asyncrat | edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e

Analysis

max time kernel
108s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe
Size

2.6MB
MD5

e8285f01dff90fca4b37d4df7da03c4b
SHA1

fb19156b1aab033ed8b5212821a8b039a2c363d9
SHA256

edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e
SHA512

f39a69d1c546adb1ba1b744d02bc6407e36c51396d825c03957b584ac22ce1a0b21846a9181e57cb186d34d40cb32bed2662e0bf2caca1bd99f74ee457154a0d
SSDEEP

49152:862EA6E97H+leX14OKwpGpKqYygbN3+3+C+m32sBHEAdpvQKQKd719O03WMl:862nJIO14OKT12Out22sBHXIKQe7e0x

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4024-638-0x0000000001140000-0x000000000138C000-memory.dmp	family_stormkitty
behavioral2/memory/2328-653-0x0000000001400000-0x000000000164C000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Tracks.pif

description pid process target process

PID 2680 created 3452 2680 Tracks.pif Explorer.EXE
PID 2680 created 3452 2680 Tracks.pif Explorer.EXE

description	pid	process	target process
PID 2680 created 3452	2680	Tracks.pif	Explorer.EXE
PID 2680 created 3452	2680	Tracks.pif	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

Tracks.pifwinservices.exewinservices.exe

pid process

2680 Tracks.pif
924 winservices.exe
1052 winservices.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4492 tasklist.exe
4924 tasklist.exe

pid	process
4492	tasklist.exe
4924	tasklist.exe

Drops file in Windows directory 4 IoCs

Processes:

edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe

description	ioc	process
File opened for modification	C:\Windows\WizardHighlighted	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe
File opened for modification	C:\Windows\BarryInk	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe
File opened for modification	C:\Windows\SrReduction	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe
File opened for modification	C:\Windows\LunchLeaf	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSBuild.execmd.execmd.execmd.exetasklist.exefindstr.exefindstr.exeTracks.pifwinservices.execmd.execmd.exeedc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.execmd.execmd.execmd.exeschtasks.exeschtasks.exetimeout.execmd.exeschtasks.exewinservices.exeMSBuild.exefindstr.exetasklist.exechoice.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tracks.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winservices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winservices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exe

pid process

4324 cmd.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

892 timeout.exe
3496 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2040 schtasks.exe
4328 schtasks.exe
460 schtasks.exe

pid	process
4324	cmd.exe

pid	process
892	timeout.exe
3496	timeout.exe

pid	process
2040	schtasks.exe
4328	schtasks.exe
460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Tracks.pifMSBuild.exeMSBuild.exe

pid	process
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
4024	MSBuild.exe
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2680	Tracks.pif
2328	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tasklist.exetasklist.exeMSBuild.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4492	tasklist.exe
Token: SeDebugPrivilege	4924	tasklist.exe
Token: SeDebugPrivilege	4024	MSBuild.exe
Token: SeDebugPrivilege	2328	MSBuild.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Tracks.pif

pid process

2680 Tracks.pif
2680 Tracks.pif
2680 Tracks.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Tracks.pif

pid process

2680 Tracks.pif
2680 Tracks.pif
2680 Tracks.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.execmd.exeTracks.pifcmd.exeMSBuild.execmd.execmd.exe

description	pid	process	target process
PID 3672 wrote to memory of 1076	3672	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe	cmd.exe
PID 3672 wrote to memory of 1076	3672	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe	cmd.exe
PID 3672 wrote to memory of 1076	3672	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe	cmd.exe
PID 1076 wrote to memory of 4492	1076	cmd.exe	tasklist.exe
PID 1076 wrote to memory of 4492	1076	cmd.exe	tasklist.exe
PID 1076 wrote to memory of 4492	1076	cmd.exe	tasklist.exe
PID 1076 wrote to memory of 1580	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 1580	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 1580	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 4924	1076	cmd.exe	tasklist.exe
PID 1076 wrote to memory of 4924	1076	cmd.exe	tasklist.exe
PID 1076 wrote to memory of 4924	1076	cmd.exe	tasklist.exe
PID 1076 wrote to memory of 1468	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 1468	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 1468	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 1452	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 1452	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 1452	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 1432	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 1432	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 1432	1076	cmd.exe	findstr.exe
PID 1076 wrote to memory of 4324	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 4324	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 4324	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 2680	1076	cmd.exe	Tracks.pif
PID 1076 wrote to memory of 2680	1076	cmd.exe	Tracks.pif
PID 1076 wrote to memory of 2680	1076	cmd.exe	Tracks.pif
PID 1076 wrote to memory of 3936	1076	cmd.exe	choice.exe
PID 1076 wrote to memory of 3936	1076	cmd.exe	choice.exe
PID 1076 wrote to memory of 3936	1076	cmd.exe	choice.exe
PID 2680 wrote to memory of 880	2680	Tracks.pif	cmd.exe
PID 2680 wrote to memory of 880	2680	Tracks.pif	cmd.exe
PID 2680 wrote to memory of 880	2680	Tracks.pif	cmd.exe
PID 2680 wrote to memory of 2280	2680	Tracks.pif	cmd.exe
PID 2680 wrote to memory of 2280	2680	Tracks.pif	cmd.exe
PID 2680 wrote to memory of 2280	2680	Tracks.pif	cmd.exe
PID 880 wrote to memory of 2040	880	cmd.exe	schtasks.exe
PID 880 wrote to memory of 2040	880	cmd.exe	schtasks.exe
PID 880 wrote to memory of 2040	880	cmd.exe	schtasks.exe
PID 2680 wrote to memory of 4024	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 4024	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 4024	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 4024	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 4024	2680	Tracks.pif	MSBuild.exe
PID 4024 wrote to memory of 2436	4024	MSBuild.exe	cmd.exe
PID 4024 wrote to memory of 2436	4024	MSBuild.exe	cmd.exe
PID 4024 wrote to memory of 2436	4024	MSBuild.exe	cmd.exe
PID 4024 wrote to memory of 3732	4024	MSBuild.exe	cmd.exe
PID 4024 wrote to memory of 3732	4024	MSBuild.exe	cmd.exe
PID 4024 wrote to memory of 3732	4024	MSBuild.exe	cmd.exe
PID 3732 wrote to memory of 892	3732	cmd.exe	timeout.exe
PID 3732 wrote to memory of 892	3732	cmd.exe	timeout.exe
PID 3732 wrote to memory of 892	3732	cmd.exe	timeout.exe
PID 2436 wrote to memory of 4328	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 4328	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 4328	2436	cmd.exe	schtasks.exe
PID 3732 wrote to memory of 924	3732	cmd.exe	winservices.exe
PID 3732 wrote to memory of 924	3732	cmd.exe	winservices.exe
PID 3732 wrote to memory of 924	3732	cmd.exe	winservices.exe
PID 2680 wrote to memory of 2328	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 2328	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 2328	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 2328	2680	Tracks.pif	MSBuild.exe
PID 2680 wrote to memory of 2328	2680	Tracks.pif	MSBuild.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe
  "C:\Users\Admin\AppData\Local\Temp\edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1580
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4924
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 186040
      4⤵
      System Location Discovery: System Language Discovery
      PID:1452
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "toolkitczechhappenwestminster" Texture
      4⤵
      System Location Discovery: System Language Discovery
      PID:1432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Junk + ..\Screenshot + ..\Colombia + ..\Escorts + ..\Waiver + ..\Aboriginal + ..\Wherever + ..\Higher + ..\Amazon + ..\Releases + ..\Dame + ..\Economic + ..\Innovations + ..\Sampling + ..\Nuke + ..\Fellowship + ..\Brain + ..\Eat + ..\Shopping + ..\Constitution + ..\Planes + ..\Railroad + ..\Enhancing + ..\Locator + ..\Occasion + ..\Pay + ..\Cinema L
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\186040\Tracks.pif
      Tracks.pif L
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\Admin\AppData\Roaming\winservices.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\Admin\AppData\Roaming\winservices.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp33AD.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\winservices.exe
        
        "C:\Users\Admin\AppData\Roaming\winservices.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\Admin\AppData\Roaming\winservices.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\Admin\AppData\Roaming\winservices.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3733.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\winservices.exe
        
        "C:\Users\Admin\AppData\Roaming\winservices.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\EchoArtisan Technologies\EchoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
942B

MD5
08fd55ab7b211d3fba9ba080bb93fc07

SHA1
3519a855c1d90857159c68422848785d68a89591

SHA256
eb1d1fa6b376f369681435d4e310dc2e6e832877a6e2880640727f9390559614

SHA512
61c362ac9ac9809532be0383eb239e06290b1387bc6e49e0ab0045bd7e4b904032f8def000d4b1e4800b6387c193f4ab78f8c507138030490014104cecb726d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winservices.exe.log

Filesize
841B

MD5
0efd0cfcc86075d96e951890baf0fa87

SHA1
6e98c66d43aa3f01b2395048e754d69b7386b511

SHA256
ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7

SHA512
4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\186040\L

Filesize
2.0MB

MD5
b9586122bdf0187cf4764ab1094d86b6

SHA1
14d3cdd0350ded70287f5231194bac85f90f0941

SHA256
e87ac417d2ef91b903903033c9aeff31df705c977c14485d6453f6a094a01375

SHA512
98f274907f71e9a7358ae53a367ce9c59b73b102ae434c5d3afbf9a48a60d52b48136bb1f8a7e5f1e0ce74f68ac9e1d527a1cf6cebe2dc973570cac1acf272e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\186040\Tracks.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aboriginal

Filesize
77KB

MD5
7ab5890b2c3d1005c28c835cb3028e24

SHA1
192566f40c73bf626827202702498c26c5edfcda

SHA256
a749362cd7db4197b678abb7966888748f560d62ba4cc1de6423c5bc7c006794

SHA512
5f1993bb56e75752946557abeb07d6f4e02cd508facd4dafa9e1bedcbdf4807635d55e87fe2889b913c42c38d51b223ef7b8ea118f91633c307521f38bb17569

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amazon

Filesize
98KB

MD5
eb647ff6dc919549935f3cbe209dabb6

SHA1
d06a5e76c060b18ffa920e871b609464457772e6

SHA256
8d74444489acb94aa0ce525f04b3a8dc6af5748afc9fca0b9a70102b86950036

SHA512
3493ad2670b0f698de3258a885e14fb04b3d651232a85f561de683ac5283ae42d6801110447623779942d4b5fbfa4d058403d50ce5caa7460f321f2b915294c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brain

Filesize
93KB

MD5
2d9e36c8c1b9f4c37d96fd5ed70c30cd

SHA1
62fc604b58e51fbe1b7cf5185779ab645c5ae73c

SHA256
f53808fb75ca0103b87a4ad30e493ecf6504744e52a92a55b255a0d5b648f1c8

SHA512
2487ec445644a03cfd51f292d7bdd3635c82563042e1583a68a8440a6fbc09342f052abddefefff9112839b54c07c3342eefc4c980e621e2f970a3e0b09d2ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cinema

Filesize
18KB

MD5
5fff72d3b82f077572e01ef4beb21888

SHA1
fa14a33f0b04b9126e29431fad8c4494acc145ea

SHA256
49ab2cf269c14e143486c63e1c92731e856ff14dd1f64349bbe8dbf6c7e3bc96

SHA512
dc94a9988a850170d2c860a018734b801821c193f3e1b87dc33d3f30013e462298318b701a763b686bf83cadf65a5f372871557b48d9d17d946dc9dceaa4fe50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Colombia

Filesize
88KB

MD5
6515719027cc1f2ed807ed0a3f3f8c0c

SHA1
3c962d8600b593d3f9b8058e978ddb76a251e176

SHA256
1dfa978e54ccdaed1552afa966477d98110b5fb1926cfed050ca2513528beae3

SHA512
9d7db5fbc727fef6520017934b0a9bff79ad8b32e4e97af1653a7d1f25bdd6ca670ff985393feda35d01c5b097ca607b33983622389600b48b3aad3eff7cc97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Constitution

Filesize
65KB

MD5
de8e529c939f257f5fb44f918df40a27

SHA1
99a214cb643fbce8e2fa066620f71a92a2b6a48c

SHA256
f12de7f6c53ea7304e2110113063e930c22d991e386fc8dc5d7218ba7e922de9

SHA512
87de0edeb63963f9332174555f3edd499c6d47118682be6dc27aa7cc84b94dbd833992bb2ff7beda0d5e59f2d3feffc21b79cd92c83d15fbb52faed6571fecaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dame

Filesize
64KB

MD5
b60a210a563020f6b385e5d9d2a5d48a

SHA1
12c5ff09e31223125cf07d7e07493675f37abb77

SHA256
804d9cba05bde7fadb13557d754c0b4a94f1304796d7f1184d6b2945d5468428

SHA512
eed1b684a95144badd207c32ce06993f7063b16ba4fb68d3d2d70567938f408cfa143ae3d09440986064bc060a80c32331f86cd300b6be83648c6f97071a94b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eat

Filesize
99KB

MD5
566b1c377acc552cd1dfccac12b76864

SHA1
be3c712fb4fab2f8e1e2c8501e3f98a4b0c9eba8

SHA256
52535fd7b193b6af02ec9bab6a9b1ba4c732dce8b7752df63fc5e843bd6d42ca

SHA512
684fdfe65c74c6d874bd8100a862183c68ccea76aff99f0c14aaf6b0689661fe35570411f4325db60f3234221cb51df58290baef1a6708d48c3069c34ccf8d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Economic

Filesize
73KB

MD5
5f7388b9727596fb03ae3d82e7f7d896

SHA1
bf516f10cd9e29e8820ac1e3a52649842b2dbd9a

SHA256
e5f2629af661686dfd66803c2e56e150edd1058fb0d56042bd19c989f45bc4b4

SHA512
cb5cf2c053a7f712e165d184d57bf9c5495a9b99ab8354083966027ee155fd210596cb2378a906836a23f03131a58f04119dcf96a0c14a2fe25f2debe5d8508f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enhancing

Filesize
99KB

MD5
2b92b119cce7513b80c8f0851c286638

SHA1
ea7dad1f6590119d5b07d4d76c61e111b8921dfe

SHA256
4d8187a53d6fc2b4eb6d5c78f30980b953cf11e91279b1c5ac09d780142a9970

SHA512
dc2d1b0ea28986c38afe09048412d21c990e557054f700eddc9c642a0f7cc6d1d9052dec554b3e8240c61d1071d2deeb5ef69872926b4e237fc0093fe3fed615

Download Submit
C:\Users\Admin\AppData\Local\Temp\Escorts

Filesize
77KB

MD5
86dd0753017bc54ea11771b82d9680cb

SHA1
cbce300dcf51b8c242bd97d1a8b2f24719199283

SHA256
10d58246c582fef665f213d47a85974e1d7e75ecfcddf20c421abc26d1f50afc

SHA512
342e72340298145a54481bf2439872153cd684d0e6bfc4a4757bc157721975435b60dee616181696953796216cf6dc64db29b0e885b5670e7b2e4fdf1afbd63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fellowship

Filesize
51KB

MD5
58fb7e3f879e283acc165dca8327a325

SHA1
13ef0f2a03ca390976267bf224bc1674ddafb37d

SHA256
8d746180b3757a8bb6af017e278ed55f1fb581f65f23f51e43eef14e6f6ec17d

SHA512
b25fc894bf17d67ad62fdbc4fc0744af25a66294d687230ec8671224915372c8ea5408cd0bf057217f677f9822eb78278d39233eb131303c1ff8d3dedfb57142

Download Submit
C:\Users\Admin\AppData\Local\Temp\Higher

Filesize
72KB

MD5
3b8bf47a8cfff3aa65cc4bc82d2f1a7b

SHA1
261c1433a8e73307555ff3609c175bb0987da05e

SHA256
2fce4a26806fc82ca4102a5fd93a0ad6338fff812fbc400f087439362ed961f8

SHA512
523dcada289e640c0b418f4d8d17fd7fafadf07e01bde2d48cec9a84c137beb75e9e4fd35eb3561e84ddd675b7fbd4a20c5dac60a59ed1a24b144d6aca7598f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Innovations

Filesize
81KB

MD5
c53b54af05351be4f42da05b3def04c9

SHA1
229057f0131b55e8152bc47ffca0b3ddb43440bd

SHA256
15a82526a33ebfce05033766f6b9054a7e07a4e1e904aa89efbc8ad3925a9303

SHA512
03525b9000b6a5fad262c6e537fe50963eee2373791ae2cf173a23bf89b38c1274856fa7e4e61191b1004904855ba3cb07b51f95698d51ea81164bb3ec90135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Junk

Filesize
86KB

MD5
4854ad3bb2de6717b4604dae386e8735

SHA1
e6db96ecd91e2df6bef48c86899ad62505f20a86

SHA256
60bd9b18204947e0c57edb861fbeb37c5b187ba22a24a37a710d3767e0893806

SHA512
685b2a241769c0935d134fe4dd03683fd416998d7709bcb829c910ebb57137d390d70347b6f2127e782f06e685ef1ecbf80982bc637994d83d5cb4464ce78c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Locator

Filesize
51KB

MD5
44f957cf6dc48b8dc6172e57cc89e8e5

SHA1
9b82721d4c07a947980a00d4a9e002e42dd98201

SHA256
04a01f532ed7f16c83bab6ee3dc4a40c1ce085c6fab2c9965a52c2d1da1777c3

SHA512
68a8a187391f73948d15b892680a2499cd2747a74a9d98ec46b076d9c0897a7dd185c6e0d3330705185ec7e35b3991a3b26d30c86aeedc0e842b5d72fc38cd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nuke

Filesize
99KB

MD5
3308846aa767ed140327f884079d644a

SHA1
22815e4e79181506ddf19ef404ec70fbcda9a5f5

SHA256
6b3e1b83ee14b18eb7fde4e0804d706f1389f0cb151ba8fa2933e733773beb61

SHA512
f772e8f03bcfba93855075cbfd721c73021a88c287ed23252675124c9f43bf4a4e52c6f79e9724f3e2252570a8bf6ab0702b7a2a1d7a1855a491afb31038d8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occasion

Filesize
84KB

MD5
6c10b68bf7aba704ece3ecc96f4b95f1

SHA1
e4644e930156619f34ef24f00470c441a5140314

SHA256
b72b98e7a4c332c3bbcb75f2663057b17b8057ea32d6c4888e0586f0b9a8c83c

SHA512
bddbcc422a5c1ee403046384d1b2541f5f515bba84f751e4e0ca6fea0a50d9713f578f46dc58c361905a2cbe0fa6dad93c99fbfa9cd75124d3e4fcc3a600654f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pay

Filesize
76KB

MD5
adf6489b1a6cbaff9a5fd03fe8042d01

SHA1
e52c5ba48f8dcad3276f5de899c9c2ca9bd0c879

SHA256
682f34f554f796c0786b7c67dd3f0c27d548fe3dcb760b352ec21e75946046fa

SHA512
6e6f0299bd2ac5423d9658342a2acd5326130c98dee169b3e2e9d24e753433b23db0f0b8460523f79ac1ea6b5d8e07c5a11d8f9a4777807834bd07238e45c15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Planes

Filesize
90KB

MD5
514930ccbdda4e08827dc6abf1d35a3a

SHA1
76684e3d93de907d7163e65fff83930854a67785

SHA256
c4e653df2540f85654e9a6760a4ff2757ed2bb214109543fefa9b849a9a085a4

SHA512
69c46264825aacfbe527f6e824d087910ea6d02ab8d52eea88e163e27602983b1fc04e62a493fe0e70165126624a1b1f4f5a5d843c7403013377d0fd4f972820

Download Submit
C:\Users\Admin\AppData\Local\Temp\Railroad

Filesize
92KB

MD5
a3b72986b91a93cc80723d256a16c6ea

SHA1
b4a16a8d7e2bc7068e1e0843cd7e4e63655570e2

SHA256
7f9d45fbfa44368bd8a55dfe1b19c5530be45cb32c9b17db34861934ff240553

SHA512
65239d800a2f3658b08b5c7a515bc04d515bf204dff45aa40f36d37e1204c3369f0225ed03c3f12c71a7faf41300719a0c8b0d810aca3929ff925bbf091b2c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Releases

Filesize
63KB

MD5
7fb358f9fa61d607ccf3a80e2b30bb6e

SHA1
84ed440c1ef86d09500dd80adac09f1114dcf688

SHA256
7e136bf84e068cac90ecf239eb901421eaf2691f164db0007a7acc562354850c

SHA512
a9a59a4c317e28ecf1f4f85ea1746ed8d5d13a5711c87671af9357b6d72c07c17048a9ead185bc29eedc47c1a8133c1c6b32c83abf0ffab86b5c77067a93a09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sampling

Filesize
73KB

MD5
da8abc322b34f150ada125abeb27b760

SHA1
b04b8310121e46fc1901c0c8a815520f4066093a

SHA256
dec3eb5ec594ec5b84d41f9040d13280b43622eeb9c6ac34d294ad6c803bf7bc

SHA512
50bafb440488132ea39021c9fece1f136e19916483b43d11db197d5fa72df578deca3cac8af6dbcfc5a2fea10658579f05e818f5303f9e59b3185ca5a6268870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Screenshot

Filesize
90KB

MD5
dc541d0734dd7fd24bcadec2d98d46a4

SHA1
2cfb587db62271b41dff35a3abbb86eabc09b24e

SHA256
3ef403f831de29368bda0483804832f65500fc5c43d1b0f4b090675330589ed7

SHA512
05b0fcad905408a663071fdb27cecb301c6f09f14e4a622b77d13753c7be83ba6208e79facfbe2341b761468e81aca77aede9a97e0f5a52ddb3beeca96f5be80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shopping

Filesize
83KB

MD5
907ff27fe2f074a39d39a3289545d312

SHA1
2d63251c4b4538c2bd0005b2294d01f6a43e1955

SHA256
93f2d28948fedd87e1f4d5aa6e6301c88b138125a3f7ef0bf2023a1f2e52f0aa

SHA512
90badeb83667e072e4b583230237a1630a5cc33b1eb6374a83986faeee6cfa0c330ccc9c3895fa27a9386527019454d89002a518961c607618c6097938e63ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skirts

Filesize
911KB

MD5
d1670fa3b18dc68dfa7240100cc66286

SHA1
b293d460a085aeff86620f11a14e0bd7c8cec2cf

SHA256
a90890fb22c02d1f4cd668017cc76830d412011d2d01c48306820f870a7a9817

SHA512
de421d7b0a6cb4e3c4bc3c3c3d500c03c5fc6f2cd0e2a3ef19fbaca7921f80e629db42f1a42cb42d25e87b1b29de9052cb785d68483678da6cad70da9f2629ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swing

Filesize
27KB

MD5
49b5fe73fb3ce14cc33bb20aa2fff02b

SHA1
2e2b6517667189a46c23b407edec120b79c7626e

SHA256
79967f8cd81007ded7841643b89cdbe45f735bf8b8cf6608ee8fe166797c47b8

SHA512
03625342b90d8ba5000855b77223af587a65fec205fed5c37ff2d5fdd63c1712e44931ce2dd4261e13760873cb20eeee04987c36019b770ab8ad9c4352d624d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Texture

Filesize
10KB

MD5
d0a0cf2c907855f1064ddf91b76f21c3

SHA1
5245eb91f26d81b12b6ae5fc21f253e92f3a44d3

SHA256
3d049cc1bf849ceeced53798b4f924d4f57e77a632ede1ef539c1efee87bde64

SHA512
e3b9038726ac30ead9d7020d30c05dc325e5dad506af27c6c2cf6f3b59d51b37b8a907e4d531e1b0c9bb74dc073b6ea28a64965a4125b62c617ebdc9cdcc814a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Waiver

Filesize
60KB

MD5
b1f9d3abcf001bd1bb798315fdfe39cb

SHA1
25f1c325a42163915e17a34dc69fe36f67223fcc

SHA256
4ded02b2418a07abb23445ab56ccad835667f9f2a96d1a030f738209b0f865da

SHA512
ca88346d6cb2393240c3d2296ba5d54ef6b94dd7fdbb5c1be3a104ab0fb64542c43351664bf8ff5362e180f393a60b626551d443859051453fd6ba15c16cc217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wherever

Filesize
95KB

MD5
d09af5d18cad12006c6ac381273b407c

SHA1
95063cf75867de0bf91a37662f46bf5af236ea15

SHA256
2cda0fe6bbff9c7bf7252ec356f68881c521ed6ceeeebc9542ad87b943390d00

SHA512
9b9662af5336d531a87b9d6dac702b9f664c9dc3410424c82fc4f06bc539adc07f9a95924a4fb7904af2cd211b0e5634662218ae60f9681310aecdb395ad8648

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp33AD.tmp.bat

Filesize
155B

MD5
acdb89704d225386c5bb5edad713ec84

SHA1
fa82d7d6e7e3f6ee60e4ef3f664e89c23b8452aa

SHA256
1dbe7646bd208aa92ef74a5d94db840f82621ddedca9f685c36baeb322bd7a01

SHA512
511194bb88908818b90c853cffeea178c2541e3771e044ff25c1e0ff057aead699464a0d620206f5e71dfbc8a55dd2c98838da98a012b8c83d93011b6452a5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3733.tmp.bat

Filesize
155B

MD5
b2a7b28232278c546051c51bebf7f586

SHA1
14342413d99d43517338539a20340a0ca2227c6a

SHA256
98aaf20b6ae29b63490ea439812dddc8ffad311ff7a7da2987814e72a8d5b3fd

SHA512
f4618a7c943c10f6fca6d1cac63e3cdefd647d1f9b6137e5ce4294a505025521b66d1d358517664dbb88c639e4cc0fb1bc3058a7173a43101038b0742c160348

Download Submit
C:\Users\Admin\AppData\Roaming\DataLogs\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\winservices.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/924-649-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/924-650-0x0000000004DA0000-0x0000000004DBA000-memory.dmp

Filesize
104KB

Download
memory/924-651-0x0000000005030000-0x000000000518A000-memory.dmp

Filesize
1.4MB

Download
memory/2328-653-0x0000000001400000-0x000000000164C000-memory.dmp

Filesize
2.3MB

Download
memory/4024-639-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/4024-638-0x0000000001140000-0x000000000138C000-memory.dmp

Filesize
2.3MB

Download