zgrat | ad8e6c62980f9eecc850d8de6059824f45e6dbf9f64f835a5b5304a55ae57507

Analysis

max time kernel
156s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1d122eed1c86e40a9bbf8cb361718430.exe
Size

3.9MB
MD5

1d122eed1c86e40a9bbf8cb361718430
SHA1

7ab23a119aa8ecd06ca48690be9886a45b65a1e2
SHA256

ad8e6c62980f9eecc850d8de6059824f45e6dbf9f64f835a5b5304a55ae57507
SHA512

5e0138cb388e1806b8b2a2731c106ed015841ba71555f6beb311185dcb88362a975c8dd3f37fa0b4124c7055a314458015b43b7ebbe0f3d3cc5134a2dcd9dd78
SSDEEP

49152:IBJznTEt1lGarXyrtk2rj7Vdb0HduaVUHDUWZnC3EU4EecMPcOhym16/mZSjCJ8m:ydSzMtk2rNF3aVb4n1oocOhde8qCSvu

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022e08-10.dat	family_zgrat_v1
behavioral2/files/0x0008000000022e08-11.dat	family_zgrat_v1
behavioral2/memory/1640-12-0x0000000000930000-0x0000000000CC4000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0008000000022e16-104.dat	family_zgrat_v1
behavioral2/files/0x0008000000022e08-469.dat	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3796	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	3796	schtasks.exe	91

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	NEAS.1d122eed1c86e40a9bbf8cb361718430.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	chainserverBrokerdll.exe

Executes dropped EXE 2 IoCs

pid	Process
1640	chainserverBrokerdll.exe
5716	chainserverBrokerdll.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\ja-JP\StartMenuExperienceHost.exe	chainserverBrokerdll.exe
File created	C:\Program Files\Windows Defender\ja-JP\55b276f4edf653	chainserverBrokerdll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe	chainserverBrokerdll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\9e8d7a4ca61bd9	chainserverBrokerdll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Performance\Registry.exe	chainserverBrokerdll.exe
File created	C:\Windows\Performance\ee2ad38f3d4382	chainserverBrokerdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4752	schtasks.exe
4884	schtasks.exe
4380	schtasks.exe
4164	schtasks.exe
2604	schtasks.exe
4580	schtasks.exe
1164	schtasks.exe
2336	schtasks.exe
4316	schtasks.exe
1496	schtasks.exe
3320	schtasks.exe
4564	schtasks.exe
2668	schtasks.exe
2816	schtasks.exe
4224	schtasks.exe
4536	schtasks.exe
4436	schtasks.exe
4804	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000_Classes\Local Settings	NEAS.1d122eed1c86e40a9bbf8cb361718430.exe
Key created	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000_Classes\Local Settings	chainserverBrokerdll.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5680	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe
1640	chainserverBrokerdll.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	chainserverBrokerdll.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	5716	chainserverBrokerdll.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 392	3912	NEAS.1d122eed1c86e40a9bbf8cb361718430.exe	86
PID 3912 wrote to memory of 392	3912	NEAS.1d122eed1c86e40a9bbf8cb361718430.exe	86
PID 3912 wrote to memory of 392	3912	NEAS.1d122eed1c86e40a9bbf8cb361718430.exe	86
PID 392 wrote to memory of 3536	392	WScript.exe	87
PID 392 wrote to memory of 3536	392	WScript.exe	87
PID 392 wrote to memory of 3536	392	WScript.exe	87
PID 3536 wrote to memory of 1640	3536	cmd.exe	89
PID 3536 wrote to memory of 1640	3536	cmd.exe	89
PID 1640 wrote to memory of 4676	1640	chainserverBrokerdll.exe	148
PID 1640 wrote to memory of 4676	1640	chainserverBrokerdll.exe	148
PID 1640 wrote to memory of 3092	1640	chainserverBrokerdll.exe	130
PID 1640 wrote to memory of 3092	1640	chainserverBrokerdll.exe	130
PID 1640 wrote to memory of 4244	1640	chainserverBrokerdll.exe	129
PID 1640 wrote to memory of 4244	1640	chainserverBrokerdll.exe	129
PID 1640 wrote to memory of 4252	1640	chainserverBrokerdll.exe	111
PID 1640 wrote to memory of 4252	1640	chainserverBrokerdll.exe	111
PID 1640 wrote to memory of 4220	1640	chainserverBrokerdll.exe	127
PID 1640 wrote to memory of 4220	1640	chainserverBrokerdll.exe	127
PID 1640 wrote to memory of 5076	1640	chainserverBrokerdll.exe	126
PID 1640 wrote to memory of 5076	1640	chainserverBrokerdll.exe	126
PID 1640 wrote to memory of 3696	1640	chainserverBrokerdll.exe	112
PID 1640 wrote to memory of 3696	1640	chainserverBrokerdll.exe	112
PID 1640 wrote to memory of 4908	1640	chainserverBrokerdll.exe	124
PID 1640 wrote to memory of 4908	1640	chainserverBrokerdll.exe	124
PID 1640 wrote to memory of 1568	1640	chainserverBrokerdll.exe	123
PID 1640 wrote to memory of 1568	1640	chainserverBrokerdll.exe	123
PID 1640 wrote to memory of 2684	1640	chainserverBrokerdll.exe	122
PID 1640 wrote to memory of 2684	1640	chainserverBrokerdll.exe	122
PID 1640 wrote to memory of 4632	1640	chainserverBrokerdll.exe	116
PID 1640 wrote to memory of 4632	1640	chainserverBrokerdll.exe	116
PID 1640 wrote to memory of 4196	1640	chainserverBrokerdll.exe	117
PID 1640 wrote to memory of 4196	1640	chainserverBrokerdll.exe	117
PID 1640 wrote to memory of 2036	1640	chainserverBrokerdll.exe	146
PID 1640 wrote to memory of 2036	1640	chainserverBrokerdll.exe	146
PID 1640 wrote to memory of 3932	1640	chainserverBrokerdll.exe	145
PID 1640 wrote to memory of 3932	1640	chainserverBrokerdll.exe	145
PID 1640 wrote to memory of 4468	1640	chainserverBrokerdll.exe	144
PID 1640 wrote to memory of 4468	1640	chainserverBrokerdll.exe	144
PID 1640 wrote to memory of 4184	1640	chainserverBrokerdll.exe	143
PID 1640 wrote to memory of 4184	1640	chainserverBrokerdll.exe	143
PID 1640 wrote to memory of 3012	1640	chainserverBrokerdll.exe	142
PID 1640 wrote to memory of 3012	1640	chainserverBrokerdll.exe	142
PID 1640 wrote to memory of 1144	1640	chainserverBrokerdll.exe	141
PID 1640 wrote to memory of 1144	1640	chainserverBrokerdll.exe	141
PID 1640 wrote to memory of 1008	1640	chainserverBrokerdll.exe	140
PID 1640 wrote to memory of 1008	1640	chainserverBrokerdll.exe	140
PID 1640 wrote to memory of 3440	1640	chainserverBrokerdll.exe	149
PID 1640 wrote to memory of 3440	1640	chainserverBrokerdll.exe	149
PID 3440 wrote to memory of 4940	3440	cmd.exe	151
PID 3440 wrote to memory of 4940	3440	cmd.exe	151
PID 3440 wrote to memory of 5680	3440	cmd.exe	152
PID 3440 wrote to memory of 5680	3440	cmd.exe	152
PID 3440 wrote to memory of 5716	3440	cmd.exe	153
PID 3440 wrote to memory of 5716	3440	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.1d122eed1c86e40a9bbf8cb361718430.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1d122eed1c86e40a9bbf8cb361718430.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\SavesHostcrt\MgzSGmOB4QZD1TY2B2q6i.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\SavesHostcrt\sqX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\SavesHostcrt\chainserverBrokerdll.exe
      "C:\SavesHostcrt/chainserverBrokerdll.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/SavesHostcrt/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHostcrt\chainserverBrokerdll.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\chainserverBrokerdll.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\StartMenuExperienceHost.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\Registry.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHostcrt\RuntimeBroker.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kLMMweZQv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4940
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:5680
      - C:\SavesHostcrt\chainserverBrokerdll.exe
        
        "C:\SavesHostcrt\chainserverBrokerdll.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\SavesHostcrt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\SavesHostcrt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\SavesHostcrt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainserverBrokerdllc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\chainserverBrokerdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainserverBrokerdll" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\chainserverBrokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainserverBrokerdllc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\chainserverBrokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainserverBrokerdllc" /sc MINUTE /mo 14 /tr "'C:\SavesHostcrt\chainserverBrokerdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainserverBrokerdll" /sc ONLOGON /tr "'C:\SavesHostcrt\chainserverBrokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainserverBrokerdllc" /sc MINUTE /mo 8 /tr "'C:\SavesHostcrt\chainserverBrokerdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\ja-JP\StartMenuExperienceHost.exe

Filesize
3.6MB

MD5
a01672e4a0c647b5ee8e5fcde6fd3ac7

SHA1
812a47445ea6d270b813b16a4b63530b8e6a4bb8

SHA256
a52d7bce4c7e0e65f0f090fb09ef8fbf3fb77de4dbedf8856c7028581937076e

SHA512
441e3c407322dc7506aa9d181d9c5a9d019c218917b206b1d0b7cfdeb0cc1e899985382ea077ed5d8d88c2a61c38e10685a2d1fa8e48760a4ed3d6c3d34225e5

Download Submit
C:\SavesHostcrt\MgzSGmOB4QZD1TY2B2q6i.vbe

Filesize
193B

MD5
224d77a1394437bfe02bdd18ed489a34

SHA1
d7484e7e7e683f218c6f4a7a6ecee8451540e7c5

SHA256
eaae4a9e251d733e5049179a197870e35bf193cbcee937cd6ea1093496d22eaa

SHA512
a4073d6401e08b27b6b6b4e170e8651e58a781e0566aa6ce9c6553a7fcd5787046ade550406e35f7f619cda2d1aa8bcec57617c0c81abf19f3bb579dbc169f83

Download Submit
C:\SavesHostcrt\chainserverBrokerdll.exe

Filesize
3.6MB

MD5
a01672e4a0c647b5ee8e5fcde6fd3ac7

SHA1
812a47445ea6d270b813b16a4b63530b8e6a4bb8

SHA256
a52d7bce4c7e0e65f0f090fb09ef8fbf3fb77de4dbedf8856c7028581937076e

SHA512
441e3c407322dc7506aa9d181d9c5a9d019c218917b206b1d0b7cfdeb0cc1e899985382ea077ed5d8d88c2a61c38e10685a2d1fa8e48760a4ed3d6c3d34225e5

Download Submit
C:\SavesHostcrt\chainserverBrokerdll.exe

Filesize
3.6MB

MD5
a01672e4a0c647b5ee8e5fcde6fd3ac7

SHA1
812a47445ea6d270b813b16a4b63530b8e6a4bb8

SHA256
a52d7bce4c7e0e65f0f090fb09ef8fbf3fb77de4dbedf8856c7028581937076e

SHA512
441e3c407322dc7506aa9d181d9c5a9d019c218917b206b1d0b7cfdeb0cc1e899985382ea077ed5d8d88c2a61c38e10685a2d1fa8e48760a4ed3d6c3d34225e5

Download Submit
C:\SavesHostcrt\chainserverBrokerdll.exe

Filesize
3.6MB

MD5
a01672e4a0c647b5ee8e5fcde6fd3ac7

SHA1
812a47445ea6d270b813b16a4b63530b8e6a4bb8

SHA256
a52d7bce4c7e0e65f0f090fb09ef8fbf3fb77de4dbedf8856c7028581937076e

SHA512
441e3c407322dc7506aa9d181d9c5a9d019c218917b206b1d0b7cfdeb0cc1e899985382ea077ed5d8d88c2a61c38e10685a2d1fa8e48760a4ed3d6c3d34225e5

Download Submit
C:\SavesHostcrt\sqX.bat

Filesize
88B

MD5
c71dc7e35c86d2785f26cf9efe3c6a5c

SHA1
a91d798e8ab1e17ccf557be2a8b1061b6fe436d3

SHA256
73db3b6f708d16e29fe186010e47c64dd277a79757308d7bcd5909256db1870e

SHA512
5d70a5779969f546daa6693a63f377555e7629a7394e3e05c98d10e11ffe65910a0014d5e408dabdfb24a812b4f0548f1d5c1e06c38b330020be8979e268aa28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainserverBrokerdll.exe.log

Filesize
1KB

MD5
07309bd8d88aa32cac50b856dcde7ea4

SHA1
ff36ee74f17d7af6f2a59e4d868970b65d1181e2

SHA256
b9e8a168e9c52fef84060a8a9d03406e694b7b83fe5aacca905cc3f0bcf4b023

SHA512
3f0fa70207546a0150dad3bd4e817191561b2a97fcbb73db0bed9a6bb9462b10495c0aae11643d788b655893523c862f2c4a71f22ff611b2dfb4fe54a594bdc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kLMMweZQv.bat

Filesize
168B

MD5
13ebca0269deb6373347796b4fd5dc1e

SHA1
6dffcd8956a898ae6c154c6fcf529fefc1e5889b

SHA256
29305c7577120946bac050e65ab6a0aaf35646722014aeaee8565fbb9b237bc1

SHA512
be989f18a390df70161b9f9eab0586f3c3831194fed421888b768df78272bb5bd00d1c945921b604fad501eaaa59684536bcc346dc262106d3a16ff5991af4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xaduyxe0.2yp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1640-37-0x0000000002DF0000-0x0000000002DFE000-memory.dmp

Filesize
56KB

Download
memory/1640-89-0x00007FF917110000-0x00007FF917111000-memory.dmp

Filesize
4KB

Download
memory/1640-47-0x00007FF9172A0000-0x00007FF91735E000-memory.dmp

Filesize
760KB

Download
memory/1640-48-0x00007FF917210000-0x00007FF917211000-memory.dmp

Filesize
4KB

Download
memory/1640-46-0x000000001BA50000-0x000000001BA5E000-memory.dmp

Filesize
56KB

Download
memory/1640-49-0x00007FF917200000-0x00007FF917201000-memory.dmp

Filesize
4KB

Download
memory/1640-51-0x000000001BDC0000-0x000000001BDD2000-memory.dmp

Filesize
72KB

Download
memory/1640-53-0x000000001BDA0000-0x000000001BDAC000-memory.dmp

Filesize
48KB

Download
memory/1640-54-0x00007FF9172A0000-0x00007FF91735E000-memory.dmp

Filesize
760KB

Download
memory/1640-55-0x00007FF9171F0000-0x00007FF9171F1000-memory.dmp

Filesize
4KB

Download
memory/1640-56-0x00007FF9172A0000-0x00007FF91735E000-memory.dmp

Filesize
760KB

Download
memory/1640-59-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

Filesize
64KB

Download
memory/1640-57-0x00007FF9171E0000-0x00007FF9171E1000-memory.dmp

Filesize
4KB

Download
memory/1640-62-0x000000001BE60000-0x000000001BE76000-memory.dmp

Filesize
88KB

Download
memory/1640-60-0x00007FF9171D0000-0x00007FF9171D1000-memory.dmp

Filesize
4KB

Download
memory/1640-63-0x00007FF9171C0000-0x00007FF9171C1000-memory.dmp

Filesize
4KB

Download
memory/1640-65-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download
memory/1640-66-0x000000001C3D0000-0x000000001C8F8000-memory.dmp

Filesize
5.2MB

Download
memory/1640-69-0x000000001BDE0000-0x000000001BDEE000-memory.dmp

Filesize
56KB

Download
memory/1640-67-0x00007FF917180000-0x00007FF917181000-memory.dmp

Filesize
4KB

Download
memory/1640-70-0x00007FF917170000-0x00007FF917171000-memory.dmp

Filesize
4KB

Download
memory/1640-72-0x000000001BE40000-0x000000001BE4C000-memory.dmp

Filesize
48KB

Download
memory/1640-73-0x00007FF917160000-0x00007FF917161000-memory.dmp

Filesize
4KB

Download
memory/1640-75-0x000000001BE50000-0x000000001BE60000-memory.dmp

Filesize
64KB

Download
memory/1640-77-0x00007FF917150000-0x00007FF917151000-memory.dmp

Filesize
4KB

Download
memory/1640-76-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1640-79-0x000000001BEA0000-0x000000001BEB0000-memory.dmp

Filesize
64KB

Download
memory/1640-80-0x00007FF917140000-0x00007FF917141000-memory.dmp

Filesize
4KB

Download
memory/1640-82-0x000000001BF10000-0x000000001BF6A000-memory.dmp

Filesize
360KB

Download
memory/1640-83-0x00007FF917130000-0x00007FF917131000-memory.dmp

Filesize
4KB

Download
memory/1640-85-0x000000001BEB0000-0x000000001BEBE000-memory.dmp

Filesize
56KB

Download
memory/1640-86-0x00007FF917120000-0x00007FF917121000-memory.dmp

Filesize
4KB

Download
memory/1640-88-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/1640-44-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download
memory/1640-91-0x000000001BED0000-0x000000001BEDE000-memory.dmp

Filesize
56KB

Download
memory/1640-92-0x00007FF917100000-0x00007FF917101000-memory.dmp

Filesize
4KB

Download
memory/1640-94-0x000000001C170000-0x000000001C188000-memory.dmp

Filesize
96KB

Download
memory/1640-95-0x00007FF9170F0000-0x00007FF9170F1000-memory.dmp

Filesize
4KB

Download
memory/1640-97-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

Filesize
48KB

Download
memory/1640-98-0x00007FF9170E0000-0x00007FF9170E1000-memory.dmp

Filesize
4KB

Download
memory/1640-42-0x00007FF917220000-0x00007FF917221000-memory.dmp

Filesize
4KB

Download
memory/1640-41-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1640-225-0x000000001CA00000-0x000000001CAA9000-memory.dmp

Filesize
676KB

Download
memory/1640-337-0x000000001CA00000-0x000000001CAA9000-memory.dmp

Filesize
676KB

Download
memory/1640-40-0x00007FF917230000-0x00007FF917231000-memory.dmp

Filesize
4KB

Download
memory/1640-39-0x0000000002E00000-0x0000000002E0E000-memory.dmp

Filesize
56KB

Download
memory/1640-35-0x00007FF917240000-0x00007FF917241000-memory.dmp

Filesize
4KB

Download
memory/1640-34-0x000000001BA20000-0x000000001BA38000-memory.dmp

Filesize
96KB

Download
memory/1640-32-0x00007FF917250000-0x00007FF917251000-memory.dmp

Filesize
4KB

Download
memory/1640-31-0x000000001BDF0000-0x000000001BE40000-memory.dmp

Filesize
320KB

Download
memory/1640-28-0x00007FF917260000-0x00007FF917261000-memory.dmp

Filesize
4KB

Download
memory/1640-30-0x000000001B8F0000-0x000000001B90C000-memory.dmp

Filesize
112KB

Download
memory/1640-27-0x00007FF917280000-0x00007FF917281000-memory.dmp

Filesize
4KB

Download
memory/1640-26-0x0000000002DA0000-0x0000000002DAE000-memory.dmp

Filesize
56KB

Download
memory/1640-24-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1640-23-0x00007FF9172A0000-0x00007FF91735E000-memory.dmp

Filesize
760KB

Download
memory/1640-22-0x00007FF8FA510000-0x00007FF8FAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-20-0x00007FF9172A0000-0x00007FF91735E000-memory.dmp

Filesize
760KB

Download
memory/1640-21-0x00007FF917290000-0x00007FF917291000-memory.dmp

Filesize
4KB

Download
memory/1640-19-0x000000001BA70000-0x000000001BA96000-memory.dmp

Filesize
152KB

Download
memory/1640-17-0x00007FF9172A0000-0x00007FF91735E000-memory.dmp

Filesize
760KB

Download
memory/1640-16-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1640-15-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1640-14-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1640-13-0x00007FF8FA510000-0x00007FF8FAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-12-0x0000000000930000-0x0000000000CC4000-memory.dmp

Filesize
3.6MB

Download
memory/5716-532-0x000000001C100000-0x000000001C1A9000-memory.dmp

Filesize
676KB

Download
memory/5716-533-0x000000001D810000-0x000000001D925000-memory.dmp

Filesize
1.1MB

Download