asyncrat | 30ec0a2d9d0564bb7596326733902c73b69c5ab3572a84e1c077c680372f2cc3

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PK SEARCH 1.2.exe
Size

8.3MB
MD5

af1683832f44bb89893c189f94786304
SHA1

ea14d8ce6acdbc76a3612e4576831c483ffda674
SHA256

30ec0a2d9d0564bb7596326733902c73b69c5ab3572a84e1c077c680372f2cc3
SHA512

a4c375a7e68c1b92d28996916257cc3088288fec44f42b6442dfd16b70c91960d976599d02710640260dd3dd8b12c37444b3ef3584938b0caf36a61b676427ae
SSDEEP

196608:Fb8a9BzzLO6QTKsk7asm10p50wcYkOnQsG22INZBM:Fb8SBTO6iKsk7tmep50wr6wNfM

Score

10^/10

asyncrat pksearch discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

pksearch

186.26.107.205:4400

Mutex

zifbymzliwgywfwv

Attributes

delay
1
install
true
install_file
PK SEARCH.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/files/0x000b000000014fe1-5.dat	VenomRAT
behavioral1/memory/1216-7-0x0000000000ED0000-0x0000000000EE8000-memory.dmp	VenomRAT

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000014fe1-5.dat	family_asyncrat

Executes dropped EXE 59 IoCs

pid	Process
1216	PK SEARCH.exe
2480	PK SEARCH.exe
2468	PK SEARCH.exe
1320	PK SEARCH.exe
2200	PK SEARCH.exe
884	PK SEARCH.exe
2960	PK SEARCH.exe
1924	PK SEARCH.exe
1968	PK SEARCH.exe
1536	PK SEARCH.exe
2684	PK SEARCH.exe
2556	PK SEARCH.exe
388	PK SEARCH.exe
2172	PK SEARCH.exe
1188	PK SEARCH.exe
3012	PK SEARCH.exe
1064	PK SEARCH.exe
720	PK SEARCH.exe
2088	PK SEARCH.exe
1732	PK SEARCH.exe
2464	PK SEARCH.exe
2516	PK SEARCH.exe
1192	PK SEARCH.exe
2044	PK SEARCH.exe
952	PK SEARCH.exe
3012	PK SEARCH.exe
1700	PK SEARCH.exe
2208	PK SEARCH.exe
2204	PK SEARCH.exe
2828	PK SEARCH.exe
2424	PK SEARCH.exe
2100	PK SEARCH.exe
1348	PK SEARCH.exe
2136	PK SEARCH.exe
764	PK SEARCH.exe
1100	PK SEARCH.exe
2792	PK SEARCH.exe
2852	PK SEARCH.exe
1988	PK SEARCH.exe
2944	PK SEARCH.exe
1732	PK SEARCH.exe
2380	PK SEARCH.exe
1252	PK SEARCH.exe
1916	PK SEARCH.exe
2008	PK SEARCH.exe
764	PK SEARCH.exe
2112	PK SEARCH.exe
1828	PK SEARCH.exe
1624	PK SEARCH.exe
2896	PK SEARCH.exe
1184	PK SEARCH.exe
2128	PK SEARCH.exe
2660	PK SEARCH.exe
1960	PK SEARCH.exe
1516	PK SEARCH.exe
2164	PK SEARCH.exe
1772	PK SEARCH.exe
1816	PK SEARCH.exe
976	PK SEARCH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe
1216	PK SEARCH.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	PK SEARCH.exe
Token: SeDebugPrivilege	2480	PK SEARCH.exe
Token: SeDebugPrivilege	2468	PK SEARCH.exe
Token: SeDebugPrivilege	1320	PK SEARCH.exe
Token: SeDebugPrivilege	2200	PK SEARCH.exe
Token: SeDebugPrivilege	884	PK SEARCH.exe
Token: SeDebugPrivilege	2960	PK SEARCH.exe
Token: SeDebugPrivilege	1924	PK SEARCH.exe
Token: SeDebugPrivilege	1968	PK SEARCH.exe
Token: SeDebugPrivilege	1536	PK SEARCH.exe
Token: SeDebugPrivilege	2684	PK SEARCH.exe
Token: SeDebugPrivilege	2556	PK SEARCH.exe
Token: SeDebugPrivilege	388	PK SEARCH.exe
Token: SeDebugPrivilege	2172	PK SEARCH.exe
Token: SeDebugPrivilege	1188	PK SEARCH.exe
Token: SeDebugPrivilege	3012	PK SEARCH.exe
Token: SeDebugPrivilege	1064	PK SEARCH.exe
Token: SeDebugPrivilege	720	PK SEARCH.exe
Token: SeDebugPrivilege	2088	PK SEARCH.exe
Token: SeDebugPrivilege	1732	PK SEARCH.exe
Token: SeDebugPrivilege	2464	PK SEARCH.exe
Token: SeDebugPrivilege	2516	PK SEARCH.exe
Token: SeDebugPrivilege	1192	PK SEARCH.exe
Token: SeDebugPrivilege	2044	PK SEARCH.exe
Token: SeDebugPrivilege	952	PK SEARCH.exe
Token: SeDebugPrivilege	3012	PK SEARCH.exe
Token: SeDebugPrivilege	1700	PK SEARCH.exe
Token: SeDebugPrivilege	2208	PK SEARCH.exe
Token: SeDebugPrivilege	2204	PK SEARCH.exe
Token: SeDebugPrivilege	2828	PK SEARCH.exe
Token: SeDebugPrivilege	2424	PK SEARCH.exe
Token: SeDebugPrivilege	2100	PK SEARCH.exe
Token: SeDebugPrivilege	1348	PK SEARCH.exe
Token: SeDebugPrivilege	2136	PK SEARCH.exe
Token: SeDebugPrivilege	764	PK SEARCH.exe
Token: SeDebugPrivilege	1100	PK SEARCH.exe
Token: SeDebugPrivilege	2792	PK SEARCH.exe
Token: SeDebugPrivilege	2852	PK SEARCH.exe
Token: SeDebugPrivilege	1988	PK SEARCH.exe
Token: SeDebugPrivilege	2944	PK SEARCH.exe
Token: SeDebugPrivilege	1732	PK SEARCH.exe
Token: SeDebugPrivilege	2380	PK SEARCH.exe
Token: SeDebugPrivilege	1252	PK SEARCH.exe
Token: SeDebugPrivilege	1916	PK SEARCH.exe
Token: SeDebugPrivilege	2008	PK SEARCH.exe
Token: SeDebugPrivilege	764	PK SEARCH.exe
Token: SeDebugPrivilege	2112	PK SEARCH.exe
Token: SeDebugPrivilege	1828	PK SEARCH.exe
Token: SeDebugPrivilege	1624	PK SEARCH.exe
Token: SeDebugPrivilege	2896	PK SEARCH.exe
Token: SeDebugPrivilege	1184	PK SEARCH.exe
Token: SeDebugPrivilege	2128	PK SEARCH.exe
Token: SeDebugPrivilege	2660	PK SEARCH.exe
Token: SeDebugPrivilege	1960	PK SEARCH.exe
Token: SeDebugPrivilege	1516	PK SEARCH.exe
Token: SeDebugPrivilege	2164	PK SEARCH.exe
Token: SeDebugPrivilege	1772	PK SEARCH.exe
Token: SeDebugPrivilege	1816	PK SEARCH.exe
Token: SeDebugPrivilege	976	PK SEARCH.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	PK SEARCH.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1216	2804	PK SEARCH 1.2.exe	28
PID 2804 wrote to memory of 1216	2804	PK SEARCH 1.2.exe	28
PID 2804 wrote to memory of 1216	2804	PK SEARCH 1.2.exe	28
PID 2804 wrote to memory of 2680	2804	PK SEARCH 1.2.exe	29
PID 2804 wrote to memory of 2680	2804	PK SEARCH 1.2.exe	29
PID 2804 wrote to memory of 2680	2804	PK SEARCH 1.2.exe	29
PID 2680 wrote to memory of 2480	2680	PK SEARCH 1.2.exe	30
PID 2680 wrote to memory of 2480	2680	PK SEARCH 1.2.exe	30
PID 2680 wrote to memory of 2480	2680	PK SEARCH 1.2.exe	30
PID 2680 wrote to memory of 2568	2680	PK SEARCH 1.2.exe	31
PID 2680 wrote to memory of 2568	2680	PK SEARCH 1.2.exe	31
PID 2680 wrote to memory of 2568	2680	PK SEARCH 1.2.exe	31
PID 2568 wrote to memory of 2468	2568	PK SEARCH 1.2.exe	32
PID 2568 wrote to memory of 2468	2568	PK SEARCH 1.2.exe	32
PID 2568 wrote to memory of 2468	2568	PK SEARCH 1.2.exe	32
PID 2568 wrote to memory of 2332	2568	PK SEARCH 1.2.exe	33
PID 2568 wrote to memory of 2332	2568	PK SEARCH 1.2.exe	33
PID 2568 wrote to memory of 2332	2568	PK SEARCH 1.2.exe	33
PID 2332 wrote to memory of 1320	2332	PK SEARCH 1.2.exe	35
PID 2332 wrote to memory of 1320	2332	PK SEARCH 1.2.exe	35
PID 2332 wrote to memory of 1320	2332	PK SEARCH 1.2.exe	35
PID 2332 wrote to memory of 828	2332	PK SEARCH 1.2.exe	36
PID 2332 wrote to memory of 828	2332	PK SEARCH 1.2.exe	36
PID 2332 wrote to memory of 828	2332	PK SEARCH 1.2.exe	36
PID 828 wrote to memory of 2200	828	PK SEARCH 1.2.exe	37
PID 828 wrote to memory of 2200	828	PK SEARCH 1.2.exe	37
PID 828 wrote to memory of 2200	828	PK SEARCH 1.2.exe	37
PID 828 wrote to memory of 2176	828	PK SEARCH 1.2.exe	38
PID 828 wrote to memory of 2176	828	PK SEARCH 1.2.exe	38
PID 828 wrote to memory of 2176	828	PK SEARCH 1.2.exe	38
PID 2176 wrote to memory of 884	2176	PK SEARCH 1.2.exe	39
PID 2176 wrote to memory of 884	2176	PK SEARCH 1.2.exe	39
PID 2176 wrote to memory of 884	2176	PK SEARCH 1.2.exe	39
PID 2176 wrote to memory of 1756	2176	PK SEARCH 1.2.exe	40
PID 2176 wrote to memory of 1756	2176	PK SEARCH 1.2.exe	40
PID 2176 wrote to memory of 1756	2176	PK SEARCH 1.2.exe	40
PID 1756 wrote to memory of 2960	1756	PK SEARCH 1.2.exe	41
PID 1756 wrote to memory of 2960	1756	PK SEARCH 1.2.exe	41
PID 1756 wrote to memory of 2960	1756	PK SEARCH 1.2.exe	41
PID 1756 wrote to memory of 2748	1756	PK SEARCH 1.2.exe	42
PID 1756 wrote to memory of 2748	1756	PK SEARCH 1.2.exe	42
PID 1756 wrote to memory of 2748	1756	PK SEARCH 1.2.exe	42
PID 2748 wrote to memory of 1924	2748	PK SEARCH 1.2.exe	43
PID 2748 wrote to memory of 1924	2748	PK SEARCH 1.2.exe	43
PID 2748 wrote to memory of 1924	2748	PK SEARCH 1.2.exe	43
PID 2748 wrote to memory of 1988	2748	PK SEARCH 1.2.exe	44
PID 2748 wrote to memory of 1988	2748	PK SEARCH 1.2.exe	44
PID 2748 wrote to memory of 1988	2748	PK SEARCH 1.2.exe	44
PID 1988 wrote to memory of 1968	1988	PK SEARCH 1.2.exe	45
PID 1988 wrote to memory of 1968	1988	PK SEARCH 1.2.exe	45
PID 1988 wrote to memory of 1968	1988	PK SEARCH 1.2.exe	45
PID 1988 wrote to memory of 1992	1988	PK SEARCH 1.2.exe	46
PID 1988 wrote to memory of 1992	1988	PK SEARCH 1.2.exe	46
PID 1988 wrote to memory of 1992	1988	PK SEARCH 1.2.exe	46
PID 1992 wrote to memory of 1536	1992	PK SEARCH 1.2.exe	47
PID 1992 wrote to memory of 1536	1992	PK SEARCH 1.2.exe	47
PID 1992 wrote to memory of 1536	1992	PK SEARCH 1.2.exe	47
PID 1992 wrote to memory of 2736	1992	PK SEARCH 1.2.exe	48
PID 1992 wrote to memory of 2736	1992	PK SEARCH 1.2.exe	48
PID 1992 wrote to memory of 2736	1992	PK SEARCH 1.2.exe	48
PID 2736 wrote to memory of 2684	2736	PK SEARCH 1.2.exe	51
PID 2736 wrote to memory of 2684	2736	PK SEARCH 1.2.exe	51
PID 2736 wrote to memory of 2684	2736	PK SEARCH 1.2.exe	51
PID 2736 wrote to memory of 1724	2736	PK SEARCH 1.2.exe	52

C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
  "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
    "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
      "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
      "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        12⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        13⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        14⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        15⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        16⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        17⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        18⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        19⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        20⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        21⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        22⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        23⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        24⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        25⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        26⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        27⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        28⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        29⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        30⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        31⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        32⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        33⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        34⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        35⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        36⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        37⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        38⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        39⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        40⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        41⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        42⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        43⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        44⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        45⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        46⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        47⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        48⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        49⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        50⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        51⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        52⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        53⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        54⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        55⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        56⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        57⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        58⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        59⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        60⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe"
        61⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PK SEARCH 1.2.exe"
        61⤵
        
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PK SEARCH.exe

Filesize
74KB

MD5
01e77a0b330b7432c5ab92a199c9255a

SHA1
35b532360acb7d7caacb168033f598843f05dc5a

SHA256
c4ed073ef70f66ad998f88bbb06f376bd5a99ec850c9f6550f258fe295de1730

SHA512
48aecc2f00d682efa79e8d717302fa621b1bdc01cc3917ad1e30e4d28de610f5debb96e5dfdda5c517d0625daf0d69744f4108df20421ba66f4a55f27c475103

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3DC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/1216-7-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

Filesize
96KB

Download
memory/1216-11-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1216-10-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1216-99-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1216-101-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-9-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/2804-1-0x000000013F9D0000-0x0000000140228000-memory.dmp

Filesize
8.3MB

Download