a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
599s
max time network
600s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 10 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

2680 netsh.exe
2868 netsh.exe
1724 netsh.exe
2844 netsh.exe
1496 netsh.exe
1092 netsh.exe
336 netsh.exe
2684 netsh.exe
2052 netsh.exe
2940 netsh.exe
Executes dropped EXE 6 IoCs

Processes:

svchost.exe~tl437F.tmpsvchost.exe~tl1AE0.tmpsvchost.exe~tl8B20.tmp

pid process

2168 svchost.exe
2584 ~tl437F.tmp
2208 svchost.exe
1444 ~tl1AE0.tmp
2368 svchost.exe
2944 ~tl8B20.tmp

pid	process
2680	netsh.exe
2868	netsh.exe
1724	netsh.exe
2844	netsh.exe
1496	netsh.exe
1092	netsh.exe
336	netsh.exe
2684	netsh.exe
2052	netsh.exe
2940	netsh.exe

pid	process
2168	svchost.exe
2584	~tl437F.tmp
2208	svchost.exe
1444	~tl1AE0.tmp
2368	svchost.exe
2944	~tl8B20.tmp

Loads dropped DLL 11 IoCs

Processes:

tmp.exesvchost.exe~tl437F.tmpsvchost.exetaskeng.exesvchost.exe

pid	process
2932	tmp.exe
2932	tmp.exe
2168	svchost.exe
2168	svchost.exe
2584	~tl437F.tmp
2584	~tl437F.tmp
2208	svchost.exe
2208	svchost.exe
2056	taskeng.exe
2368	svchost.exe
2368	svchost.exe

Drops file in System32 directory 9 IoCs

Processes:

svchost.exepowershell.exepowershell.exepowershell.exe~tl8B20.tmppowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl8B20.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl8B20.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exe~tl437F.tmpsvchost.exesvchost.exetmp.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl437F.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl437F.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2748 schtasks.exe
944 schtasks.exe

pid	process
2748	schtasks.exe
944	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

~tl8B20.tmpsvchost.exenetsh.exenetsh.exepowershell.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-d1-1c-00-6d-56\WpadDecisionTime = 801fb256028dda01	~tl8B20.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl8B20.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	~tl8B20.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl8B20.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-d1-1c-00-6d-56\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0ce464d028dda01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl8B20.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl8B20.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-d1-1c-00-6d-56\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl8B20.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-d1-1c-00-6d-56\WpadDecisionReason = "1"	~tl8B20.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-d1-1c-00-6d-56	~tl8B20.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1BEEA6A-E618-495A-8269-162956B5203E}\WpadDecisionTime = 801fb256028dda01	~tl8B20.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1BEEA6A-E618-495A-8269-162956B5203E}\WpadDecisionTime = 4003e543028dda01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1BEEA6A-E618-495A-8269-162956B5203E}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl8B20.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-d1-1c-00-6d-56\WpadDecision = "0"	~tl8B20.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-d1-1c-00-6d-56	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	~tl8B20.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tl8B20.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl8B20.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl8B20.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1BEEA6A-E618-495A-8269-162956B5203E}\WpadNetworkName = "Network 3"	~tl8B20.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1BEEA6A-E618-495A-8269-162956B5203E}\WpadNetworkName = "Network 3"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1BEEA6A-E618-495A-8269-162956B5203E}\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1BEEA6A-E618-495A-8269-162956B5203E}\ea-d1-1c-00-6d-56	~tl8B20.tmp

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tl437F.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl1AE0.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl8B20.tmppowershell.exepowershell.exe

pid	process
2564	powershell.exe
1356	powershell.exe
2932	tmp.exe
2644	powershell.exe
928	powershell.exe
2584	~tl437F.tmp
1768	powershell.exe
2752	powershell.exe
2584	~tl437F.tmp
2208	svchost.exe
2100	powershell.exe
2316	powershell.exe
1444	~tl1AE0.tmp
1996	powershell.exe
1568	powershell.exe
2368	svchost.exe
2624	powershell.exe
2632	powershell.exe
2944	~tl8B20.tmp
1824	powershell.exe
848	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tl437F.tmpsvchost.exe

description	pid	process	target process
PID 2932 wrote to memory of 2564	2932	tmp.exe	powershell.exe
PID 2932 wrote to memory of 2564	2932	tmp.exe	powershell.exe
PID 2932 wrote to memory of 2564	2932	tmp.exe	powershell.exe
PID 2932 wrote to memory of 1356	2932	tmp.exe	powershell.exe
PID 2932 wrote to memory of 1356	2932	tmp.exe	powershell.exe
PID 2932 wrote to memory of 1356	2932	tmp.exe	powershell.exe
PID 2932 wrote to memory of 2280	2932	tmp.exe	schtasks.exe
PID 2932 wrote to memory of 2280	2932	tmp.exe	schtasks.exe
PID 2932 wrote to memory of 2280	2932	tmp.exe	schtasks.exe
PID 2932 wrote to memory of 2748	2932	tmp.exe	schtasks.exe
PID 2932 wrote to memory of 2748	2932	tmp.exe	schtasks.exe
PID 2932 wrote to memory of 2748	2932	tmp.exe	schtasks.exe
PID 2932 wrote to memory of 2168	2932	tmp.exe	svchost.exe
PID 2932 wrote to memory of 2168	2932	tmp.exe	svchost.exe
PID 2932 wrote to memory of 2168	2932	tmp.exe	svchost.exe
PID 2168 wrote to memory of 2644	2168	svchost.exe	powershell.exe
PID 2168 wrote to memory of 2644	2168	svchost.exe	powershell.exe
PID 2168 wrote to memory of 2644	2168	svchost.exe	powershell.exe
PID 2168 wrote to memory of 928	2168	svchost.exe	powershell.exe
PID 2168 wrote to memory of 928	2168	svchost.exe	powershell.exe
PID 2168 wrote to memory of 928	2168	svchost.exe	powershell.exe
PID 2168 wrote to memory of 2584	2168	svchost.exe	~tl437F.tmp
PID 2168 wrote to memory of 2584	2168	svchost.exe	~tl437F.tmp
PID 2168 wrote to memory of 2584	2168	svchost.exe	~tl437F.tmp
PID 2584 wrote to memory of 2620	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2620	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2620	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2844	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2844	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2844	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2940	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2940	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 2940	2584	~tl437F.tmp	netsh.exe
PID 2584 wrote to memory of 1768	2584	~tl437F.tmp	powershell.exe
PID 2584 wrote to memory of 1768	2584	~tl437F.tmp	powershell.exe
PID 2584 wrote to memory of 1768	2584	~tl437F.tmp	powershell.exe
PID 2584 wrote to memory of 2752	2584	~tl437F.tmp	powershell.exe
PID 2584 wrote to memory of 2752	2584	~tl437F.tmp	powershell.exe
PID 2584 wrote to memory of 2752	2584	~tl437F.tmp	powershell.exe
PID 2584 wrote to memory of 2008	2584	~tl437F.tmp	schtasks.exe
PID 2584 wrote to memory of 2008	2584	~tl437F.tmp	schtasks.exe
PID 2584 wrote to memory of 2008	2584	~tl437F.tmp	schtasks.exe
PID 2584 wrote to memory of 944	2584	~tl437F.tmp	schtasks.exe
PID 2584 wrote to memory of 944	2584	~tl437F.tmp	schtasks.exe
PID 2584 wrote to memory of 944	2584	~tl437F.tmp	schtasks.exe
PID 2584 wrote to memory of 2208	2584	~tl437F.tmp	svchost.exe
PID 2584 wrote to memory of 2208	2584	~tl437F.tmp	svchost.exe
PID 2584 wrote to memory of 2208	2584	~tl437F.tmp	svchost.exe
PID 2208 wrote to memory of 700	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 700	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 700	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 1496	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 1496	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 1496	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 1092	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 1092	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 1092	2208	svchost.exe	netsh.exe
PID 2208 wrote to memory of 2100	2208	svchost.exe	powershell.exe
PID 2208 wrote to memory of 2100	2208	svchost.exe	powershell.exe
PID 2208 wrote to memory of 2100	2208	svchost.exe	powershell.exe
PID 2208 wrote to memory of 2316	2208	svchost.exe	powershell.exe
PID 2208 wrote to memory of 2316	2208	svchost.exe	powershell.exe
PID 2208 wrote to memory of 2316	2208	svchost.exe	powershell.exe
PID 2208 wrote to memory of 1444	2208	svchost.exe	~tl1AE0.tmp

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2280

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2748

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Users\Admin\AppData\Local\Temp\~tl437F.tmp
C:\Users\Admin\AppData\Local\Temp\~tl437F.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2620

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2844

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2008

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:944

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:700

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1496

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Users\Admin\AppData\Local\Temp\~tl1AE0.tmp
C:\Users\Admin\AppData\Local\Temp\~tl1AE0.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:2568

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:336

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\taskeng.exe
taskeng.exe {2584E277-6137-414A-A52D-ADED94E09530} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2056

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:2208

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2680

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\TEMP\~tl8B20.tmp
C:\Windows\TEMP\~tl8B20.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
- Modifies data under HKEY_USERS
PID:1716

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2052

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9390.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl1AE0.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
326c140cd681bb0918b995deca4b75a8

SHA1
2c8100c40ce4a581787a743001858a19cd3dfe58

SHA256
bc0ed4f9854c8b0c7f5f4cb663801d6f24081597a8ff3b4f1f50032be0c5fba9

SHA512
629e564480a3f39a1912cda8932e92b69ffccac582170adf8298efa4fb0fa522c5ba0158acaee89100d5272f0049ecebedda937bc535b9a9db347a75d71118ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J7GI94R7JK0F7CQ6Z25F.temp
Filesize
7KB

MD5
2fe6b9f6c70db6e7490345ad246255a4

SHA1
d1cf405cec2559a31e0c8c9fa06a53cac7fb99b0

SHA256
f6b7e6d3aaf98d7e1d4cf22c92d471546c952cd0206c522df90a9e574d2a9020

SHA512
dfb3facb8c04cb68901f81d6942e688a5a250894e9dd6b388e7c50f8530258a65abaabb606ee7e6d41ce9e9ee5dde8b34ef6b3631094113bf4bdb0e4fe90b55e

Download Submit
C:\Windows\System\svchost.exe
Filesize
385KB

MD5
e4947751f6277ee8a777b9b984b83df2

SHA1
00142511fd103d3a87229efbbf1d360b9ce7af06

SHA256
e49b0873063e2765239b4dcc80b61cc0ec53d8ad6653b2b9fb08b9a62bfa9ea3

SHA512
47f436ed0ffbe80dc7893de230d1798e433ef2389de379eeb18f9c646504d1a9b0663b494ecd47d6fccbdbe0c24448a92c883b9babd8b49e6f2170c8845e006c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\~tl437F.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
\Windows\system\svchost.exe
Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
memory/928-74-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/928-71-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/928-69-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/928-70-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/928-72-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/928-73-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/928-75-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1356-32-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1356-26-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/1356-29-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/1356-28-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1356-31-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1356-30-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1356-25-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1356-33-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/1356-27-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1444-529-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1444-556-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1444-531-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1444-557-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1768-471-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-457-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1768-460-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1768-461-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-462-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1768-463-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1768-464-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1768-459-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1768-458-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-501-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2100-500-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2100-506-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2100-502-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2100-511-0x0000000002B9B000-0x0000000002C02000-memory.dmp

Filesize
412KB

Download
memory/2168-47-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2168-450-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2168-76-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/2168-45-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2168-50-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2208-494-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2208-492-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2208-528-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2316-510-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2368-594-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2368-604-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2368-579-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2564-14-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2564-13-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2564-16-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2564-15-0x0000000002BF4000-0x0000000002BF7000-memory.dmp

Filesize
12KB

Download
memory/2564-18-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2564-19-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2564-12-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2564-10-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2564-17-0x0000000002BFB000-0x0000000002C62000-memory.dmp

Filesize
412KB

Download
memory/2584-434-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2584-451-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2584-493-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2584-435-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2644-63-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2644-59-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2644-60-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2644-58-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2644-61-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2644-57-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2644-62-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2752-476-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2752-474-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-477-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2752-478-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-473-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2752-472-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-475-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2932-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2932-48-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2932-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2932-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2932-11-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2932-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2944-608-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2944-624-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2944-626-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download