219d83c4d

SHA512
1d17f353e3c0adccae832fffbc4d189e7b1b9868f5f4410205e53796387a9f1fe5c7a87bde1546fc022eb671b68ceb7fb67da59846a4dc880dcf230aeb50edd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp

Filesize
46KB

MD5
10b549c788d008fc48cccac97d0d41f5

SHA1
f0c723bb0c9123875a1a208e3ec46f4ec4108be0

SHA256
589c8fa2d213b58ab009ff4caae02a61d4d60a6fa61567f208017fef136363a9

SHA512
bc7f033012190ba6ccc2c76c4d32a1814bb4960d209d39edf5960f27b51f3e448b4ae0d26c8b68f3239eb499abfdc1bea2324fc3d7841ea1521c5f0c42f4df88

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp

Filesize
283KB

MD5
02ea195dd67861f845f7fd66af7a0599

SHA1
e9b9e4a8fb39b838c4ffd7321f26b53eff9aca73

SHA256
df4fa66d72e0dec0ad47af48f25e8fe0e9cf2361ba19340b014e871f418ff207

SHA512
d198baa7a8f20922ef63d34504b0cbfe1dfefb4b72d7763063480699ae4184e1d48e7dd64ddb6f18414c508ce6e80085e42a86daea5ea678a8942b3b628de8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp

Filesize
733KB

MD5
e071c8ee33d217c10b415c30365e608b

SHA1
91e6cecaa37634d500db49536876cbc9ecb09683

SHA256
835c2a9f31f166d13dd4db17b76a4731194214566e7a39df674afa292feef6b8

SHA512
17b5f6229a74fb85af3aec28768f1be072ae99e5f2596fca7737e91e525bdf67865caa906f3c4c6eadfaa4df9a1aee7a1adc3effa72fa1cc68bbc8e41daba960

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3CB2.tmp.bat

Filesize
151B

MD5
58654dd3ebf7499eb974760ced8d4876

SHA1
b19a11b5c0935d8af2d80086e78e614cadfd213c

SHA256
046571a55cbb0a0a24b960dee91e9278829b634ff7d161aa3c5e683b65585c23

SHA512
4d7df70b7c6ee56332c18a38f894a198de33e81fedd12be429f3600fa0409a06d8dc61cba8ff2f031e48da6fbe2e2ddadfc5facce7f61fbc2d827d67dd19909c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D13.tmp.bat

Filesize
152B

MD5
6dfba0f95b662a38762f4337edeff2bd

SHA1
b446a3f562bae7d3e0ad257caac20ee640c653da

SHA256
b541a0b0a1b1c3135c794425d121e751b2de2a1fa994066ddd9c60fc2b6aa1a1

SHA512
7279087e83d54e6fe8c23707fb653660c2f784d3b1c5e6bcee2721e27c095c44a246a346d78c4b9392864479697af947cb00ae9a4702968332c3b2954b47d6a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\83PRCAY3W5PQYVXZ986Q.temp

Filesize
7KB

MD5
c6ee5a1be9c5b7c35cab9cf5e6f689c4

SHA1
0a6c4cd9a7e3d1dd9a11742de6efadaa28875b2c

SHA256
0cfbb2a100772c26f1ec0ba70c8cfc54b12f7f132ae4a9e001a466536186de4c

SHA512
fced974d92bff8d05b21b1210781260e22c5c9fe417749c9039fab93b69ee8b415d3ad8602c96c615feb13bd4227934bb5c509c8a508a2326a2676d59dd74c99

Download Submit
C:\Users\Admin\AppData\Roaming\audiodvs.exe

Filesize
47.7MB

MD5
776d03ee3ff34cdda7c370b03106ee49

SHA1
d02c04eae689a7a91116d62b5584ee447997a9bb

SHA256
bced54d9a343ba12abab3d3b797947344baffef6af651fb6b6cb35b3ec64667e

SHA512
ea61d89684fab7a4ed5daade4ea5e58eb9c7f4eaa4b14a61c24edf9306dd2158b0a787a4514cd33cf212433b2d67ff7403181c5cb48b6755436d95f07aa72ab7

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
46.4MB

MD5
893ba5076bdd51e397382cabaf95561a

SHA1
f3b3fc1e87d66a09803fe3af0c3914ff0b110914

SHA256
f078de22db5f1103abf1c44db78aa1a49de77ad292beb76920832637e7f15d1c

SHA512
25cca36d7617944a3916ce09a633db59ebc63a4bb170a2dfdd3f9f2b6761f79006c47958d888477c5e4bb329ed1204e8c190fd315117f7d97dceed9269083cc3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\EDGEN.EXE

Filesize
272KB

MD5
f15e71a4533bed5e3d3a79f6b73862a6

SHA1
f1007480f2924e6b35d96b65e6cc0fdee6edb07c

SHA256
63b57bcc9105ace9e2dc463a160c5a7c4d2b22f17229a0c9b5c58454a42d7a89

SHA512
31dbdd945a121d8b8408be150d336a98f04f9dd1df5505d79c61d404aeff61d92d0eaaa973d34c2aaff95280c00431d26198a2ee3ec616c1edce9dca8624e99b

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
memory/572-179-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/572-363-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/760-185-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/760-177-0x0000000003E00000-0x0000000003EC7000-memory.dmp

Filesize
796KB

Download
memory/760-178-0x0000000003E00000-0x0000000003EC7000-memory.dmp

Filesize
796KB

Download
memory/760-79-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/984-217-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/1192-189-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/1192-0-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/1192-1-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/1192-2-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/1192-3-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/1192-4-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/1192-191-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/1372-356-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2156-561-0x0000000000DB0000-0x0000000000E2C000-memory.dmp

Filesize
496KB

Download
memory/2224-86-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2224-114-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2364-275-0x0000000000D30000-0x0000000000DB6000-memory.dmp

Filesize
536KB

Download
memory/2364-277-0x0000000000670000-0x00000000006CC000-memory.dmp

Filesize
368KB

Download
memory/2492-282-0x0000000000D00000-0x0000000000D86000-memory.dmp

Filesize
536KB

Download
memory/2492-284-0x0000000000C20000-0x0000000000C7A000-memory.dmp

Filesize
360KB

Download
memory/2616-127-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2616-57-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2632-399-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2672-180-0x00000000056D0000-0x00000000058BC000-memory.dmp

Filesize
1.9MB

Download
memory/2672-65-0x0000000000890000-0x0000000000ABA000-memory.dmp

Filesize
2.2MB

Download
memory/2672-181-0x00000000047F0000-0x000000000483C000-memory.dmp

Filesize
304KB

Download
memory/2672-73-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2712-44-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/2712-200-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/2732-279-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/2732-280-0x0000000001F80000-0x0000000001FDC000-memory.dmp

Filesize
368KB

Download
memory/2776-361-0x0000000001350000-0x000000000139A000-memory.dmp

Filesize
296KB

Download
memory/2804-343-0x0000000000550000-0x000000000057E000-memory.dmp

Filesize
184KB

Download
memory/2804-66-0x00000000000C0000-0x000000000010A000-memory.dmp

Filesize
296KB

Download
memory/2804-58-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2916-16-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2916-213-0x00000000038B0000-0x0000000003C00000-memory.dmp

Filesize
3.3MB

Download
memory/2916-43-0x00000000038B0000-0x0000000003961000-memory.dmp

Filesize
708KB

Download
memory/2916-199-0x00000000038B0000-0x0000000003961000-memory.dmp

Filesize
708KB

Download
memory/2916-54-0x00000000038B0000-0x0000000003C00000-memory.dmp

Filesize
3.3MB

Download
memory/2916-11-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2916-193-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2916-201-0x00000000038B0000-0x0000000003C00000-memory.dmp

Filesize
3.3MB

Download
memory/2916-197-0x00000000038B0000-0x0000000003A52000-memory.dmp

Filesize
1.6MB

Download
memory/2916-55-0x00000000038B0000-0x0000000003C00000-memory.dmp

Filesize
3.3MB

Download
memory/2916-39-0x00000000038B0000-0x0000000003A52000-memory.dmp

Filesize
1.6MB

Download
memory/2916-198-0x00000000038B0000-0x0000000003961000-memory.dmp

Filesize
708KB

Download
memory/2916-42-0x00000000038B0000-0x0000000003961000-memory.dmp

Filesize
708KB

Download
memory/2920-273-0x00000000013B0000-0x0000000001468000-memory.dmp

Filesize
736KB

Download
memory/2920-274-0x0000000000E90000-0x0000000000F18000-memory.dmp

Filesize
544KB

Download
memory/2936-71-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/2984-281-0x0000000001350000-0x00000000013CC000-memory.dmp

Filesize
496KB

Download
memory/2984-283-0x0000000000510000-0x0000000000560000-memory.dmp

Filesize
320KB

Download
memory/3008-276-0x0000000000EA0000-0x0000000000F9A000-memory.dmp

Filesize
1000KB

Download
memory/3008-278-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/3008-291-0x00000000043A0000-0x0000000004442000-memory.dmp

Filesize
648KB

Download
memory/3060-41-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/3060-187-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download