zgrat | 0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199

Analysis

max time kernel
136s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199.exe
Size

3.7MB
MD5

33c53419f5450d013fd20a76468d43d2
SHA1

40b6d4224504f1f0dfea827c8c853dce79a77287
SHA256

0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199
SHA512

e202c49fe373e094e5b619de43e852e0e09edbb9ebda444be762c0b46939f843cf9cffa4f24726e46ac096135b0cdd1332aa0c386c1a4f9525a95910af682c14
SSDEEP

98304:ypcjyoyOglp/VanCJgUEIvX8jMrbL7589kE9PQqP:8s7glp/VaCJAIQs7m9kERQc

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2584-15-0x000000001ACD0000-0x000000001B08E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-17-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-18-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-20-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-22-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-24-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-26-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-28-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-30-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-32-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-34-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-36-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-38-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-40-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-42-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-44-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-46-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-48-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-50-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-52-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-54-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-56-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-58-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-60-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-62-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-64-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-66-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-68-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-70-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-72-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-74-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-76-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-78-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1
behavioral1/memory/2584-80-0x000000001ACD0000-0x000000001B088000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1664	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1664	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 34 IoCs

resource	yara_rule
behavioral1/memory/2584-15-0x000000001ACD0000-0x000000001B08E000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-17-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-18-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-20-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-22-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-24-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-26-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-28-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-30-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-32-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-34-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-36-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-38-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-40-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-42-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-44-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-46-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-48-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-50-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-52-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-54-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-56-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-58-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-60-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-62-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-64-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-66-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-68-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-70-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-72-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-74-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-76-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-78-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-80-0x000000001ACD0000-0x000000001B088000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 2 IoCs

pid	Process
2584	serverDriver.exe
1204	serverDriver.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	cmd.exe
2988	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe	serverDriver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\cc11b995f2a76d	serverDriver.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe	serverDriver.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\6cb0b6c459d5d3	serverDriver.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	serverDriver.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	serverDriver.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\csrss.exe	serverDriver.exe
File created	C:\Windows\AppCompat\Programs\886983d96e3d3e	serverDriver.exe
File created	C:\Windows\AppCompat\Programs\serverDriver.exe	serverDriver.exe
File opened for modification	C:\Windows\AppCompat\Programs\serverDriver.exe	serverDriver.exe
File created	C:\Windows\AppCompat\Programs\1ced8b9c1f03b8	serverDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
596	schtasks.exe
840	schtasks.exe
2468	schtasks.exe
2236	schtasks.exe
2352	schtasks.exe
1496	schtasks.exe
2656	schtasks.exe
1560	schtasks.exe
1172	schtasks.exe
1036	schtasks.exe
2448	schtasks.exe
1936	schtasks.exe
296	schtasks.exe
2832	schtasks.exe
2916	schtasks.exe
1120	schtasks.exe
1332	schtasks.exe
2244	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	serverDriver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	serverDriver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe
2584	serverDriver.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	serverDriver.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1204	serverDriver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1204	serverDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1404	1196	0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199.exe	28
PID 1196 wrote to memory of 1404	1196	0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199.exe	28
PID 1196 wrote to memory of 1404	1196	0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199.exe	28
PID 1196 wrote to memory of 1404	1196	0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199.exe	28
PID 1404 wrote to memory of 2988	1404	WScript.exe	29
PID 1404 wrote to memory of 2988	1404	WScript.exe	29
PID 1404 wrote to memory of 2988	1404	WScript.exe	29
PID 1404 wrote to memory of 2988	1404	WScript.exe	29
PID 2988 wrote to memory of 2584	2988	cmd.exe	31
PID 2988 wrote to memory of 2584	2988	cmd.exe	31
PID 2988 wrote to memory of 2584	2988	cmd.exe	31
PID 2988 wrote to memory of 2584	2988	cmd.exe	31
PID 2584 wrote to memory of 1508	2584	serverDriver.exe	53
PID 2584 wrote to memory of 1508	2584	serverDriver.exe	53
PID 2584 wrote to memory of 1508	2584	serverDriver.exe	53
PID 2584 wrote to memory of 1776	2584	serverDriver.exe	54
PID 2584 wrote to memory of 1776	2584	serverDriver.exe	54
PID 2584 wrote to memory of 1776	2584	serverDriver.exe	54
PID 2584 wrote to memory of 1100	2584	serverDriver.exe	56
PID 2584 wrote to memory of 1100	2584	serverDriver.exe	56
PID 2584 wrote to memory of 1100	2584	serverDriver.exe	56
PID 2584 wrote to memory of 1992	2584	serverDriver.exe	58
PID 2584 wrote to memory of 1992	2584	serverDriver.exe	58
PID 2584 wrote to memory of 1992	2584	serverDriver.exe	58
PID 2584 wrote to memory of 1784	2584	serverDriver.exe	60
PID 2584 wrote to memory of 1784	2584	serverDriver.exe	60
PID 2584 wrote to memory of 1784	2584	serverDriver.exe	60
PID 2584 wrote to memory of 808	2584	serverDriver.exe	61
PID 2584 wrote to memory of 808	2584	serverDriver.exe	61
PID 2584 wrote to memory of 808	2584	serverDriver.exe	61
PID 2584 wrote to memory of 764	2584	serverDriver.exe	64
PID 2584 wrote to memory of 764	2584	serverDriver.exe	64
PID 2584 wrote to memory of 764	2584	serverDriver.exe	64
PID 2584 wrote to memory of 2304	2584	serverDriver.exe	65
PID 2584 wrote to memory of 2304	2584	serverDriver.exe	65
PID 2584 wrote to memory of 2304	2584	serverDriver.exe	65
PID 2584 wrote to memory of 900	2584	serverDriver.exe	66
PID 2584 wrote to memory of 900	2584	serverDriver.exe	66
PID 2584 wrote to memory of 900	2584	serverDriver.exe	66
PID 2584 wrote to memory of 636	2584	serverDriver.exe	67
PID 2584 wrote to memory of 636	2584	serverDriver.exe	67
PID 2584 wrote to memory of 636	2584	serverDriver.exe	67
PID 2584 wrote to memory of 592	2584	serverDriver.exe	68
PID 2584 wrote to memory of 592	2584	serverDriver.exe	68
PID 2584 wrote to memory of 592	2584	serverDriver.exe	68
PID 2584 wrote to memory of 2068	2584	serverDriver.exe	69
PID 2584 wrote to memory of 2068	2584	serverDriver.exe	69
PID 2584 wrote to memory of 2068	2584	serverDriver.exe	69
PID 2584 wrote to memory of 3032	2584	serverDriver.exe	73
PID 2584 wrote to memory of 3032	2584	serverDriver.exe	73
PID 2584 wrote to memory of 3032	2584	serverDriver.exe	73
PID 2584 wrote to memory of 1940	2584	serverDriver.exe	74
PID 2584 wrote to memory of 1940	2584	serverDriver.exe	74
PID 2584 wrote to memory of 1940	2584	serverDriver.exe	74
PID 2584 wrote to memory of 1280	2584	serverDriver.exe	75
PID 2584 wrote to memory of 1280	2584	serverDriver.exe	75
PID 2584 wrote to memory of 1280	2584	serverDriver.exe	75
PID 2584 wrote to memory of 1712	2584	serverDriver.exe	76
PID 2584 wrote to memory of 1712	2584	serverDriver.exe	76
PID 2584 wrote to memory of 1712	2584	serverDriver.exe	76
PID 2584 wrote to memory of 1132	2584	serverDriver.exe	77
PID 2584 wrote to memory of 1132	2584	serverDriver.exe	77
PID 2584 wrote to memory of 1132	2584	serverDriver.exe	77
PID 2584 wrote to memory of 2968	2584	serverDriver.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199.exe
"C:\Users\Admin\AppData\Local\Temp\0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msComwin\cZA5KaguC4o8PZDkwLzCSV.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\msComwin\jPMpoQeQp16cuCKUjlVM4BatpZBs5KbDfkAsAnootEh6QE.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\msComwin\serverDriver.exe
      "C:\msComwin/serverDriver.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msComwin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\csrss.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\serverDriver.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msComwin\serverDriver.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O0znAHssau.bat"
        5⤵
        
        PID:2172
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2920
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2028
      - C:\Windows\AppCompat\Programs\serverDriver.exe
        
        "C:\Windows\AppCompat\Programs\serverDriver.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverDrivers" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\serverDriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverDriver" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\serverDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverDrivers" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\serverDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverDrivers" /sc MINUTE /mo 13 /tr "'C:\msComwin\serverDriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverDriver" /sc ONLOGON /tr "'C:\msComwin\serverDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverDrivers" /sc MINUTE /mo 11 /tr "'C:\msComwin\serverDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\O0znAHssau.bat

Filesize
222B

MD5
21d4da39ade11bcdacfa0a9ba298f6dc

SHA1
681a0af4ee9f5a8a7e1370d2a287fec2e92065ca

SHA256
b6a378198fb5e88c65146878ab5fa7b241c6c05254dcb81bf97c4039cd847c33

SHA512
5228c696c0f1d9900196db0432803f3661d76dcd9a53e04e756aef9154a0328caf7412236148fc9d55b1654976d33845369b2bb8086ce016dc476d836d47b761

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28c4173ec3ffaf1d9a3a53380da497da

SHA1
3b57614e708a29bfaef3b931af300b739716715e

SHA256
f34da92cedd5ce3bbb60552d0a1d18f1d44b711abc6ecd93166128049a42497b

SHA512
e25dded712d827fc0e6ccc8ec822066889b08872c8a648d2d3b9602c78833695e110667352d552a047d87f90ce10f4cee1469e19aac226488f82207d7d8320ef

Download Submit
C:\msComwin\cZA5KaguC4o8PZDkwLzCSV.vbe

Filesize
232B

MD5
7fad4b958a8b21ef6a8a5f2076b010e1

SHA1
3070e5adcab9ac193bce0176850bd210e86c942b

SHA256
5f515df09286381ec00cbe712ee5221e84f8f495146efd32901f4841b95dedc7

SHA512
cf7b0a1b6f6e4c1c24ba561990fca53e1b0540026d75418951961a2a4e7cefb448a599f99a0fc8e1c1a433037fd9b22b1eee7c99e9a6e0e04596d625546d8a55

Download Submit
C:\msComwin\jPMpoQeQp16cuCKUjlVM4BatpZBs5KbDfkAsAnootEh6QE.bat

Filesize
91B

MD5
af5da6a1a220f72f4923164d9f77a26f

SHA1
0200160613da7d7cc0559a6db2ab16f75c6c93b9

SHA256
f0055d73ff77312a21e2d23bd23c37e55710129a40dc694561b9409acf9a612b

SHA512
1d5bde455ca9eca01fe9eb3c8df893607a2b99805275df3be998e6d60ac73066619efc46374d00f85a1c9850d811037b001181fdc26e5718eda81873d8f6cc67

Download Submit
\msComwin\serverDriver.exe

Filesize
3.4MB

MD5
9cc469fa3ae795c1eeaa6e7c14deae67

SHA1
04e52f4a475271e9d4b617a65e41b83b4b866703

SHA256
d0102ec13b810c20f1a43950ac1aab7afc636b94ad13d15d1e6eaef49c3c1d6f

SHA512
50efc17e1b22e111b2832b3486a92e7cc2325706a95fe5efd3d916896a61e8c61b36da8e93d904049366a5b92c0aed7c2dbf1b5f44924ca67d89bb794d5a443d

Download Submit
memory/1776-3720-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1776-3727-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1776-3767-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/1776-3769-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/1776-3768-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2584-3578-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/2584-3599-0x0000000076BE0000-0x0000000076BE1000-memory.dmp

Filesize
4KB

Download
memory/2584-17-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-18-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-20-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-22-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-24-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-26-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-28-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-30-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-32-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-34-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-36-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-38-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-40-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-42-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-44-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-46-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-48-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-50-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-52-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-54-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-56-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-58-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-60-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-62-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-64-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-66-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-3584-0x0000000076C30000-0x0000000076C31000-memory.dmp

Filesize
4KB

Download
memory/2584-70-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-72-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-74-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-76-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-78-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-80-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-3573-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2584-3589-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2584-3575-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/2584-3579-0x0000000076C50000-0x0000000076C51000-memory.dmp

Filesize
4KB

Download
memory/2584-3580-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/2584-15-0x000000001ACD0000-0x000000001B08E000-memory.dmp

Filesize
3.7MB

Download
memory/2584-3577-0x0000000000560000-0x0000000000586000-memory.dmp

Filesize
152KB

Download
memory/2584-3582-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2584-3583-0x0000000076C40000-0x0000000076C41000-memory.dmp

Filesize
4KB

Download
memory/2584-68-0x000000001ACD0000-0x000000001B088000-memory.dmp

Filesize
3.7MB

Download
memory/2584-16-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/2584-3574-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-3588-0x0000000076C20000-0x0000000076C21000-memory.dmp

Filesize
4KB

Download
memory/2584-3590-0x0000000076C10000-0x0000000076C11000-memory.dmp

Filesize
4KB

Download
memory/2584-3592-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/2584-3594-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2584-3595-0x0000000076C00000-0x0000000076C01000-memory.dmp

Filesize
4KB

Download
memory/2584-3597-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2584-3598-0x0000000076BF0000-0x0000000076BF1000-memory.dmp

Filesize
4KB

Download
memory/2584-3601-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2584-3586-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/2584-3603-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2584-3604-0x0000000076BD0000-0x0000000076BD1000-memory.dmp

Filesize
4KB

Download
memory/2584-3605-0x0000000076BC0000-0x0000000076BC1000-memory.dmp

Filesize
4KB

Download
memory/2584-3607-0x0000000001EA0000-0x0000000001EAE000-memory.dmp

Filesize
56KB

Download
memory/2584-3609-0x0000000001EB0000-0x0000000001EBC000-memory.dmp

Filesize
48KB

Download
memory/2584-3611-0x0000000001FE0000-0x0000000001FF2000-memory.dmp

Filesize
72KB

Download
memory/2584-3613-0x0000000076BB0000-0x0000000076BB1000-memory.dmp

Filesize
4KB

Download
memory/2584-3618-0x0000000076B90000-0x0000000076B91000-memory.dmp

Filesize
4KB

Download
memory/2584-3617-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/2584-3616-0x0000000076BA0000-0x0000000076BA1000-memory.dmp

Filesize
4KB

Download
memory/2584-3615-0x0000000001EC0000-0x0000000001ECC000-memory.dmp

Filesize
48KB

Download
memory/2584-3612-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/2584-3619-0x0000000076B80000-0x0000000076B81000-memory.dmp

Filesize
4KB

Download
memory/2584-3621-0x0000000001ED0000-0x0000000001EE0000-memory.dmp

Filesize
64KB

Download
memory/2584-3623-0x000000001A6A0000-0x000000001A6B6000-memory.dmp

Filesize
88KB

Download
memory/2584-3624-0x0000000076B70000-0x0000000076B71000-memory.dmp

Filesize
4KB

Download
memory/2584-3626-0x000000001ABA0000-0x000000001ABB2000-memory.dmp

Filesize
72KB

Download
memory/2584-3627-0x0000000076B60000-0x0000000076B61000-memory.dmp

Filesize
4KB

Download
memory/2584-3629-0x0000000002000000-0x000000000200E000-memory.dmp

Filesize
56KB

Download
memory/2584-3631-0x0000000002010000-0x000000000201C000-memory.dmp

Filesize
48KB

Download
memory/2584-3633-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/2584-3634-0x0000000076B20000-0x0000000076B21000-memory.dmp

Filesize
4KB

Download
memory/2584-3636-0x000000001A7C0000-0x000000001A7D0000-memory.dmp

Filesize
64KB

Download
memory/2584-3637-0x0000000076B10000-0x0000000076B11000-memory.dmp

Filesize
4KB

Download
memory/2584-3639-0x000000001B370000-0x000000001B3CA000-memory.dmp

Filesize
360KB

Download
memory/2584-3641-0x000000001ABC0000-0x000000001ABCE000-memory.dmp

Filesize
56KB

Download
memory/2584-3643-0x000000001ABD0000-0x000000001ABE0000-memory.dmp

Filesize
64KB

Download
memory/2584-3645-0x000000001ABE0000-0x000000001ABEE000-memory.dmp

Filesize
56KB

Download
memory/2584-3647-0x000000001ABF0000-0x000000001ABF8000-memory.dmp

Filesize
32KB

Download
memory/2584-14-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-13-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2584-3649-0x000000001AC20000-0x000000001AC38000-memory.dmp

Filesize
96KB

Download
memory/2584-3651-0x000000001AC00000-0x000000001AC0C000-memory.dmp

Filesize
48KB

Download
memory/2584-3653-0x000000001BAF0000-0x000000001BB3E000-memory.dmp

Filesize
312KB

Download
memory/2584-3665-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/2584-3670-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download