a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1200s
max time network
1206s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (546) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Windows Firewall 2 TTPs 10 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

2724 netsh.exe
232 netsh.exe
4924 netsh.exe
4488 netsh.exe
900 netsh.exe
4592 netsh.exe
3676 netsh.exe
1340 netsh.exe
440 netsh.exe
388 netsh.exe

pid	process
2724	netsh.exe
232	netsh.exe
4924	netsh.exe
4488	netsh.exe
900	netsh.exe
4592	netsh.exe
3676	netsh.exe
1340	netsh.exe
440	netsh.exe
388	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

~tlB203.tmptmp.exesvchost.exe~tlCCC4.tmpsvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	~tlB203.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	~tlCCC4.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exesvchost.exe~tlCCC4.tmpsvchost.exe~tlB203.tmpsvchost.exe~tlCB8E.tmp

pid process

2228 svchost.exe
3200 svchost.exe
3608 ~tlCCC4.tmp
4744 svchost.exe
1068 ~tlB203.tmp
3020 svchost.exe
2024 ~tlCB8E.tmp

pid	process
2228	svchost.exe
3200	svchost.exe
3608	~tlCCC4.tmp
4744	svchost.exe
1068	~tlB203.tmp
3020	svchost.exe
2024	~tlCB8E.tmp

Drops file in System32 directory 8 IoCs

Processes:

svchost.exepowershell.exepowershell.exe~tlCB8E.tmppowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlCB8E.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

tmp.exesvchost.exe~tlCCC4.tmpsvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tlCCC4.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tlCCC4.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2300 schtasks.exe
3412 schtasks.exe

pid	process
2300	schtasks.exe
3412	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlCB8E.tmpsvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tlCB8E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tlCB8E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	~tlCB8E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	~tlCB8E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tlCCC4.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlB203.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlCB8E.tmppowershell.exepowershell.exe

pid	process
2220	powershell.exe
2220	powershell.exe
4112	powershell.exe
4112	powershell.exe
5052	tmp.exe
5052	tmp.exe
4888	powershell.exe
4888	powershell.exe
4728	powershell.exe
4728	powershell.exe
3608	~tlCCC4.tmp
3608	~tlCCC4.tmp
4080	powershell.exe
4080	powershell.exe
764	powershell.exe
764	powershell.exe
3608	~tlCCC4.tmp
3608	~tlCCC4.tmp
4744	svchost.exe
4744	svchost.exe
3384	powershell.exe
3384	powershell.exe
3720	powershell.exe
3720	powershell.exe
1068	~tlB203.tmp
1068	~tlB203.tmp
2044	powershell.exe
4480	powershell.exe
2044	powershell.exe
4480	powershell.exe
3020	svchost.exe
3020	svchost.exe
4940	powershell.exe
2756	powershell.exe
2756	powershell.exe
4940	powershell.exe
2024	~tlCB8E.tmp
2024	~tlCB8E.tmp
444	powershell.exe
444	powershell.exe
4348	powershell.exe
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tlCCC4.tmpsvchost.exe~tlB203.tmpsvchost.exe

description	pid	process	target process
PID 5052 wrote to memory of 2220	5052	tmp.exe	powershell.exe
PID 5052 wrote to memory of 2220	5052	tmp.exe	powershell.exe
PID 5052 wrote to memory of 4112	5052	tmp.exe	powershell.exe
PID 5052 wrote to memory of 4112	5052	tmp.exe	powershell.exe
PID 5052 wrote to memory of 2936	5052	tmp.exe	schtasks.exe
PID 5052 wrote to memory of 2936	5052	tmp.exe	schtasks.exe
PID 5052 wrote to memory of 2300	5052	tmp.exe	schtasks.exe
PID 5052 wrote to memory of 2300	5052	tmp.exe	schtasks.exe
PID 5052 wrote to memory of 2228	5052	tmp.exe	svchost.exe
PID 5052 wrote to memory of 2228	5052	tmp.exe	svchost.exe
PID 2228 wrote to memory of 4888	2228	svchost.exe	powershell.exe
PID 2228 wrote to memory of 4888	2228	svchost.exe	powershell.exe
PID 2228 wrote to memory of 4728	2228	svchost.exe	powershell.exe
PID 2228 wrote to memory of 4728	2228	svchost.exe	powershell.exe
PID 2228 wrote to memory of 3608	2228	svchost.exe	~tlCCC4.tmp
PID 2228 wrote to memory of 3608	2228	svchost.exe	~tlCCC4.tmp
PID 3608 wrote to memory of 116	3608	~tlCCC4.tmp	netsh.exe
PID 3608 wrote to memory of 116	3608	~tlCCC4.tmp	netsh.exe
PID 3608 wrote to memory of 2724	3608	~tlCCC4.tmp	netsh.exe
PID 3608 wrote to memory of 2724	3608	~tlCCC4.tmp	netsh.exe
PID 3608 wrote to memory of 4592	3608	~tlCCC4.tmp	netsh.exe
PID 3608 wrote to memory of 4592	3608	~tlCCC4.tmp	netsh.exe
PID 3608 wrote to memory of 4080	3608	~tlCCC4.tmp	powershell.exe
PID 3608 wrote to memory of 4080	3608	~tlCCC4.tmp	powershell.exe
PID 3608 wrote to memory of 764	3608	~tlCCC4.tmp	powershell.exe
PID 3608 wrote to memory of 764	3608	~tlCCC4.tmp	powershell.exe
PID 3608 wrote to memory of 4628	3608	~tlCCC4.tmp	schtasks.exe
PID 3608 wrote to memory of 4628	3608	~tlCCC4.tmp	schtasks.exe
PID 3608 wrote to memory of 3412	3608	~tlCCC4.tmp	schtasks.exe
PID 3608 wrote to memory of 3412	3608	~tlCCC4.tmp	schtasks.exe
PID 3608 wrote to memory of 4744	3608	~tlCCC4.tmp	svchost.exe
PID 3608 wrote to memory of 4744	3608	~tlCCC4.tmp	svchost.exe
PID 4744 wrote to memory of 4692	4744	svchost.exe	netsh.exe
PID 4744 wrote to memory of 4692	4744	svchost.exe	netsh.exe
PID 4744 wrote to memory of 3676	4744	svchost.exe	netsh.exe
PID 4744 wrote to memory of 3676	4744	svchost.exe	netsh.exe
PID 4744 wrote to memory of 232	4744	svchost.exe	netsh.exe
PID 4744 wrote to memory of 232	4744	svchost.exe	netsh.exe
PID 4744 wrote to memory of 3384	4744	svchost.exe	powershell.exe
PID 4744 wrote to memory of 3384	4744	svchost.exe	powershell.exe
PID 4744 wrote to memory of 3720	4744	svchost.exe	powershell.exe
PID 4744 wrote to memory of 3720	4744	svchost.exe	powershell.exe
PID 4744 wrote to memory of 1068	4744	svchost.exe	~tlB203.tmp
PID 4744 wrote to memory of 1068	4744	svchost.exe	~tlB203.tmp
PID 1068 wrote to memory of 1004	1068	~tlB203.tmp	netsh.exe
PID 1068 wrote to memory of 1004	1068	~tlB203.tmp	netsh.exe
PID 1068 wrote to memory of 1340	1068	~tlB203.tmp	netsh.exe
PID 1068 wrote to memory of 1340	1068	~tlB203.tmp	netsh.exe
PID 1068 wrote to memory of 440	1068	~tlB203.tmp	netsh.exe
PID 1068 wrote to memory of 440	1068	~tlB203.tmp	netsh.exe
PID 1068 wrote to memory of 2044	1068	~tlB203.tmp	powershell.exe
PID 1068 wrote to memory of 2044	1068	~tlB203.tmp	powershell.exe
PID 1068 wrote to memory of 4480	1068	~tlB203.tmp	powershell.exe
PID 1068 wrote to memory of 4480	1068	~tlB203.tmp	powershell.exe
PID 3020 wrote to memory of 2608	3020	svchost.exe	netsh.exe
PID 3020 wrote to memory of 2608	3020	svchost.exe	netsh.exe
PID 3020 wrote to memory of 388	3020	svchost.exe	netsh.exe
PID 3020 wrote to memory of 388	3020	svchost.exe	netsh.exe
PID 3020 wrote to memory of 4924	3020	svchost.exe	netsh.exe
PID 3020 wrote to memory of 4924	3020	svchost.exe	netsh.exe
PID 3020 wrote to memory of 4940	3020	svchost.exe	powershell.exe
PID 3020 wrote to memory of 4940	3020	svchost.exe	powershell.exe
PID 3020 wrote to memory of 2756	3020	svchost.exe	powershell.exe
PID 3020 wrote to memory of 2756	3020	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2936

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2300

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Users\Admin\AppData\Local\Temp\~tlCCC4.tmp
C:\Users\Admin\AppData\Local\Temp\~tlCCC4.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:116

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2724

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:4628

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:3412

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:4692

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3676

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Users\Admin\AppData\Local\Temp\~tlB203.tmp
C:\Users\Admin\AppData\Local\Temp\~tlB203.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1004

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1340

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2608

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:388

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\TEMP\~tlCB8E.tmp
C:\Windows\TEMP\~tlCB8E.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:5028

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4488

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
86c5bb4050b403a58a51d72e1239f472

SHA1
4c29b4c9812fdacc05840f9cf79136404d98bb18

SHA256
ce6fb9b85e91f0bbddf2c3b407459234085c5a1ad39add16060d73af1f2ecfe7

SHA512
2daf6dbd34eddd2705edd4c1864e4d9aea69281e56080f9884f43d0982399f840e03a6f85d7fb6467ac1901a8c0b027f5849222378120a9e73c045b3055b7df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6cae1cb788cb1d44853f9b6b01af6ae5

SHA1
9d64268d4ea3b6301c9e4ea779fd9420e214f210

SHA256
b8bc0283af9a4e041daedf331df4cf7ed4c96444ae08234758f6ef33056cd043

SHA512
102dccc5402113ff75532a3b565858a375c8057b27555fb6b0e1e25d8abdcb04124717d3c808ab1d6c9adb2f5006613963ee367d59dcc070608acd2c203cc5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d44ffebf70407f0441229796ba01467

SHA1
55dbacaffa698cf0386f28acb804ae0a7f86e72b

SHA256
cf50beee043d87364dbdfc079467f8fafc6782134fd3d9e7ddab1a50af53f298

SHA512
fa43622358ea73a261ed725bfc3caf5c6314eea172b2409256c5c63e308ff2ddae60a4003638263f87c77915790d3e867dab8ff98dc737fd5e8dc48464d9a504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9293ef980c925abe33d940554ed8575

SHA1
9b6d85f2595f7fd4923f52b21ab7607279066969

SHA256
8313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe

SHA512
2003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07a771c4f31f62b2d04e2befaa36dce7

SHA1
662952ede6c1acbb575e8149a5ac2f08edade811

SHA256
a2df2570980e1123d9af8e12a27a82d3a4d332f0e7dd44e4e225743207c099b3

SHA512
9e339a2d0bfaf5bbe5252f69061652c5880fe1233930830ca7190a65516366e05129907b1656a6790c0093ad82ac73ddee6738d0b78ecb1e3d888f467b889fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d35mvisc.wi5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlB203.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlCCC4.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
612B

MD5
1b9a646b11a0efe01dd4125771aa15c7

SHA1
aef669e0aec8527dcd25b6dc6128d2b20441c97f

SHA256
5f2c16d97bd683696d6f1e261c6d8c4e09a7c21b03fc8752802a00fde9ec2801

SHA512
96aefc0558e52ec8f65b8a93d99197e493dd44c492fe0bce520b874c2a060cceae76e1e18adc67cce375c2a2406d8456136adad99e2c0b0923e26a5f9111017e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3af6b6752764b70e843397de266e5e5

SHA1
067a680a02a8eab0ce869b9d7adcecde95668b33

SHA256
a6187a6b67113725ad9c54050be51232ee15408e6fac2b8a6166e87af04689c4

SHA512
de1e1af659dd1ebb18ca008ea3103f14b66396c7af2a0a73e999d05d5572cafbe1f84816e330953e2f4d136fecad983a03f747480c9ddb92895204b34fe232e2

Download Submit
memory/764-212-0x000002026F0B0000-0x000002026F0C0000-memory.dmp

Filesize
64KB

Download
memory/764-197-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/764-198-0x000002026F0B0000-0x000002026F0C0000-memory.dmp

Filesize
64KB

Download
memory/764-215-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/1068-304-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-272-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-271-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-273-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-268-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-305-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2044-297-0x00000196A4CC0000-0x00000196A4CD0000-memory.dmp

Filesize
64KB

Download
memory/2044-274-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/2044-300-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/2220-23-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/2220-20-0x00000208CB710000-0x00000208CB720000-memory.dmp

Filesize
64KB

Download
memory/2220-18-0x00000208CB710000-0x00000208CB720000-memory.dmp

Filesize
64KB

Download
memory/2220-19-0x00000208CB710000-0x00000208CB720000-memory.dmp

Filesize
64KB

Download
memory/2220-17-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/2220-16-0x00000208E5FC0000-0x00000208E5FE2000-memory.dmp

Filesize
136KB

Download
memory/2228-55-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2228-182-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2228-52-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2228-89-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/3020-337-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3020-335-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3200-160-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3200-162-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3200-163-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3384-256-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/3384-252-0x0000025534200000-0x0000025534210000-memory.dmp

Filesize
64KB

Download
memory/3384-254-0x0000025534200000-0x0000025534210000-memory.dmp

Filesize
64KB

Download
memory/3384-230-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/3384-231-0x0000025534200000-0x0000025534210000-memory.dmp

Filesize
64KB

Download
memory/3608-171-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3608-170-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3608-169-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3608-168-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3608-228-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3608-183-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3720-253-0x0000028EF3E40000-0x0000028EF3E50000-memory.dmp

Filesize
64KB

Download
memory/3720-260-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/3720-257-0x0000028EF3E40000-0x0000028EF3E50000-memory.dmp

Filesize
64KB

Download
memory/3720-242-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/4080-195-0x00000196600C0000-0x00000196600D0000-memory.dmp

Filesize
64KB

Download
memory/4080-210-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/4080-208-0x00000196600C0000-0x00000196600D0000-memory.dmp

Filesize
64KB

Download
memory/4080-194-0x00000196600C0000-0x00000196600D0000-memory.dmp

Filesize
64KB

Download
memory/4080-193-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/4112-40-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/4112-38-0x000002DD45430000-0x000002DD45440000-memory.dmp

Filesize
64KB

Download
memory/4112-25-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/4112-31-0x000002DD45430000-0x000002DD45440000-memory.dmp

Filesize
64KB

Download
memory/4112-36-0x000002DD45430000-0x000002DD45440000-memory.dmp

Filesize
64KB

Download
memory/4480-294-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/4480-295-0x0000020A3B540000-0x0000020A3B550000-memory.dmp

Filesize
64KB

Download
memory/4480-303-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/4480-296-0x0000020A3B540000-0x0000020A3B550000-memory.dmp

Filesize
64KB

Download
memory/4728-86-0x000002D12D9E0000-0x000002D12D9F0000-memory.dmp

Filesize
64KB

Download
memory/4728-73-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/4728-88-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/4728-78-0x000002D12D9E0000-0x000002D12D9F0000-memory.dmp

Filesize
64KB

Download
memory/4728-79-0x000002D12D9E0000-0x000002D12D9F0000-memory.dmp

Filesize
64KB

Download
memory/4728-85-0x000002D12D9E0000-0x000002D12D9F0000-memory.dmp

Filesize
64KB

Download
memory/4744-226-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4744-269-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4744-229-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4888-71-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/4888-66-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Filesize
10.8MB

Download
memory/4888-69-0x000001DB26890000-0x000001DB268A0000-memory.dmp

Filesize
64KB

Download
memory/4888-68-0x000001DB26890000-0x000001DB268A0000-memory.dmp

Filesize
64KB

Download
memory/4888-67-0x000001DB26890000-0x000001DB268A0000-memory.dmp

Filesize
64KB

Download
memory/4940-339-0x00007FFB1D7D0000-0x00007FFB1E291000-memory.dmp

Filesize
10.8MB

Download
memory/5052-53-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/5052-6-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/5052-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/5052-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/5052-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/5052-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/5052-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download