08f5f24c8ef6b7c7931798906143ff6eb6859c79c40de90be2bca3ded66c58d0

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
Size

855KB
MD5

2b7761d63ad43b505d1a89607b182500
SHA1

b758584f3e7c93f3790d4c6c570a373fed19d123
SHA256

401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b
SHA512

436b5fabae435238e1d7768447661c8493a72e9cead567bb16cad0d35d967cfc65d16e033705c618a7b812193d87318b2de0dea5d998666ef26bca23d9e4e8a9
SSDEEP

12288:Nk/7EenhzI/6QX4DKy3HdMQKYn/GAq9VhwzV1Xkrmhejsg:eBhzI/604GyHuQVOgLXkrmhw9

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2628	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2628	schtasks.exe	91

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 8 IoCs

pid	Process
4328	RuntimeBroker.exe
5036	RuntimeBroker.exe
4572	RuntimeBroker.exe
3456	RuntimeBroker.exe
4896	RuntimeBroker.exe
2100	RuntimeBroker.exe
2320	RuntimeBroker.exe
3800	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
79	pastebin.com
55	pastebin.com
56	pastebin.com
68	pastebin.com
78	pastebin.com
85	pastebin.com
69	pastebin.com
75	pastebin.com
80	pastebin.com
81	pastebin.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\eddb19405b7ce1	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Program Files\ModifiableWindowsApps\backgroundTaskHost.exe	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\55b276f4edf653	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Program Files (x86)\Common Files\Adobe\csrss.exe	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Program Files (x86)\Common Files\Adobe\886983d96e3d3e	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\RuntimeBroker.exe	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File opened for modification	C:\Windows\AppReadiness\RuntimeBroker.exe	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Windows\AppReadiness\9e8d7a4ca61bd9	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\sihost.exe	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\66fc9ff0ee96c2	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
808	schtasks.exe
4516	schtasks.exe
764	schtasks.exe
740	schtasks.exe
1968	schtasks.exe
4696	schtasks.exe
2300	schtasks.exe
1708	schtasks.exe
2732	schtasks.exe
652	schtasks.exe
5020	schtasks.exe
4956	schtasks.exe
1228	schtasks.exe
936	schtasks.exe
2752	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	RuntimeBroker.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
3980	PING.EXE
3772	PING.EXE
3432	PING.EXE
3636	PING.EXE
4388	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	4328	RuntimeBroker.exe
Token: SeDebugPrivilege	5036	RuntimeBroker.exe
Token: SeDebugPrivilege	4572	RuntimeBroker.exe
Token: SeDebugPrivilege	3456	RuntimeBroker.exe
Token: SeDebugPrivilege	4896	RuntimeBroker.exe
Token: SeDebugPrivilege	2100	RuntimeBroker.exe
Token: SeDebugPrivilege	2320	RuntimeBroker.exe
Token: SeDebugPrivilege	3800	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1620	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	108
PID 4700 wrote to memory of 1620	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	108
PID 4700 wrote to memory of 2648	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	109
PID 4700 wrote to memory of 2648	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	109
PID 4700 wrote to memory of 3764	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	110
PID 4700 wrote to memory of 3764	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	110
PID 4700 wrote to memory of 3024	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	112
PID 4700 wrote to memory of 3024	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	112
PID 4700 wrote to memory of 948	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	114
PID 4700 wrote to memory of 948	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	114
PID 4700 wrote to memory of 1828	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	118
PID 4700 wrote to memory of 1828	4700	401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe	118
PID 1828 wrote to memory of 4616	1828	cmd.exe	120
PID 1828 wrote to memory of 4616	1828	cmd.exe	120
PID 1828 wrote to memory of 3772	1828	cmd.exe	121
PID 1828 wrote to memory of 3772	1828	cmd.exe	121
PID 1828 wrote to memory of 4328	1828	cmd.exe	123
PID 1828 wrote to memory of 4328	1828	cmd.exe	123
PID 4328 wrote to memory of 392	4328	RuntimeBroker.exe	131
PID 4328 wrote to memory of 392	4328	RuntimeBroker.exe	131
PID 392 wrote to memory of 912	392	cmd.exe	133
PID 392 wrote to memory of 912	392	cmd.exe	133
PID 392 wrote to memory of 3980	392	cmd.exe	134
PID 392 wrote to memory of 3980	392	cmd.exe	134
PID 392 wrote to memory of 5036	392	cmd.exe	142
PID 392 wrote to memory of 5036	392	cmd.exe	142
PID 5036 wrote to memory of 912	5036	RuntimeBroker.exe	143
PID 5036 wrote to memory of 912	5036	RuntimeBroker.exe	143
PID 912 wrote to memory of 3128	912	cmd.exe	145
PID 912 wrote to memory of 3128	912	cmd.exe	145
PID 912 wrote to memory of 1484	912	cmd.exe	146
PID 912 wrote to memory of 1484	912	cmd.exe	146
PID 912 wrote to memory of 4572	912	cmd.exe	147
PID 912 wrote to memory of 4572	912	cmd.exe	147
PID 4572 wrote to memory of 3112	4572	RuntimeBroker.exe	149
PID 4572 wrote to memory of 3112	4572	RuntimeBroker.exe	149
PID 3112 wrote to memory of 392	3112	cmd.exe	151
PID 3112 wrote to memory of 392	3112	cmd.exe	151
PID 3112 wrote to memory of 3432	3112	cmd.exe	152
PID 3112 wrote to memory of 3432	3112	cmd.exe	152
PID 3112 wrote to memory of 3456	3112	cmd.exe	153
PID 3112 wrote to memory of 3456	3112	cmd.exe	153
PID 3456 wrote to memory of 2228	3456	RuntimeBroker.exe	154
PID 3456 wrote to memory of 2228	3456	RuntimeBroker.exe	154
PID 2228 wrote to memory of 2300	2228	cmd.exe	156
PID 2228 wrote to memory of 2300	2228	cmd.exe	156
PID 2228 wrote to memory of 3636	2228	cmd.exe	157
PID 2228 wrote to memory of 3636	2228	cmd.exe	157
PID 2228 wrote to memory of 4896	2228	cmd.exe	158
PID 2228 wrote to memory of 4896	2228	cmd.exe	158
PID 4896 wrote to memory of 2372	4896	RuntimeBroker.exe	159
PID 4896 wrote to memory of 2372	4896	RuntimeBroker.exe	159
PID 2372 wrote to memory of 1228	2372	cmd.exe	161
PID 2372 wrote to memory of 1228	2372	cmd.exe	161
PID 2372 wrote to memory of 3676	2372	cmd.exe	162
PID 2372 wrote to memory of 3676	2372	cmd.exe	162
PID 2372 wrote to memory of 2100	2372	cmd.exe	163
PID 2372 wrote to memory of 2100	2372	cmd.exe	163
PID 2100 wrote to memory of 4092	2100	RuntimeBroker.exe	164
PID 2100 wrote to memory of 4092	2100	RuntimeBroker.exe	164
PID 4092 wrote to memory of 2084	4092	cmd.exe	166
PID 4092 wrote to memory of 2084	4092	cmd.exe	166
PID 4092 wrote to memory of 5032	4092	cmd.exe	167
PID 4092 wrote to memory of 5032	4092	cmd.exe	167

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe
"C:\Users\Admin\AppData\Local\Temp\401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\RuntimeBroker.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\sihost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\woQk0u98lt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4616
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:3772
- - C:\Windows\AppReadiness\RuntimeBroker.exe
    "C:\Windows\AppReadiness\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7oBPqXqtON.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:912
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3980
    - - C:\Windows\AppReadiness\RuntimeBroker.exe
        
        "C:\Windows\AppReadiness\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UR8LTwG0HJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1484
        
        C:\Windows\AppReadiness\RuntimeBroker.exe
        
        "C:\Windows\AppReadiness\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9PDuMdk3a6.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3432
        
        C:\Windows\AppReadiness\RuntimeBroker.exe
        
        "C:\Windows\AppReadiness\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YEunsIO9tk.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:3636
        
        C:\Windows\AppReadiness\RuntimeBroker.exe
        
        "C:\Windows\AppReadiness\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02VouYs0zf.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3676
        
        C:\Windows\AppReadiness\RuntimeBroker.exe
        
        "C:\Windows\AppReadiness\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ikqvEHWfWg.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5032
        
        C:\Windows\AppReadiness\RuntimeBroker.exe
        
        "C:\Windows\AppReadiness\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vfp7xrD4Gh.bat"
        16⤵
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:4388
        
        C:\Windows\AppReadiness\RuntimeBroker.exe
        
        "C:\Windows\AppReadiness\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xFiNVDkrNE.bat"
        18⤵
        
        PID:3096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe

Filesize
855KB

MD5
2b7761d63ad43b505d1a89607b182500

SHA1
b758584f3e7c93f3790d4c6c570a373fed19d123

SHA256
401b41cc3b16d57c53f26a8a65233e4f3677579ad590f480c5efae55de0fa87b

SHA512
436b5fabae435238e1d7768447661c8493a72e9cead567bb16cad0d35d967cfc65d16e033705c618a7b812193d87318b2de0dea5d998666ef26bca23d9e4e8a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
bfaab3c7bbb572ec17dbf57e20ad0421

SHA1
b49da2855cc20734687bb5072b46c3b192a2119e

SHA256
7b113aae4a46ab83be4b0ec43213c8bdc7cd5ae89f05c90ec537d342f7f1ed0b

SHA512
83dc87080a210aafe30c981463d1fb6e952cd6d92d5be788360dc1398595d84fa6e35fe2b70339a6b4006bc28543a3194888caf3c8e56ad172bd48352bb0d5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\02VouYs0zf.bat

Filesize
217B

MD5
327fd6477919071b5aa2c6de33b15810

SHA1
25b5baff848216854783bd0bc2692bc4541ff757

SHA256
75347973c1cdcc5a5f936377f4767b35e62a7b6bf3f7a0f548d7941d8985853b

SHA512
f4eb33f09c06c352118c8f246377d4a9414076cab48eb7fe2eb51cf73134b71491a222ecd355790647e63342d3f2eddea673bcf9ba76a45b089591b7317d3146

Download Submit
C:\Users\Admin\AppData\Local\Temp\7oBPqXqtON.bat

Filesize
217B

MD5
8028e2e0bb98195ba9b66e1ce225efe1

SHA1
afb3f3ff5ea5e3f9ffb4ca6b74ed86deb3a8aa82

SHA256
9eac359921e6732a2ff52f8514528cd1c285aca7e0cbf25838c0cf4d0bc43f88

SHA512
151751520e3949ac9cad3e8026101b1f1c2e9db6bdb7a5ca2e23d0e4c5704083cab1011ce05bcc65b1c2aae7829c7a300f13ebd4073d11a7e2c17e5ea1c8d5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9PDuMdk3a6.bat

Filesize
169B

MD5
8e782c0657e029c658f17892089d6bbc

SHA1
77a7c4e9bf3ab3c932774114fc1391f3b88628a0

SHA256
1361b884048ef867445541fd7de9f7a4a44e0da51b2a36d11eef02d78b3bf1c1

SHA512
a755579e260141dd9a4c58feb0822d025fac3255ac85c279056208ec905e803a0e96a1a73ace79a7ff562294ba7a0e1b03591b19724a224deab28496142a2d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\UR8LTwG0HJ.bat

Filesize
217B

MD5
50f98274db401020748bad2df03660e8

SHA1
9e1567a6130cdd9f534399d51745cf6269b870bd

SHA256
60ef0d7adbb7af8c259906591595085788ce357d6b8540a2886994ad29d07a4a

SHA512
72a236a319a387f4b861db84b7d0d0ced9894fe45432bf5887c35a4e06ec5f2c015300d4aca0659ccf414bd7d9594c964411b122f1c9c8784907c28c3576673b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vfp7xrD4Gh.bat

Filesize
169B

MD5
e79aa3e02236b652ed0ed3eacf5cd13f

SHA1
659c0820da4d984dc61d39ea446f22fd7a01db86

SHA256
a200769276e3b5af7f4ef41f0bb1973d2dea916c9ae6d50a9f2da82e9f35cd28

SHA512
2ae2f8c7f430ac40772af7ab05b05067c335fef7f89afaad0269e65bdba5e653e37811b690066871ebc1707a30c175bd5820e3fb7c30797c7a99e371c093d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEunsIO9tk.bat

Filesize
169B

MD5
b551136da7ebb6f22804b59f89a8d4b5

SHA1
03ee93f85a2aeec5bd72a78d154efa9e9c0a43c0

SHA256
c33c69d221b2bef54b4de452a26d9c32dcd56829229ea00411f53e54150b67cf

SHA512
697c8b93f642cc0bd52222bc48480b0d1e5ef9512b6079cc213ce6ab00818ee246ca609ad6b4bda861ac170bf1c5480fd0de0d4ed19462603000b94223c1d39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amlqab5n.x3h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikqvEHWfWg.bat

Filesize
217B

MD5
27c65a348c18b96b584971ce794455d8

SHA1
c6441ef6f1f63be9361037ba9459ae7c4e1f1561

SHA256
8de207b54d7c360ddc27e7f732f0699c78f5f8340591ea449b1eff04f92cc7bf

SHA512
bc6df85d8064ea83be706732caf40dfade948999b33efa86506949c242155a79919c7cb5577bc97f576e4741fb800299cddcf1e0e3267f7e0cc8fc83b9ef304d

Download Submit
C:\Users\Admin\AppData\Local\Temp\woQk0u98lt.bat

Filesize
169B

MD5
4907a90d698c6b44ac126f9bd3a785aa

SHA1
0e20ba4b3a17cf4866b4b84805293f23dbb45139

SHA256
b4921330cfff63cbd8e34f27ce566417fc3937e63b4bd566002587251b453b1f

SHA512
8c4f69a9e358fc43362b2bac01a242bebabccd410f379c858b0f53f8dd476c905e1f0fbb39f0c23bf981688082e5cf0d3c618c393adc628866acdac19dffebde

Download Submit
C:\Users\Admin\AppData\Local\Temp\xFiNVDkrNE.bat

Filesize
169B

MD5
4ce3731e5abce6514a1f729e3546ed14

SHA1
320610c54877cd0eddead689f20da7c00f142963

SHA256
42ad8c4fbb75c7a8ec454f7fd27ac27354a47ddf8e0ca90fdba0faf0d63ab67b

SHA512
80ae28c65b5baf0a9f990c15069a457eae8aeb1abf32f2c57bbc111a119c36db1a313d654f37c739585f49c80fb198a95f0499dd9fb68c2a01116861fad93bd0

Download Submit
memory/948-98-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/948-137-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/948-118-0x00000115D0DD0000-0x00000115D0DE0000-memory.dmp

Filesize
64KB

Download
memory/1620-121-0x00000233B50A0000-0x00000233B50B0000-memory.dmp

Filesize
64KB

Download
memory/1620-68-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/1620-76-0x00000233B50A0000-0x00000233B50B0000-memory.dmp

Filesize
64KB

Download
memory/1620-139-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/1620-72-0x00000233B50A0000-0x00000233B50B0000-memory.dmp

Filesize
64KB

Download
memory/2100-307-0x000000001DF00000-0x000000001DFA9000-memory.dmp

Filesize
676KB

Download
memory/2320-332-0x000000001E000000-0x000000001E0A9000-memory.dmp

Filesize
676KB

Download
memory/2648-140-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/2648-55-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/2648-57-0x000002AB39F90000-0x000002AB39FA0000-memory.dmp

Filesize
64KB

Download
memory/2648-56-0x000002AB39F90000-0x000002AB39FA0000-memory.dmp

Filesize
64KB

Download
memory/3024-122-0x0000026728180000-0x0000026728190000-memory.dmp

Filesize
64KB

Download
memory/3024-80-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/3024-99-0x00000267280F0000-0x0000026728112000-memory.dmp

Filesize
136KB

Download
memory/3024-58-0x0000026728180000-0x0000026728190000-memory.dmp

Filesize
64KB

Download
memory/3024-112-0x0000026728180000-0x0000026728190000-memory.dmp

Filesize
64KB

Download
memory/3024-136-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/3456-253-0x000000001DC00000-0x000000001DCA9000-memory.dmp

Filesize
676KB

Download
memory/3764-79-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/3764-138-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/3764-120-0x0000019541900000-0x0000019541910000-memory.dmp

Filesize
64KB

Download
memory/3800-359-0x000000001D2A0000-0x000000001D349000-memory.dmp

Filesize
676KB

Download
memory/4328-145-0x00007FFB1F230000-0x00007FFB1F2EE000-memory.dmp

Filesize
760KB

Download
memory/4328-144-0x00007FFB024E0000-0x00007FFB02FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4328-168-0x000000001D690000-0x000000001D739000-memory.dmp

Filesize
676KB

Download
memory/4328-162-0x000000001D690000-0x000000001D739000-memory.dmp

Filesize
676KB

Download
memory/4328-154-0x00007FFB1F0B0000-0x00007FFB1F0B1000-memory.dmp

Filesize
4KB

Download
memory/4328-152-0x00007FFB1F0C0000-0x00007FFB1F0C1000-memory.dmp

Filesize
4KB

Download
memory/4328-150-0x00007FFB1F0D0000-0x00007FFB1F0D1000-memory.dmp

Filesize
4KB

Download
memory/4328-149-0x00007FFB1F0E0000-0x00007FFB1F0E1000-memory.dmp

Filesize
4KB

Download
memory/4328-147-0x00007FFB1F0F0000-0x00007FFB1F0F1000-memory.dmp

Filesize
4KB

Download
memory/4572-226-0x000000001DD00000-0x000000001DDA9000-memory.dmp

Filesize
676KB

Download
memory/4572-221-0x000000001DD00000-0x000000001DDA9000-memory.dmp

Filesize
676KB

Download
memory/4700-19-0x00000000031C0000-0x00000000031CE000-memory.dmp

Filesize
56KB

Download
memory/4700-35-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-34-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-32-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-31-0x00007FFB1F080000-0x00007FFB1F081000-memory.dmp

Filesize
4KB

Download
memory/4700-30-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/4700-29-0x000000001C710000-0x000000001C71C000-memory.dmp

Filesize
48KB

Download
memory/4700-26-0x000000001C700000-0x000000001C70E000-memory.dmp

Filesize
56KB

Download
memory/4700-27-0x00007FFB1F090000-0x00007FFB1F091000-memory.dmp

Filesize
4KB

Download
memory/4700-21-0x00007FFB1F0A0000-0x00007FFB1F0A1000-memory.dmp

Filesize
4KB

Download
memory/4700-24-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-23-0x000000001C6F0000-0x000000001C6FC000-memory.dmp

Filesize
48KB

Download
memory/4700-20-0x00007FFB1F0B0000-0x00007FFB1F0B1000-memory.dmp

Filesize
4KB

Download
memory/4700-50-0x000000001CE20000-0x000000001CEC9000-memory.dmp

Filesize
676KB

Download
memory/4700-117-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/4700-0-0x0000000000EC0000-0x0000000000F98000-memory.dmp

Filesize
864KB

Download
memory/4700-116-0x000000001CE20000-0x000000001CEC9000-memory.dmp

Filesize
676KB

Download
memory/4700-33-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-113-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-119-0x00007FFB1F230000-0x00007FFB1F2EE000-memory.dmp

Filesize
760KB

Download
memory/4700-111-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-36-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4700-37-0x00007FFB1F230000-0x00007FFB1F2EE000-memory.dmp

Filesize
760KB

Download
memory/4700-15-0x00007FFB1F0C0000-0x00007FFB1F0C1000-memory.dmp

Filesize
4KB

Download
memory/4700-17-0x00000000031B0000-0x00000000031BE000-memory.dmp

Filesize
56KB

Download
memory/4700-1-0x0000000001840000-0x0000000001880000-memory.dmp

Filesize
256KB

Download
memory/4700-14-0x00000000018A0000-0x00000000018AE000-memory.dmp

Filesize
56KB

Download
memory/4700-39-0x000000001D320000-0x000000001D420000-memory.dmp

Filesize
1024KB

Download
memory/4700-38-0x000000001D320000-0x000000001D420000-memory.dmp

Filesize
1024KB

Download
memory/4700-12-0x00007FFB1F0D0000-0x00007FFB1F0D1000-memory.dmp

Filesize
4KB

Download
memory/4700-11-0x00007FFB1F0E0000-0x00007FFB1F0E1000-memory.dmp

Filesize
4KB

Download
memory/4700-10-0x00000000018E0000-0x00000000018F8000-memory.dmp

Filesize
96KB

Download
memory/4700-2-0x00007FFB02160000-0x00007FFB02C21000-memory.dmp

Filesize
10.8MB

Download
memory/4700-8-0x000000001C6A0000-0x000000001C6F0000-memory.dmp

Filesize
320KB

Download
memory/4700-7-0x00000000018C0000-0x00000000018DC000-memory.dmp

Filesize
112KB

Download
memory/4700-5-0x00007FFB1F0F0000-0x00007FFB1F0F1000-memory.dmp

Filesize
4KB

Download
memory/4700-4-0x00007FFB1F230000-0x00007FFB1F2EE000-memory.dmp

Filesize
760KB

Download
memory/4700-3-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4896-280-0x000000001D0F0000-0x000000001D199000-memory.dmp

Filesize
676KB

Download
memory/5036-196-0x000000001D410000-0x000000001D4B9000-memory.dmp

Filesize
676KB

Download