asyncrat | 5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0

Analysis

max time kernel
16s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release_lava.exe
Size

5.5MB
MD5

de557c3360f872d88f7a807b8cc0aabb
SHA1

8beb7bbb77e52d4076924791afacd50475d0c0d0
SHA256

5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0
SHA512

d2cf879e061403c03fc61a797308fef01e9ecad4052fa674878d24c63bfd7af919b2ecb0229f4ba83bc78d3793e585d85f9a6f868b18d47ccaf48138d5d9b823
SSDEEP

98304:2+5NpZB2er+PqXfcGJy+P0gNiQIO0cpKmjDBhBtYlhW6mf9i3/n4d4:BpZBrHkkFJipRqKmZhYDW6+ivn

Score

10^/10

asyncrat stormkitty default evasion execution persistence rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6471941882:AAHasaNCecS7ngmuNpsLq1sIjTyBjQRkZ8U/sendMessage?chat_id=5383408154

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023489-15.dat	family_stormkitty
behavioral2/memory/4880-23-0x0000000000430000-0x0000000000462000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023489-15.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4904	powershell.exe
1532	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	release.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	release_lava.exe

Executes dropped EXE 3 IoCs

pid	Process
4616	release.exe
4880	Server.exe
496	updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
27	pastebin.com
48	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	release.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4616 set thread context of 4956	4616	release.exe	115
PID 496 set thread context of 6068	496	updater.exe	151
PID 496 set thread context of 6108	496	updater.exe	153
PID 496 set thread context of 1340	496	updater.exe	154

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2804	sc.exe
5892	sc.exe
1844	sc.exe
5840	sc.exe
5656	sc.exe
932	sc.exe
1912	sc.exe
1400	sc.exe
3124	sc.exe
5584	sc.exe
3104	sc.exe
1136	sc.exe
3924	sc.exe
5952	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	release.exe
4904	powershell.exe
4904	powershell.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4616	release.exe
4956	dialer.exe
4956	dialer.exe
4616	release.exe
4616	release.exe
4616	release.exe
496	updater.exe
1532	powershell.exe
1532	powershell.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
1532	powershell.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
1532	powershell.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
4956	dialer.exe
496	updater.exe
496	updater.exe
496	updater.exe
4956	dialer.exe
4956	dialer.exe
496	updater.exe
496	updater.exe
4956	dialer.exe
4956	dialer.exe
496	updater.exe
496	updater.exe
496	updater.exe
496	updater.exe
496	updater.exe
496	updater.exe
496	updater.exe
6068	dialer.exe
6068	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	Server.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4956	dialer.exe
Token: SeShutdownPrivilege	1756	powercfg.exe
Token: SeCreatePagefilePrivilege	1756	powercfg.exe
Token: SeShutdownPrivilege	3600	powercfg.exe
Token: SeCreatePagefilePrivilege	3600	powercfg.exe
Token: SeShutdownPrivilege	2636	powercfg.exe
Token: SeCreatePagefilePrivilege	2636	powercfg.exe
Token: SeShutdownPrivilege	216	powercfg.exe
Token: SeCreatePagefilePrivilege	216	powercfg.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	2076	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2076	mousocoreworker.exe
Token: SeDebugPrivilege	6068	dialer.exe
Token: SeShutdownPrivilege	6004	powercfg.exe
Token: SeCreatePagefilePrivilege	6004	powercfg.exe
Token: SeShutdownPrivilege	6020	powercfg.exe
Token: SeCreatePagefilePrivilege	6020	powercfg.exe
Token: SeLockMemoryPrivilege	1340	dialer.exe
Token: SeShutdownPrivilege	6012	powercfg.exe
Token: SeCreatePagefilePrivilege	6012	powercfg.exe
Token: SeShutdownPrivilege	5996	powercfg.exe
Token: SeCreatePagefilePrivilege	5996	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	2140	svchost.exe
Token: SeIncreaseQuotaPrivilege	2140	svchost.exe
Token: SeSecurityPrivilege	2140	svchost.exe
Token: SeTakeOwnershipPrivilege	2140	svchost.exe
Token: SeLoadDriverPrivilege	2140	svchost.exe
Token: SeSystemtimePrivilege	2140	svchost.exe
Token: SeBackupPrivilege	2140	svchost.exe
Token: SeRestorePrivilege	2140	svchost.exe
Token: SeShutdownPrivilege	2140	svchost.exe
Token: SeSystemEnvironmentPrivilege	2140	svchost.exe
Token: SeUndockPrivilege	2140	svchost.exe
Token: SeManageVolumePrivilege	2140	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2140	svchost.exe
Token: SeIncreaseQuotaPrivilege	2140	svchost.exe
Token: SeSecurityPrivilege	2140	svchost.exe
Token: SeTakeOwnershipPrivilege	2140	svchost.exe
Token: SeLoadDriverPrivilege	2140	svchost.exe
Token: SeSystemtimePrivilege	2140	svchost.exe
Token: SeBackupPrivilege	2140	svchost.exe
Token: SeRestorePrivilege	2140	svchost.exe
Token: SeShutdownPrivilege	2140	svchost.exe
Token: SeSystemEnvironmentPrivilege	2140	svchost.exe
Token: SeUndockPrivilege	2140	svchost.exe
Token: SeManageVolumePrivilege	2140	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2140	svchost.exe
Token: SeIncreaseQuotaPrivilege	2140	svchost.exe
Token: SeSecurityPrivilege	2140	svchost.exe
Token: SeTakeOwnershipPrivilege	2140	svchost.exe
Token: SeLoadDriverPrivilege	2140	svchost.exe
Token: SeSystemtimePrivilege	2140	svchost.exe
Token: SeBackupPrivilege	2140	svchost.exe
Token: SeRestorePrivilege	2140	svchost.exe
Token: SeShutdownPrivilege	2140	svchost.exe
Token: SeSystemEnvironmentPrivilege	2140	svchost.exe
Token: SeUndockPrivilege	2140	svchost.exe
Token: SeManageVolumePrivilege	2140	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2140	svchost.exe
Token: SeIncreaseQuotaPrivilege	2140	svchost.exe
Token: SeSecurityPrivilege	2140	svchost.exe
Token: SeTakeOwnershipPrivilege	2140	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4616	2576	release_lava.exe	93
PID 2576 wrote to memory of 4616	2576	release_lava.exe	93
PID 2576 wrote to memory of 4880	2576	release_lava.exe	94
PID 2576 wrote to memory of 4880	2576	release_lava.exe	94
PID 2576 wrote to memory of 4880	2576	release_lava.exe	94
PID 5052 wrote to memory of 3408	5052	cmd.exe	101
PID 5052 wrote to memory of 3408	5052	cmd.exe	101
PID 4616 wrote to memory of 4956	4616	release.exe	115
PID 4616 wrote to memory of 4956	4616	release.exe	115
PID 4616 wrote to memory of 4956	4616	release.exe	115
PID 4616 wrote to memory of 4956	4616	release.exe	115
PID 4616 wrote to memory of 4956	4616	release.exe	115
PID 4616 wrote to memory of 4956	4616	release.exe	115
PID 4616 wrote to memory of 4956	4616	release.exe	115
PID 4956 wrote to memory of 632	4956	dialer.exe	5
PID 4956 wrote to memory of 688	4956	dialer.exe	7
PID 4956 wrote to memory of 968	4956	dialer.exe	12
PID 4956 wrote to memory of 64	4956	dialer.exe	13
PID 4956 wrote to memory of 532	4956	dialer.exe	14
PID 4956 wrote to memory of 436	4956	dialer.exe	15
PID 4956 wrote to memory of 1036	4956	dialer.exe	16
PID 4956 wrote to memory of 1040	4956	dialer.exe	17
PID 4956 wrote to memory of 1192	4956	dialer.exe	19
PID 4956 wrote to memory of 1220	4956	dialer.exe	20
PID 4956 wrote to memory of 1292	4956	dialer.exe	21
PID 4956 wrote to memory of 1352	4956	dialer.exe	22
PID 4956 wrote to memory of 1372	4956	dialer.exe	23
PID 4956 wrote to memory of 1384	4956	dialer.exe	24
PID 4956 wrote to memory of 1392	4956	dialer.exe	25
PID 4956 wrote to memory of 1544	4956	dialer.exe	26
PID 4956 wrote to memory of 1564	4956	dialer.exe	27
PID 4956 wrote to memory of 1572	4956	dialer.exe	28
PID 4956 wrote to memory of 1636	4956	dialer.exe	29
PID 4956 wrote to memory of 1712	4956	dialer.exe	30
PID 4956 wrote to memory of 1796	4956	dialer.exe	31
PID 4956 wrote to memory of 1820	4956	dialer.exe	32
PID 4956 wrote to memory of 1944	4956	dialer.exe	33
PID 4956 wrote to memory of 1952	4956	dialer.exe	34
PID 4956 wrote to memory of 1964	4956	dialer.exe	35
PID 4956 wrote to memory of 2040	4956	dialer.exe	36
PID 4956 wrote to memory of 2120	4956	dialer.exe	37
PID 4956 wrote to memory of 2140	4956	dialer.exe	38
PID 4956 wrote to memory of 2260	4956	dialer.exe	40
PID 4956 wrote to memory of 2308	4956	dialer.exe	41
PID 4956 wrote to memory of 2444	4956	dialer.exe	42
PID 4956 wrote to memory of 2452	4956	dialer.exe	43
PID 4956 wrote to memory of 2588	4956	dialer.exe	44
PID 4956 wrote to memory of 2656	4956	dialer.exe	45
PID 4956 wrote to memory of 2684	4956	dialer.exe	46
PID 4956 wrote to memory of 2704	4956	dialer.exe	47
PID 4956 wrote to memory of 2724	4956	dialer.exe	48
PID 4956 wrote to memory of 2860	4956	dialer.exe	50
PID 4956 wrote to memory of 2940	4956	dialer.exe	51
PID 4956 wrote to memory of 2484	4956	dialer.exe	52
PID 4956 wrote to memory of 3080	4956	dialer.exe	53
PID 4956 wrote to memory of 3144	4956	dialer.exe	54
PID 4956 wrote to memory of 3456	4956	dialer.exe	55
PID 4956 wrote to memory of 3536	4956	dialer.exe	56
PID 4956 wrote to memory of 3656	4956	dialer.exe	57
PID 4956 wrote to memory of 3848	4956	dialer.exe	58
PID 4956 wrote to memory of 4048	4956	dialer.exe	60
PID 4956 wrote to memory of 4100	4956	dialer.exe	62
PID 4956 wrote to memory of 2464	4956	dialer.exe	64
PID 4956 wrote to memory of 3116	4956	dialer.exe	66

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1192
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1564
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2656

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2940

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3456

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\release_lava.exe
  "C:\Users\Admin\AppData\Local\Temp\release_lava.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\release.exe
    "C:\Users\Admin\AppData\Local\Temp\release.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3408
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:932
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2804
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3104
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3124
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1912
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:216
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3600
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2636
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4956
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:1400
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1136
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3924
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:1844
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1424
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      PID:5940
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5892
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5980
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:6060
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:6096
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:640
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4048

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1420

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2536

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3220

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4016

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:3808

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4872

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:496
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5592
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5704
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5584
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5656
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5840
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5904
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5952
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6040
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6032
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6012
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6056
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6092
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6068
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:6108
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
175KB

MD5
df96a0997b631e96c050382b96804ebb

SHA1
9d3b7dfd52eb72bf1c124f0cf1574dc0ba174d90

SHA256
4408d454808a4e3ca0361423f310c3e6b4754c2d0c2be4973d39dea722409430

SHA512
6954f887f1a0d8224503c9585274aef3bf510b41f8f133a4dfc133e147c4a65a819b4fd35e3d78d8ac70397679fa6299bf441d9a9016ab6ac29b837887ce41cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkyxxp1n.bw1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\release.exe

Filesize
5.3MB

MD5
f0c677d565a3299f693a68cdea0a4998

SHA1
4cd1ee7321e4c64bad5cabb01a7d56efccd4e058

SHA256
be9a43dffd8fa5ca2e10ef5493cbb1c647d8fefa829866f00c99162c45ccf456

SHA512
87986f5a4a2342cbf147c665e3f625ed44ea8e775fb770e2801fbdbac0d0b4817bfb08fdb76fdcb62724b7ab915673cb8f795c803a7525dfea3689b2c134337d

Download Submit
C:\Users\Admin\AppData\Local\c606181751ba3b9ecb9da200f97a30e0\Admin@YCLEXTAL_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\c606181751ba3b9ecb9da200f97a30e0\Admin@YCLEXTAL_en-US\System\Process.txt

Filesize
4KB

MD5
c6236f0fafc4ee37095d915e5c1dcaba

SHA1
24b4de7adcd69cf92ab362e105c5ea5833389a5e

SHA256
d491fad546cfb3657d651dd3be063dac9493f445178662f951db244481ebc85c

SHA512
7d7ad432478709f0b819d13bbfd616b1733c2b4cf996e2260cd3b50cfb97279e2825cfcb526696b106ea0c249de99659d5bce0b091e6388ac9a022f6f3ba9aaa

Download Submit
C:\Users\Admin\AppData\Local\f420fa05195407b1369cddac6e2198c0\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/64-78-0x00007FFA65A10000-0x00007FFA65A20000-memory.dmp

Filesize
64KB

Download
memory/64-77-0x000001B1D48B0000-0x000001B1D48DB000-memory.dmp

Filesize
172KB

Download
memory/632-67-0x000001F172A40000-0x000001F172A6B000-memory.dmp

Filesize
172KB

Download
memory/632-68-0x00007FFA65A10000-0x00007FFA65A20000-memory.dmp

Filesize
64KB

Download
memory/632-65-0x000001F172A10000-0x000001F172A34000-memory.dmp

Filesize
144KB

Download
memory/688-69-0x000001D8CCAB0000-0x000001D8CCADB000-memory.dmp

Filesize
172KB

Download
memory/688-71-0x00007FFA65A10000-0x00007FFA65A20000-memory.dmp

Filesize
64KB

Download
memory/1532-368-0x0000023EFA630000-0x0000023EFA6E5000-memory.dmp

Filesize
724KB

Download
memory/1532-367-0x0000023EFA610000-0x0000023EFA62C000-memory.dmp

Filesize
112KB

Download
memory/1532-375-0x0000023EFA840000-0x0000023EFA848000-memory.dmp

Filesize
32KB

Download
memory/1532-376-0x0000023EFA870000-0x0000023EFA876000-memory.dmp

Filesize
24KB

Download
memory/1532-377-0x0000023EFA880000-0x0000023EFA88A000-memory.dmp

Filesize
40KB

Download
memory/1532-374-0x0000023EFA890000-0x0000023EFA8AA000-memory.dmp

Filesize
104KB

Download
memory/1532-372-0x0000023EFA830000-0x0000023EFA83A000-memory.dmp

Filesize
40KB

Download
memory/1532-370-0x0000023EFA850000-0x0000023EFA86C000-memory.dmp

Filesize
112KB

Download
memory/1532-369-0x0000023EFA600000-0x0000023EFA60A000-memory.dmp

Filesize
40KB

Download
memory/4880-744-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/4880-801-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4880-772-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

Filesize
72KB

Download
memory/4880-759-0x0000000005A70000-0x0000000005A7A000-memory.dmp

Filesize
40KB

Download
memory/4880-24-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4880-766-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/4880-22-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/4880-745-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/4880-406-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/4880-23-0x0000000000430000-0x0000000000462000-memory.dmp

Filesize
200KB

Download
memory/4904-26-0x000001E137270000-0x000001E137292000-memory.dmp

Filesize
136KB

Download
memory/4904-40-0x00007FFA86280000-0x00007FFA86D41000-memory.dmp

Filesize
10.8MB

Download
memory/4904-37-0x00007FFA86280000-0x00007FFA86D41000-memory.dmp

Filesize
10.8MB

Download
memory/4904-36-0x00007FFA86280000-0x00007FFA86D41000-memory.dmp

Filesize
10.8MB

Download
memory/4904-25-0x00007FFA86283000-0x00007FFA86285000-memory.dmp

Filesize
8KB

Download
memory/4956-48-0x00007FFAA5990000-0x00007FFAA5B85000-memory.dmp

Filesize
2.0MB

Download
memory/4956-45-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4956-42-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4956-44-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4956-43-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4956-62-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4956-47-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4956-49-0x00007FFAA4C00000-0x00007FFAA4CBE000-memory.dmp

Filesize
760KB

Download