1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

max time kernel
1198s
max time network
1200s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/04/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

5.3MB
MD5

5fe4ea367cee11e92ad4644d8ac3cef7
SHA1

44faea4a352b7860a9eafca82bd3c9b054b6db29
SHA256

1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b
SHA512

1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f
SSDEEP

98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1636	netsh.exe
864	netsh.exe
624	netsh.exe
2500	netsh.exe
2540	netsh.exe
2688	netsh.exe
2160	netsh.exe
2292	netsh.exe
1720	netsh.exe
2284	netsh.exe
1968	netsh.exe
2084	netsh.exe
2484	netsh.exe
2508	netsh.exe

Executes dropped EXE 8 IoCs

pid	Process
1016	svchost.exe
2536	~tl478B.tmp
1064	svchost.exe
2340	~tl2175.tmp
1580	svchost.exe
2320	~tl2388.tmp
1256	svchost.exe
2672	~tl7F8C.tmp

Loads dropped DLL 14 IoCs

pid	Process
1228	tmp.exe
1228	tmp.exe
1016	svchost.exe
1016	svchost.exe
2536	~tl478B.tmp
2536	~tl478B.tmp
1064	svchost.exe
1064	svchost.exe
1540	taskeng.exe
1580	svchost.exe
1580	svchost.exe
848	taskeng.exe
1256	svchost.exe
1256	svchost.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl2388.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl7F8C.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm	~tl7F8C.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[3].htm	~tl7F8C.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl2388.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl7F8C.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	~tl478B.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl478B.tmp
File created	C:\Windows\System\xxx1.bak	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1940	schtasks.exe
336	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl7F8C.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl2388.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl7F8C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c09686ca9789da01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-50-8c-b8-69-46\WpadDecisionTime = c0f5d2d39789da01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl7F8C.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\f6-50-8c-b8-69-46	~tl7F8C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-50-8c-b8-69-46\WpadDetectedUrl	~tl2388.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-50-8c-b8-69-46\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\f6-50-8c-b8-69-46	~tl2388.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl7F8C.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl2388.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl2388.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl2388.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\WpadNetworkName = "Network 3"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl2388.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-50-8c-b8-69-46\WpadDecision = "0"	~tl7F8C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-50-8c-b8-69-46\WpadDetectedUrl	~tl7F8C.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\WpadDecisionReason = "1"	~tl7F8C.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl7F8C.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	~tl2388.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl7F8C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EA2C266D-6D68-4DB4-8A24-A2A885483C26}\WpadNetworkName = "Network 3"	~tl7F8C.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl2388.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-50-8c-b8-69-46	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-50-8c-b8-69-46\WpadDetectedUrl	svchost.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
328	powershell.exe
1564	powershell.exe
1228	tmp.exe
1144	powershell.exe
996	powershell.exe
2536	~tl478B.tmp
2664	powershell.exe
2220	powershell.exe
2536	~tl478B.tmp
1064	svchost.exe
1144	powershell.exe
988	powershell.exe
2340	~tl2175.tmp
2904	powershell.exe
1812	powershell.exe
1580	svchost.exe
1064	powershell.exe
2276	powershell.exe
2320	~tl2388.tmp
2040	powershell.exe
328	powershell.exe
1256	svchost.exe
1444	powershell.exe
2816	powershell.exe
2672	~tl7F8C.tmp
2076	powershell.exe
1668	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 328	1228	tmp.exe	32
PID 1228 wrote to memory of 328	1228	tmp.exe	32
PID 1228 wrote to memory of 328	1228	tmp.exe	32
PID 1228 wrote to memory of 1564	1228	tmp.exe	34
PID 1228 wrote to memory of 1564	1228	tmp.exe	34
PID 1228 wrote to memory of 1564	1228	tmp.exe	34
PID 1228 wrote to memory of 1940	1228	tmp.exe	36
PID 1228 wrote to memory of 1940	1228	tmp.exe	36
PID 1228 wrote to memory of 1940	1228	tmp.exe	36
PID 1228 wrote to memory of 1016	1228	tmp.exe	38
PID 1228 wrote to memory of 1016	1228	tmp.exe	38
PID 1228 wrote to memory of 1016	1228	tmp.exe	38
PID 1016 wrote to memory of 1144	1016	svchost.exe	40
PID 1016 wrote to memory of 1144	1016	svchost.exe	40
PID 1016 wrote to memory of 1144	1016	svchost.exe	40
PID 1016 wrote to memory of 996	1016	svchost.exe	42
PID 1016 wrote to memory of 996	1016	svchost.exe	42
PID 1016 wrote to memory of 996	1016	svchost.exe	42
PID 1016 wrote to memory of 2536	1016	svchost.exe	44
PID 1016 wrote to memory of 2536	1016	svchost.exe	44
PID 1016 wrote to memory of 2536	1016	svchost.exe	44
PID 2536 wrote to memory of 1668	2536	~tl478B.tmp	46
PID 2536 wrote to memory of 1668	2536	~tl478B.tmp	46
PID 2536 wrote to memory of 1668	2536	~tl478B.tmp	46
PID 2536 wrote to memory of 2688	2536	~tl478B.tmp	48
PID 2536 wrote to memory of 2688	2536	~tl478B.tmp	48
PID 2536 wrote to memory of 2688	2536	~tl478B.tmp	48
PID 2536 wrote to memory of 1968	2536	~tl478B.tmp	50
PID 2536 wrote to memory of 1968	2536	~tl478B.tmp	50
PID 2536 wrote to memory of 1968	2536	~tl478B.tmp	50
PID 2536 wrote to memory of 2664	2536	~tl478B.tmp	52
PID 2536 wrote to memory of 2664	2536	~tl478B.tmp	52
PID 2536 wrote to memory of 2664	2536	~tl478B.tmp	52
PID 2536 wrote to memory of 2220	2536	~tl478B.tmp	54
PID 2536 wrote to memory of 2220	2536	~tl478B.tmp	54
PID 2536 wrote to memory of 2220	2536	~tl478B.tmp	54
PID 2536 wrote to memory of 2824	2536	~tl478B.tmp	56
PID 2536 wrote to memory of 2824	2536	~tl478B.tmp	56
PID 2536 wrote to memory of 2824	2536	~tl478B.tmp	56
PID 2536 wrote to memory of 336	2536	~tl478B.tmp	58
PID 2536 wrote to memory of 336	2536	~tl478B.tmp	58
PID 2536 wrote to memory of 336	2536	~tl478B.tmp	58
PID 2536 wrote to memory of 1064	2536	~tl478B.tmp	60
PID 2536 wrote to memory of 1064	2536	~tl478B.tmp	60
PID 2536 wrote to memory of 1064	2536	~tl478B.tmp	60
PID 1064 wrote to memory of 1052	1064	svchost.exe	62
PID 1064 wrote to memory of 1052	1064	svchost.exe	62
PID 1064 wrote to memory of 1052	1064	svchost.exe	62
PID 1064 wrote to memory of 1636	1064	svchost.exe	64
PID 1064 wrote to memory of 1636	1064	svchost.exe	64
PID 1064 wrote to memory of 1636	1064	svchost.exe	64
PID 1064 wrote to memory of 2160	1064	svchost.exe	66
PID 1064 wrote to memory of 2160	1064	svchost.exe	66
PID 1064 wrote to memory of 2160	1064	svchost.exe	66
PID 1064 wrote to memory of 1144	1064	svchost.exe	68
PID 1064 wrote to memory of 1144	1064	svchost.exe	68
PID 1064 wrote to memory of 1144	1064	svchost.exe	68
PID 1064 wrote to memory of 988	1064	svchost.exe	70
PID 1064 wrote to memory of 988	1064	svchost.exe	70
PID 1064 wrote to memory of 988	1064	svchost.exe	70
PID 1064 wrote to memory of 2340	1064	svchost.exe	72
PID 1064 wrote to memory of 2340	1064	svchost.exe	72
PID 1064 wrote to memory of 2340	1064	svchost.exe	72
PID 2340 wrote to memory of 2788	2340	~tl2175.tmp	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:1940
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\~tl478B.tmp
    C:\Users\Admin\AppData\Local\Temp\~tl478B.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      PID:1668
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2688
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      4⤵
      PID:2824
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      4⤵
      Creates scheduled task(s)
      PID:336
  - - C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\system32\netsh.exe
        
        netsh int ipv4 set dynamicport tcp start=1025 num=64511
        5⤵
        
        PID:1052
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1636
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Users\Admin\AppData\Local\Temp\~tl2175.tmp
        
        C:\Users\Admin\AppData\Local\Temp\~tl2175.tmp
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\system32\netsh.exe
        
        netsh int ipv4 set dynamicport tcp start=1025 num=64511
        6⤵
        
        PID:2788
      - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:864
      - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812

C:\Windows\system32\taskeng.exe
taskeng.exe {DFB76D71-350E-427C-A0C8-249DB3A14E8F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1540
- \??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 set dynamicport tcp start=1025 num=64511
    3⤵
    - Modifies data under HKEY_USERS
    PID:1728
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:2084
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\TEMP\~tl2388.tmp
    C:\Windows\TEMP\~tl2388.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      Modifies data under HKEY_USERS
      PID:2776
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2484
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:328

C:\Windows\system32\taskeng.exe
taskeng.exe {0BDFBCDD-1744-4B4C-BA39-EA22C5642A37} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:848
- \??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 set dynamicport tcp start=1025 num=64511
    3⤵
    - Modifies data under HKEY_USERS
    PID:1756
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:1720
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\TEMP\~tl7F8C.tmp
    C:\Windows\TEMP\~tl7F8C.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      Modifies data under HKEY_USERS
      PID:2368
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2540
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~tl478B.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GJY6CX3PM342SR8DXGMU.temp

Filesize
7KB

MD5
6c837882cd2d840d6c636fd9769270d2

SHA1
d77f8c791b41b9ba43b34641e65a7c864c7d8f78

SHA256
d4634192acdb22c9fb7a763db5ef1a0e796c0cbb53965b8230ac97e66a7d6332

SHA512
d44899fc682fb1229584097e355d1e3b028546e5f1e54d10be29546fbb10647d089f09e9f47971607b250f5ffc452fa81a6238424f974ccd4340d106e6b79dcd

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
3d9e913624f11b802d45870d6f87e283

SHA1
e2555c3387e2c2a3cb8b44872c89b41b05807cc5

SHA256
404ace31a22f0f3599cc210b178869cfeb5b3a6357b2197f5806ed7992818740

SHA512
eca3ca6a4fdfa331c3624c5efc647b7b1a7242f39abb678ebe382a81d9f369ac080a0e5d5c251e7bd4577e91cef8944e0c76379780a9f260b9f4450062f3766e

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.9MB

MD5
d58f76316d52f0ce11e9868decd6932e

SHA1
b4b87314b467d6f760b12a4541b0911efd7fdb00

SHA256
5a63c92ec7c8173daf9cfe47c3a6a6a82747e596f598ded6829c06c4356c86c3

SHA512
0998c5621636c49f117ac2b3fc357e8d85b88c7fafd06b052411a71224bab85dbad82d633694301a69178d477ab25cb6ec377d1d6bcbf083d55e9b3656673e91

Download Submit
C:\Windows\system\svchost.exe

Filesize
5.3MB

MD5
5fe4ea367cee11e92ad4644d8ac3cef7

SHA1
44faea4a352b7860a9eafca82bd3c9b054b6db29

SHA256
1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

SHA512
1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

Download Submit
\Users\Admin\AppData\Local\Temp\~tl2175.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
memory/328-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/328-26-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/328-28-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/328-20-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/328-27-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/328-15-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/328-21-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/328-24-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/988-186-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/988-184-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/988-182-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/988-183-0x000007FEF52C0000-0x000007FEF5C5D000-memory.dmp

Filesize
9.6MB

Download
memory/996-68-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/996-62-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/996-60-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/996-64-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/996-63-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/996-61-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/996-59-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/1016-42-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1016-120-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1016-69-0x000000001E9C0000-0x000000001EEBC000-memory.dmp

Filesize
5.0MB

Download
memory/1064-163-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1064-165-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1064-201-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1144-67-0x00000000028DB000-0x0000000002942000-memory.dmp

Filesize
412KB

Download
memory/1144-181-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1144-66-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-65-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1144-57-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1144-56-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-171-0x000007FEF52C0000-0x000007FEF5C5D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-48-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1144-172-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1144-58-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-107-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1144-185-0x000007FEF52C0000-0x000007FEF5C5D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-51-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1144-187-0x0000000002DFB000-0x0000000002E62000-memory.dmp

Filesize
412KB

Download
memory/1144-173-0x000007FEF52C0000-0x000007FEF5C5D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-176-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1228-0-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1228-3-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1228-4-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1228-1-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1228-39-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1564-19-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1564-23-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1564-25-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/1564-22-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/1564-18-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/1564-17-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1564-16-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/1580-276-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1580-249-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1580-269-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2220-145-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2220-143-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2220-141-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2220-148-0x00000000027BB000-0x0000000002822000-memory.dmp

Filesize
412KB

Download
memory/2220-142-0x000007FEF4380000-0x000007FEF4D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-149-0x000007FEF4380000-0x000007FEF4D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-147-0x000007FEF4380000-0x000007FEF4D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2320-297-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2320-281-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2340-227-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2340-205-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2340-202-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2536-124-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2536-123-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2536-122-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2536-121-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2536-164-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2664-132-0x000007FEF4380000-0x000007FEF4D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-146-0x0000000002AFB000-0x0000000002B62000-memory.dmp

Filesize
412KB

Download
memory/2664-144-0x000007FEF4380000-0x000007FEF4D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-130-0x000007FEF4380000-0x000007FEF4D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-131-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/2664-139-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/2664-140-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download