a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
599s
max time network
605s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 10 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

4836 netsh.exe
3276 netsh.exe
304 netsh.exe
2996 netsh.exe
4724 netsh.exe
4092 netsh.exe
4052 netsh.exe
4476 netsh.exe
2400 netsh.exe
60 netsh.exe
Executes dropped EXE 6 IoCs

Processes:

svchost.exe~tl3CDD.tmpsvchost.exe~tl2316.tmpsvchost.exe~tlA48B.tmp

pid process

3916 svchost.exe
4940 ~tl3CDD.tmp
2116 svchost.exe
4312 ~tl2316.tmp
2220 svchost.exe
3340 ~tlA48B.tmp

pid	process
4836	netsh.exe
3276	netsh.exe
304	netsh.exe
2996	netsh.exe
4724	netsh.exe
4092	netsh.exe
4052	netsh.exe
4476	netsh.exe
2400	netsh.exe
60	netsh.exe

pid	process
3916	svchost.exe
4940	~tl3CDD.tmp
2116	svchost.exe
4312	~tl2316.tmp
2220	svchost.exe
3340	~tlA48B.tmp

Drops file in System32 directory 10 IoCs

Processes:

svchost.exe~tlA48B.tmppowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlA48B.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlA48B.tmp

Drops file in Windows directory 8 IoCs

Processes:

~tl3CDD.tmpsvchost.exesvchost.exetmp.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	~tl3CDD.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl3CDD.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2212 schtasks.exe
3048 schtasks.exe

pid	process
2212	schtasks.exe
3048	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe~tlA48B.tmpnetsh.exenetsh.exenetsh.exesvchost.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tlA48B.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tlA48B.tmp
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	~tlA48B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tl3CDD.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl2316.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlA48B.tmppowershell.exepowershell.exe

pid	process
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
4832	tmp.exe
4832	tmp.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
3396	powershell.exe
3396	powershell.exe
3396	powershell.exe
4940	~tl3CDD.tmp
4940	~tl3CDD.tmp
2876	powershell.exe
2876	powershell.exe
1748	powershell.exe
1748	powershell.exe
2876	powershell.exe
1748	powershell.exe
4940	~tl3CDD.tmp
4940	~tl3CDD.tmp
2116	svchost.exe
2116	svchost.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe
4312	~tl2316.tmp
4312	~tl2316.tmp
1800	powershell.exe
1800	powershell.exe
3644	powershell.exe
3644	powershell.exe
1800	powershell.exe
3644	powershell.exe
2220	svchost.exe
2220	svchost.exe
620	powershell.exe
2092	powershell.exe
620	powershell.exe
2092	powershell.exe
620	powershell.exe
2092	powershell.exe
3340	~tlA48B.tmp
3340	~tlA48B.tmp
1156	powershell.exe
1156	powershell.exe
2320	powershell.exe
1156	powershell.exe
2320	powershell.exe
2320	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeIncreaseQuotaPrivilege	3636	powershell.exe
Token: SeSecurityPrivilege	3636	powershell.exe
Token: SeTakeOwnershipPrivilege	3636	powershell.exe
Token: SeLoadDriverPrivilege	3636	powershell.exe
Token: SeSystemProfilePrivilege	3636	powershell.exe
Token: SeSystemtimePrivilege	3636	powershell.exe
Token: SeProfSingleProcessPrivilege	3636	powershell.exe
Token: SeIncBasePriorityPrivilege	3636	powershell.exe
Token: SeCreatePagefilePrivilege	3636	powershell.exe
Token: SeBackupPrivilege	3636	powershell.exe
Token: SeRestorePrivilege	3636	powershell.exe
Token: SeShutdownPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeSystemEnvironmentPrivilege	3636	powershell.exe
Token: SeRemoteShutdownPrivilege	3636	powershell.exe
Token: SeUndockPrivilege	3636	powershell.exe
Token: SeManageVolumePrivilege	3636	powershell.exe
Token: 33	3636	powershell.exe
Token: 34	3636	powershell.exe
Token: 35	3636	powershell.exe
Token: 36	3636	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeIncreaseQuotaPrivilege	4800	powershell.exe
Token: SeSecurityPrivilege	4800	powershell.exe
Token: SeTakeOwnershipPrivilege	4800	powershell.exe
Token: SeLoadDriverPrivilege	4800	powershell.exe
Token: SeSystemProfilePrivilege	4800	powershell.exe
Token: SeSystemtimePrivilege	4800	powershell.exe
Token: SeProfSingleProcessPrivilege	4800	powershell.exe
Token: SeIncBasePriorityPrivilege	4800	powershell.exe
Token: SeCreatePagefilePrivilege	4800	powershell.exe
Token: SeBackupPrivilege	4800	powershell.exe
Token: SeRestorePrivilege	4800	powershell.exe
Token: SeShutdownPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeSystemEnvironmentPrivilege	4800	powershell.exe
Token: SeRemoteShutdownPrivilege	4800	powershell.exe
Token: SeUndockPrivilege	4800	powershell.exe
Token: SeManageVolumePrivilege	4800	powershell.exe
Token: 33	4800	powershell.exe
Token: 34	4800	powershell.exe
Token: 35	4800	powershell.exe
Token: 36	4800	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2876	powershell.exe
Token: SeSecurityPrivilege	2876	powershell.exe
Token: SeTakeOwnershipPrivilege	2876	powershell.exe
Token: SeLoadDriverPrivilege	2876	powershell.exe
Token: SeSystemProfilePrivilege	2876	powershell.exe
Token: SeSystemtimePrivilege	2876	powershell.exe
Token: SeProfSingleProcessPrivilege	2876	powershell.exe
Token: SeIncBasePriorityPrivilege	2876	powershell.exe
Token: SeCreatePagefilePrivilege	2876	powershell.exe
Token: SeBackupPrivilege	2876	powershell.exe
Token: SeRestorePrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeSystemEnvironmentPrivilege	2876	powershell.exe
Token: SeRemoteShutdownPrivilege	2876	powershell.exe
Token: SeUndockPrivilege	2876	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tl3CDD.tmpsvchost.exe~tl2316.tmpsvchost.exe

description	pid	process	target process
PID 4832 wrote to memory of 3636	4832	tmp.exe	powershell.exe
PID 4832 wrote to memory of 3636	4832	tmp.exe	powershell.exe
PID 4832 wrote to memory of 1536	4832	tmp.exe	powershell.exe
PID 4832 wrote to memory of 1536	4832	tmp.exe	powershell.exe
PID 4832 wrote to memory of 812	4832	tmp.exe	schtasks.exe
PID 4832 wrote to memory of 812	4832	tmp.exe	schtasks.exe
PID 4832 wrote to memory of 2212	4832	tmp.exe	schtasks.exe
PID 4832 wrote to memory of 2212	4832	tmp.exe	schtasks.exe
PID 4832 wrote to memory of 3916	4832	tmp.exe	svchost.exe
PID 4832 wrote to memory of 3916	4832	tmp.exe	svchost.exe
PID 3916 wrote to memory of 4800	3916	svchost.exe	powershell.exe
PID 3916 wrote to memory of 4800	3916	svchost.exe	powershell.exe
PID 3916 wrote to memory of 3396	3916	svchost.exe	powershell.exe
PID 3916 wrote to memory of 3396	3916	svchost.exe	powershell.exe
PID 3916 wrote to memory of 4940	3916	svchost.exe	~tl3CDD.tmp
PID 3916 wrote to memory of 4940	3916	svchost.exe	~tl3CDD.tmp
PID 4940 wrote to memory of 1460	4940	~tl3CDD.tmp	netsh.exe
PID 4940 wrote to memory of 1460	4940	~tl3CDD.tmp	netsh.exe
PID 4940 wrote to memory of 304	4940	~tl3CDD.tmp	netsh.exe
PID 4940 wrote to memory of 304	4940	~tl3CDD.tmp	netsh.exe
PID 4940 wrote to memory of 4476	4940	~tl3CDD.tmp	netsh.exe
PID 4940 wrote to memory of 4476	4940	~tl3CDD.tmp	netsh.exe
PID 4940 wrote to memory of 2876	4940	~tl3CDD.tmp	powershell.exe
PID 4940 wrote to memory of 2876	4940	~tl3CDD.tmp	powershell.exe
PID 4940 wrote to memory of 1748	4940	~tl3CDD.tmp	powershell.exe
PID 4940 wrote to memory of 1748	4940	~tl3CDD.tmp	powershell.exe
PID 4940 wrote to memory of 2444	4940	~tl3CDD.tmp	schtasks.exe
PID 4940 wrote to memory of 2444	4940	~tl3CDD.tmp	schtasks.exe
PID 4940 wrote to memory of 3048	4940	~tl3CDD.tmp	schtasks.exe
PID 4940 wrote to memory of 3048	4940	~tl3CDD.tmp	schtasks.exe
PID 4940 wrote to memory of 2116	4940	~tl3CDD.tmp	svchost.exe
PID 4940 wrote to memory of 2116	4940	~tl3CDD.tmp	svchost.exe
PID 2116 wrote to memory of 8	2116	svchost.exe	netsh.exe
PID 2116 wrote to memory of 8	2116	svchost.exe	netsh.exe
PID 2116 wrote to memory of 2996	2116	svchost.exe	netsh.exe
PID 2116 wrote to memory of 2996	2116	svchost.exe	netsh.exe
PID 2116 wrote to memory of 2400	2116	svchost.exe	netsh.exe
PID 2116 wrote to memory of 2400	2116	svchost.exe	netsh.exe
PID 2116 wrote to memory of 5060	2116	svchost.exe	powershell.exe
PID 2116 wrote to memory of 5060	2116	svchost.exe	powershell.exe
PID 2116 wrote to memory of 3076	2116	svchost.exe	powershell.exe
PID 2116 wrote to memory of 3076	2116	svchost.exe	powershell.exe
PID 2116 wrote to memory of 4312	2116	svchost.exe	~tl2316.tmp
PID 2116 wrote to memory of 4312	2116	svchost.exe	~tl2316.tmp
PID 4312 wrote to memory of 3672	4312	~tl2316.tmp	netsh.exe
PID 4312 wrote to memory of 3672	4312	~tl2316.tmp	netsh.exe
PID 4312 wrote to memory of 60	4312	~tl2316.tmp	netsh.exe
PID 4312 wrote to memory of 60	4312	~tl2316.tmp	netsh.exe
PID 4312 wrote to memory of 4724	4312	~tl2316.tmp	netsh.exe
PID 4312 wrote to memory of 4724	4312	~tl2316.tmp	netsh.exe
PID 4312 wrote to memory of 1800	4312	~tl2316.tmp	powershell.exe
PID 4312 wrote to memory of 1800	4312	~tl2316.tmp	powershell.exe
PID 4312 wrote to memory of 3644	4312	~tl2316.tmp	powershell.exe
PID 4312 wrote to memory of 3644	4312	~tl2316.tmp	powershell.exe
PID 2220 wrote to memory of 4056	2220	svchost.exe	netsh.exe
PID 2220 wrote to memory of 4056	2220	svchost.exe	netsh.exe
PID 2220 wrote to memory of 4092	2220	svchost.exe	netsh.exe
PID 2220 wrote to memory of 4092	2220	svchost.exe	netsh.exe
PID 2220 wrote to memory of 4052	2220	svchost.exe	netsh.exe
PID 2220 wrote to memory of 4052	2220	svchost.exe	netsh.exe
PID 2220 wrote to memory of 2092	2220	svchost.exe	powershell.exe
PID 2220 wrote to memory of 2092	2220	svchost.exe	powershell.exe
PID 2220 wrote to memory of 620	2220	svchost.exe	powershell.exe
PID 2220 wrote to memory of 620	2220	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:812

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2212

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Users\Admin\AppData\Local\Temp\~tl3CDD.tmp
C:\Users\Admin\AppData\Local\Temp\~tl3CDD.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1460

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:304

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2444

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:3048

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:8

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2996

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Users\Admin\AppData\Local\Temp\~tl2316.tmp
C:\Users\Admin\AppData\Local\Temp\~tl2316.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:3672

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:60

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:4056

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4092

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:620

C:\Windows\TEMP\~tlA48B.tmp
C:\Windows\TEMP\~tlA48B.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:4336

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4836

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
af500f13a4d59084f0304e761c3c38ab

SHA1
528462e5dc80e8b7143656ca03f6ddd2300ea9c4

SHA256
80f6adb1de0d700b09a304bf05c9ca59021ea27bcf362fbe558bace7dbabbf08

SHA512
5abafb125f25453931349f143b771e797a0d0f9ba77322f51e60f167a6ba562e25611890f4a340ff155207f3a3736093e9cae33492758378ed21115b9a690a99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dfd512a8c5859bed6919bba7cb6dd958

SHA1
3f9f582bc02ba768e69cbdf777c43fdb185d4c83

SHA256
4e18cde8a270e6e163694c828a88950c2b6e11baeca8095dde44144b96a625fd

SHA512
46f48a214d5f1cc60b767c4685af5bf7949375388b670823ed628f55cb11617fc61e884b925df7e498a51befc114e8459a9d29bf8a01ec6242cabf0dad96a1b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fd481d829fde5903f507c3604c97b9f0

SHA1
3d5a6868b3971e2d25f58ceb60dcc3ecb5f153ab

SHA256
5545b5d1895c07a310b4bf04c1e1a780dc559acfa8a9d86344c163a554c3c565

SHA512
8c362d3d4ced6f965adff3c4aa448d8e378a1b76cc76c4a9c9fd5788adf3761679404f2f66bdfce50554722a52f963ff81476ef791e57ce380f409842b4e0fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5989952a84a41a66bc4919e86daae2d7

SHA1
315689f33a1ac3e1639e1543a9963ba5a74a9727

SHA256
c6a84da6c4c714df4813875e7f0823895ccc9bf661a80b0c2b51fb98634e3514

SHA512
35d83353c24164195872ff907a3e45b48f8bd8515b76a7370bdf5249a81be4240674a7e9cac90600bf5a0c34ff1eca321c5f851f570706fbb0cdb3da6212735e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3ab7821c216593f561c8124ee80aa01c

SHA1
9d014ddb9d72496f0f36f5091b8a10ca7ca408cb

SHA256
56244103eb19c1bedf7bd21ade2328d4b9fd1474cafb5c7d53fbd44aa10f2d65

SHA512
de57082c189520d6ff5c7d067fb4f948a285f304dd56985a8e5d5e330428daa4e4314d22c2d27b6b4a2c00c18a744b1e3f4afff11f34ae387a9eff40cf923f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ulrev2f.zdi.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl2316.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl3CDD.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System\svchost.exe
Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f8697ab13449f1dd15f9c5990a8e0db7

SHA1
74975f068982576ce7d67f8ad3785f12d0bc8e5f

SHA256
53ea421a89225f45b8d979af2973a9235ca92cd022622c9f548ddb1bfd1aa264

SHA512
5b95a3c883c2a56b8c2b84c299a44a186a11374c4451726f4ca92c6e34f34a44eeb38b06f3722169f98d1803f79310b7be9ed0ac23d05c7e1ae1b4c0174a4770

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/1536-111-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/1536-45-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/1536-52-0x000001EE6DEB0000-0x000001EE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1536-53-0x000001EE6DEB0000-0x000001EE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1536-72-0x000001EE6DEB0000-0x000001EE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1536-105-0x000001EE6DEB0000-0x000001EE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/1748-413-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-329-0x000001DED23D0000-0x000001DED23E0000-memory.dmp

Filesize
64KB

Download
memory/1748-326-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-330-0x000001DED23D0000-0x000001DED23E0000-memory.dmp

Filesize
64KB

Download
memory/1748-371-0x000001DED23D0000-0x000001DED23E0000-memory.dmp

Filesize
64KB

Download
memory/1748-408-0x000001DED23D0000-0x000001DED23E0000-memory.dmp

Filesize
64KB

Download
memory/1800-556-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-429-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2116-432-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2116-543-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2220-982-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2220-552-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2220-550-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2876-422-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-357-0x0000025CCBED0000-0x0000025CCBEE0000-memory.dmp

Filesize
64KB

Download
memory/2876-321-0x0000025CCBED0000-0x0000025CCBEE0000-memory.dmp

Filesize
64KB

Download
memory/2876-322-0x0000025CCBED0000-0x0000025CCBEE0000-memory.dmp

Filesize
64KB

Download
memory/2876-320-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-414-0x0000025CCBED0000-0x0000025CCBEE0000-memory.dmp

Filesize
64KB

Download
memory/3076-527-0x0000020447870000-0x0000020447880000-memory.dmp

Filesize
64KB

Download
memory/3076-445-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3076-533-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3076-493-0x0000020447870000-0x0000020447880000-memory.dmp

Filesize
64KB

Download
memory/3076-457-0x0000020447870000-0x0000020447880000-memory.dmp

Filesize
64KB

Download
memory/3076-456-0x0000020447870000-0x0000020447880000-memory.dmp

Filesize
64KB

Download
memory/3340-1305-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3340-1303-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3340-986-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3396-161-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3396-225-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3396-221-0x000001D46F490000-0x000001D46F4A0000-memory.dmp

Filesize
64KB

Download
memory/3396-194-0x000001D46F490000-0x000001D46F4A0000-memory.dmp

Filesize
64KB

Download
memory/3396-166-0x000001D46F490000-0x000001D46F4A0000-memory.dmp

Filesize
64KB

Download
memory/3396-167-0x000001D46F490000-0x000001D46F4A0000-memory.dmp

Filesize
64KB

Download
memory/3636-14-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3636-106-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/3636-15-0x00000288E91A0000-0x00000288E91B0000-memory.dmp

Filesize
64KB

Download
memory/3636-16-0x00000288E92B0000-0x00000288E9326000-memory.dmp

Filesize
472KB

Download
memory/3636-17-0x00000288E91A0000-0x00000288E91B0000-memory.dmp

Filesize
64KB

Download
memory/3636-30-0x00000288E91A0000-0x00000288E91B0000-memory.dmp

Filesize
64KB

Download
memory/3636-101-0x00000288E91A0000-0x00000288E91B0000-memory.dmp

Filesize
64KB

Download
memory/3636-11-0x00000288E90F0000-0x00000288E9112000-memory.dmp

Filesize
136KB

Download
memory/3916-120-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3916-314-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3916-226-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/3916-123-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4312-985-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4312-974-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4312-551-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4312-546-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4312-545-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4312-542-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4800-178-0x00000253F3940000-0x00000253F3950000-memory.dmp

Filesize
64KB

Download
memory/4800-128-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/4800-146-0x00000253F3940000-0x00000253F3950000-memory.dmp

Filesize
64KB

Download
memory/4800-130-0x00000253F3940000-0x00000253F3950000-memory.dmp

Filesize
64KB

Download
memory/4800-129-0x00000253F3940000-0x00000253F3950000-memory.dmp

Filesize
64KB

Download
memory/4800-190-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/4832-9-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4832-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4832-121-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4832-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4832-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4832-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4832-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4940-302-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4940-315-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4940-431-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4940-303-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4940-300-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4940-301-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5060-463-0x000001F033C40000-0x000001F033C50000-memory.dmp

Filesize
64KB

Download
memory/5060-439-0x000001F033C40000-0x000001F033C50000-memory.dmp

Filesize
64KB

Download
memory/5060-534-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download
memory/5060-438-0x000001F033C40000-0x000001F033C50000-memory.dmp

Filesize
64KB

Download
memory/5060-520-0x000001F033C40000-0x000001F033C50000-memory.dmp

Filesize
64KB

Download
memory/5060-436-0x00007FFB2F260000-0x00007FFB2FC4C000-memory.dmp

Filesize
9.9MB

Download