a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
597s
max time network
598s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 10 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

3484 netsh.exe
1948 netsh.exe
4400 netsh.exe
2092 netsh.exe
5016 netsh.exe
2512 netsh.exe
4284 netsh.exe
2284 netsh.exe
2248 netsh.exe
4284 netsh.exe
Executes dropped EXE 6 IoCs

Processes:

svchost.exe~tlE39B.tmpsvchost.exe~tlBC19.tmpsvchost.exe~tlBF66.tmp

pid process

4860 svchost.exe
4676 ~tlE39B.tmp
1656 svchost.exe
204 ~tlBC19.tmp
2420 svchost.exe
4652 ~tlBF66.tmp

pid	process
3484	netsh.exe
1948	netsh.exe
4400	netsh.exe
2092	netsh.exe
5016	netsh.exe
2512	netsh.exe
4284	netsh.exe
2284	netsh.exe
2248	netsh.exe
4284	netsh.exe

pid	process
4860	svchost.exe
4676	~tlE39B.tmp
1656	svchost.exe
204	~tlBC19.tmp
2420	svchost.exe
4652	~tlBF66.tmp

Drops file in System32 directory 10 IoCs

Processes:

~tlBF66.tmpsvchost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlBF66.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlBF66.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

~tlE39B.tmpsvchost.exesvchost.exetmp.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	~tlE39B.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tlE39B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1924 schtasks.exe
1344 schtasks.exe

pid	process
1924	schtasks.exe
1344	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exepowershell.exepowershell.exepowershell.exepowershell.exe~tlBF66.tmpnetsh.exesvchost.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tlBF66.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	~tlBF66.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	~tlBF66.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tlE39B.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlBC19.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlBF66.tmppowershell.exepowershell.exe

pid	process
204	powershell.exe
204	powershell.exe
204	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4192	tmp.exe
4192	tmp.exe
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe
4676	~tlE39B.tmp
4676	~tlE39B.tmp
1612	powershell.exe
1612	powershell.exe
4684	powershell.exe
4684	powershell.exe
1612	powershell.exe
4684	powershell.exe
4676	~tlE39B.tmp
4676	~tlE39B.tmp
1656	svchost.exe
1656	svchost.exe
2928	powershell.exe
2928	powershell.exe
4560	powershell.exe
2928	powershell.exe
4560	powershell.exe
4560	powershell.exe
204	~tlBC19.tmp
204	~tlBC19.tmp
3128	powershell.exe
3128	powershell.exe
504	powershell.exe
504	powershell.exe
3128	powershell.exe
504	powershell.exe
2420	svchost.exe
2420	svchost.exe
3068	powershell.exe
4460	powershell.exe
4460	powershell.exe
3068	powershell.exe
3068	powershell.exe
4460	powershell.exe
4652	~tlBF66.tmp
4652	~tlBF66.tmp
604	powershell.exe
604	powershell.exe
2148	powershell.exe
604	powershell.exe
2148	powershell.exe
2148	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	204	powershell.exe
Token: SeIncreaseQuotaPrivilege	204	powershell.exe
Token: SeSecurityPrivilege	204	powershell.exe
Token: SeTakeOwnershipPrivilege	204	powershell.exe
Token: SeLoadDriverPrivilege	204	powershell.exe
Token: SeSystemProfilePrivilege	204	powershell.exe
Token: SeSystemtimePrivilege	204	powershell.exe
Token: SeProfSingleProcessPrivilege	204	powershell.exe
Token: SeIncBasePriorityPrivilege	204	powershell.exe
Token: SeCreatePagefilePrivilege	204	powershell.exe
Token: SeBackupPrivilege	204	powershell.exe
Token: SeRestorePrivilege	204	powershell.exe
Token: SeShutdownPrivilege	204	powershell.exe
Token: SeDebugPrivilege	204	powershell.exe
Token: SeSystemEnvironmentPrivilege	204	powershell.exe
Token: SeRemoteShutdownPrivilege	204	powershell.exe
Token: SeUndockPrivilege	204	powershell.exe
Token: SeManageVolumePrivilege	204	powershell.exe
Token: 33	204	powershell.exe
Token: 34	204	powershell.exe
Token: 35	204	powershell.exe
Token: 36	204	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeIncreaseQuotaPrivilege	4520	powershell.exe
Token: SeSecurityPrivilege	4520	powershell.exe
Token: SeTakeOwnershipPrivilege	4520	powershell.exe
Token: SeLoadDriverPrivilege	4520	powershell.exe
Token: SeSystemProfilePrivilege	4520	powershell.exe
Token: SeSystemtimePrivilege	4520	powershell.exe
Token: SeProfSingleProcessPrivilege	4520	powershell.exe
Token: SeIncBasePriorityPrivilege	4520	powershell.exe
Token: SeCreatePagefilePrivilege	4520	powershell.exe
Token: SeBackupPrivilege	4520	powershell.exe
Token: SeRestorePrivilege	4520	powershell.exe
Token: SeShutdownPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeSystemEnvironmentPrivilege	4520	powershell.exe
Token: SeRemoteShutdownPrivilege	4520	powershell.exe
Token: SeUndockPrivilege	4520	powershell.exe
Token: SeManageVolumePrivilege	4520	powershell.exe
Token: 33	4520	powershell.exe
Token: 34	4520	powershell.exe
Token: 35	4520	powershell.exe
Token: 36	4520	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	powershell.exe
Token: SeSecurityPrivilege	1612	powershell.exe
Token: SeTakeOwnershipPrivilege	1612	powershell.exe
Token: SeLoadDriverPrivilege	1612	powershell.exe
Token: SeSystemProfilePrivilege	1612	powershell.exe
Token: SeSystemtimePrivilege	1612	powershell.exe
Token: SeProfSingleProcessPrivilege	1612	powershell.exe
Token: SeIncBasePriorityPrivilege	1612	powershell.exe
Token: SeCreatePagefilePrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1612	powershell.exe
Token: SeRestorePrivilege	1612	powershell.exe
Token: SeShutdownPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	powershell.exe
Token: SeRemoteShutdownPrivilege	1612	powershell.exe
Token: SeUndockPrivilege	1612	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tlE39B.tmpsvchost.exe~tlBC19.tmpsvchost.exe

description	pid	process	target process
PID 4192 wrote to memory of 204	4192	tmp.exe	powershell.exe
PID 4192 wrote to memory of 204	4192	tmp.exe	powershell.exe
PID 4192 wrote to memory of 4116	4192	tmp.exe	powershell.exe
PID 4192 wrote to memory of 4116	4192	tmp.exe	powershell.exe
PID 4192 wrote to memory of 2592	4192	tmp.exe	schtasks.exe
PID 4192 wrote to memory of 2592	4192	tmp.exe	schtasks.exe
PID 4192 wrote to memory of 1924	4192	tmp.exe	schtasks.exe
PID 4192 wrote to memory of 1924	4192	tmp.exe	schtasks.exe
PID 4192 wrote to memory of 4860	4192	tmp.exe	svchost.exe
PID 4192 wrote to memory of 4860	4192	tmp.exe	svchost.exe
PID 4860 wrote to memory of 4520	4860	svchost.exe	powershell.exe
PID 4860 wrote to memory of 4520	4860	svchost.exe	powershell.exe
PID 4860 wrote to memory of 4684	4860	svchost.exe	powershell.exe
PID 4860 wrote to memory of 4684	4860	svchost.exe	powershell.exe
PID 4860 wrote to memory of 4676	4860	svchost.exe	~tlE39B.tmp
PID 4860 wrote to memory of 4676	4860	svchost.exe	~tlE39B.tmp
PID 4676 wrote to memory of 1540	4676	~tlE39B.tmp	netsh.exe
PID 4676 wrote to memory of 1540	4676	~tlE39B.tmp	netsh.exe
PID 4676 wrote to memory of 2284	4676	~tlE39B.tmp	netsh.exe
PID 4676 wrote to memory of 2284	4676	~tlE39B.tmp	netsh.exe
PID 4676 wrote to memory of 2092	4676	~tlE39B.tmp	netsh.exe
PID 4676 wrote to memory of 2092	4676	~tlE39B.tmp	netsh.exe
PID 4676 wrote to memory of 1612	4676	~tlE39B.tmp	powershell.exe
PID 4676 wrote to memory of 1612	4676	~tlE39B.tmp	powershell.exe
PID 4676 wrote to memory of 4684	4676	~tlE39B.tmp	powershell.exe
PID 4676 wrote to memory of 4684	4676	~tlE39B.tmp	powershell.exe
PID 4676 wrote to memory of 1840	4676	~tlE39B.tmp	schtasks.exe
PID 4676 wrote to memory of 1840	4676	~tlE39B.tmp	schtasks.exe
PID 4676 wrote to memory of 1344	4676	~tlE39B.tmp	schtasks.exe
PID 4676 wrote to memory of 1344	4676	~tlE39B.tmp	schtasks.exe
PID 4676 wrote to memory of 1656	4676	~tlE39B.tmp	svchost.exe
PID 4676 wrote to memory of 1656	4676	~tlE39B.tmp	svchost.exe
PID 1656 wrote to memory of 3864	1656	svchost.exe	netsh.exe
PID 1656 wrote to memory of 3864	1656	svchost.exe	netsh.exe
PID 1656 wrote to memory of 2248	1656	svchost.exe	netsh.exe
PID 1656 wrote to memory of 2248	1656	svchost.exe	netsh.exe
PID 1656 wrote to memory of 5016	1656	svchost.exe	netsh.exe
PID 1656 wrote to memory of 5016	1656	svchost.exe	netsh.exe
PID 1656 wrote to memory of 2928	1656	svchost.exe	powershell.exe
PID 1656 wrote to memory of 2928	1656	svchost.exe	powershell.exe
PID 1656 wrote to memory of 4560	1656	svchost.exe	powershell.exe
PID 1656 wrote to memory of 4560	1656	svchost.exe	powershell.exe
PID 1656 wrote to memory of 204	1656	svchost.exe	~tlBC19.tmp
PID 1656 wrote to memory of 204	1656	svchost.exe	~tlBC19.tmp
PID 204 wrote to memory of 4492	204	~tlBC19.tmp	netsh.exe
PID 204 wrote to memory of 4492	204	~tlBC19.tmp	netsh.exe
PID 204 wrote to memory of 2512	204	~tlBC19.tmp	netsh.exe
PID 204 wrote to memory of 2512	204	~tlBC19.tmp	netsh.exe
PID 204 wrote to memory of 3484	204	~tlBC19.tmp	netsh.exe
PID 204 wrote to memory of 3484	204	~tlBC19.tmp	netsh.exe
PID 204 wrote to memory of 3128	204	~tlBC19.tmp	powershell.exe
PID 204 wrote to memory of 3128	204	~tlBC19.tmp	powershell.exe
PID 204 wrote to memory of 504	204	~tlBC19.tmp	powershell.exe
PID 204 wrote to memory of 504	204	~tlBC19.tmp	powershell.exe
PID 2420 wrote to memory of 1912	2420	svchost.exe	netsh.exe
PID 2420 wrote to memory of 1912	2420	svchost.exe	netsh.exe
PID 2420 wrote to memory of 1948	2420	svchost.exe	netsh.exe
PID 2420 wrote to memory of 1948	2420	svchost.exe	netsh.exe
PID 2420 wrote to memory of 4284	2420	svchost.exe	netsh.exe
PID 2420 wrote to memory of 4284	2420	svchost.exe	netsh.exe
PID 2420 wrote to memory of 3068	2420	svchost.exe	powershell.exe
PID 2420 wrote to memory of 3068	2420	svchost.exe	powershell.exe
PID 2420 wrote to memory of 4460	2420	svchost.exe	powershell.exe
PID 2420 wrote to memory of 4460	2420	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2592

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Users\Admin\AppData\Local\Temp\~tlE39B.tmp
C:\Users\Admin\AppData\Local\Temp\~tlE39B.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1540

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2284

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:1840

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3864

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2248

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:5016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Users\Admin\AppData\Local\Temp\~tlBC19.tmp
C:\Users\Admin\AppData\Local\Temp\~tlBC19.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:4492

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2512

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:504

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:1912

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1948

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Windows\TEMP\~tlBF66.tmp
C:\Windows\TEMP\~tlBF66.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4652

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:524

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4284

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
92d14a3f7847f5a713bcd7e82fd9c599

SHA1
35cd512d1b2367f7ed8c057beed9ccb19f7e6d20

SHA256
f971049b7f2093dc579294a83317ad1170669a0b4dd37e4f59cedbeb9da022ef

SHA512
7cd1185756c8b37e560f9cbbb02a4d201dbd135853c77a809da3a8379cae50bae1d57fcccb63dfd497418f0bb3dee43f030fce3d72a1f08bf0342270f0dd2aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c91d41ad0c5f83421d87953b483c3fff

SHA1
320e7920d4c85ae33b2ffb5d16a892425b158f3d

SHA256
b9b58ba12c64d47ed0224ced54475dd31b18fb3dd284a8d600bfaef1b52c937f

SHA512
451eff37931889736f614b945ae780f1af9bd969f8cbf98baca1a1ddd59c50235bf6088f92d141476e03da62e1c71bf63266bb2e06469e7e15a01e241c1e9f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9cd9a8373986f2d67e03dbecaea8b23a

SHA1
dbb3719b3a3c0771f9d7f75db438feae228f9102

SHA256
9987140816fa933e624985bb5da06350647ca45428ad32093527459bf4f483c4

SHA512
009bf7f680f930bb0a0f4e753d6a6e09ad0694bea8f4d6e7dd111ad5ab75ce0f5faa427134d3a24b6dc21239a13449424704f8230ce1d88f980980f9012ffa53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3637d2ab8b609d7d992660eea913a47c

SHA1
ab6409f7824f97421b31982aef9412c29bb41e52

SHA256
6a34349a9be0e268987fe45a5360c05bcf028efb44834e949ac5b445e117ff03

SHA512
dec52bad0b77dfb2bc999d6bfc5354abcdd2f650f0c12c13b33ad92b2afb6d7fdb1a900ac9099b0062fbd8a7b49fd10d247fd3e7a0df21229b9daa21992d30a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
80ea9effc91f2cb336d171c7c5e9d978

SHA1
e4621ca3eb3cb93e41ccc8bb6996a35ccb0311c1

SHA256
96dd96085d5ac21eed83f32e138dbe8ff813dd992ec384c15d204bd6c5a98135

SHA512
7cf0a55be90da354736e161c9b5857b959cb0add0ebae6309becd64662450140e30d0db5f22edca5d4ef4922fb23cc839e2b5e6377777a438aaf0afdef25d33a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2c2668677f1754274965457fef86e5c7

SHA1
c1d80236b3c1c090fb79677a9975e88f257ab753

SHA256
d4558a86ad40a3e15c6a66351f4ea118453cc96984c06c4e2f0f641d35412907

SHA512
7848c09d32700495efcd9198e3f83645bc3e710f60fd52ab2083c673eff75f8f3a22e1ee7748c208f0da164d2785365299ef2ddd76615b5341a69a2ce8510e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
26ab3d3c1f2b873020cd7c69875a8397

SHA1
bea26e9cb5711aeaa7a82d5d1f82d7c1cbf16e1e

SHA256
179240534feb66d72904e3f4b161b7eba9601e1462eb302f0a34da76202a37b5

SHA512
3b8dc967439e53ca1f51a02abab6143663651157dbc414591206c0416495aef30dacf69f3eceef181152835424f19147db8b4e5da2ba956662168bbbfcba652f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25mw2pky.o5i.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlBC19.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlE39B.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System\svchost.exe
Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
493B

MD5
afbd1d504046f46328def6cc60d435fb

SHA1
27207194fad24de5daeb4cf80fe3479de7e2512f

SHA256
b58ab9ec09f90050c002472a3ad147242949f894b8dac96c67960d552542593f

SHA512
0244b30b71e0481b439921f527ccea27a036d153060ae10f68347b264b471fabbb380fe9bfb1b7958f68a9c9910950f0985cf6c37e11a97c3b3b253cbdce171a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/204-542-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/204-57-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/204-30-0x0000020410AB0000-0x0000020410AC0000-memory.dmp

Filesize
64KB

Download
memory/204-540-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/204-17-0x0000020429030000-0x00000204290A6000-memory.dmp

Filesize
472KB

Download
memory/204-11-0x0000020410A00000-0x0000020410A22000-memory.dmp

Filesize
136KB

Download
memory/204-541-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/204-538-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/204-15-0x0000020410AB0000-0x0000020410AC0000-memory.dmp

Filesize
64KB

Download
memory/204-13-0x0000020410AB0000-0x0000020410AC0000-memory.dmp

Filesize
64KB

Download
memory/204-543-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/204-647-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/204-53-0x0000020410AB0000-0x0000020410AC0000-memory.dmp

Filesize
64KB

Download
memory/204-12-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-357-0x00000182A64C0000-0x00000182A64D0000-memory.dmp

Filesize
64KB

Download
memory/1612-417-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-322-0x00000182A64C0000-0x00000182A64D0000-memory.dmp

Filesize
64KB

Download
memory/1612-321-0x00000182A64C0000-0x00000182A64D0000-memory.dmp

Filesize
64KB

Download
memory/1612-318-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-410-0x00000182A64C0000-0x00000182A64D0000-memory.dmp

Filesize
64KB

Download
memory/1656-428-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1656-426-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1656-425-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1656-539-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2420-667-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2420-993-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2928-435-0x000002CCEA700000-0x000002CCEA710000-memory.dmp

Filesize
64KB

Download
memory/2928-516-0x000002CCEA700000-0x000002CCEA710000-memory.dmp

Filesize
64KB

Download
memory/2928-526-0x00007FFB5D380000-0x00007FFB5DD6C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-469-0x000002CCEA700000-0x000002CCEA710000-memory.dmp

Filesize
64KB

Download
memory/2928-434-0x000002CCEA700000-0x000002CCEA710000-memory.dmp

Filesize
64KB

Download
memory/2928-432-0x00007FFB5D380000-0x00007FFB5DD6C000-memory.dmp

Filesize
9.9MB

Download
memory/3128-546-0x00007FFB5D2D0000-0x00007FFB5DCBC000-memory.dmp

Filesize
9.9MB

Download
memory/4116-63-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4116-65-0x000001776A430000-0x000001776A440000-memory.dmp

Filesize
64KB

Download
memory/4116-64-0x000001776A430000-0x000001776A440000-memory.dmp

Filesize
64KB

Download
memory/4116-82-0x000001776A430000-0x000001776A440000-memory.dmp

Filesize
64KB

Download
memory/4116-108-0x000001776A430000-0x000001776A440000-memory.dmp

Filesize
64KB

Download
memory/4116-111-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4192-6-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4192-121-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4192-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4192-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4192-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4192-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4192-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4520-129-0x000001F9F7990000-0x000001F9F79A0000-memory.dmp

Filesize
64KB

Download
memory/4520-172-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4520-169-0x000001F9F7990000-0x000001F9F79A0000-memory.dmp

Filesize
64KB

Download
memory/4520-146-0x000001F9F7990000-0x000001F9F79A0000-memory.dmp

Filesize
64KB

Download
memory/4520-127-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4520-130-0x000001F9F7990000-0x000001F9F79A0000-memory.dmp

Filesize
64KB

Download
memory/4560-444-0x000001FDAAE40000-0x000001FDAAE50000-memory.dmp

Filesize
64KB

Download
memory/4560-480-0x000001FDAAE40000-0x000001FDAAE50000-memory.dmp

Filesize
64KB

Download
memory/4560-530-0x00007FFB5D380000-0x00007FFB5DD6C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-440-0x00007FFB5D380000-0x00007FFB5DD6C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-525-0x000001FDAAE40000-0x000001FDAAE50000-memory.dmp

Filesize
64KB

Download
memory/4560-445-0x000001FDAAE40000-0x000001FDAAE50000-memory.dmp

Filesize
64KB

Download
memory/4652-997-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4652-1314-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4676-300-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4676-427-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4676-303-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4676-301-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4676-302-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4676-315-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4684-330-0x0000028838910000-0x0000028838920000-memory.dmp

Filesize
64KB

Download
memory/4684-222-0x0000019791FB0000-0x0000019791FC0000-memory.dmp

Filesize
64KB

Download
memory/4684-327-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4684-329-0x0000028838910000-0x0000028838920000-memory.dmp

Filesize
64KB

Download
memory/4684-372-0x0000028838910000-0x0000028838920000-memory.dmp

Filesize
64KB

Download
memory/4684-412-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4684-225-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4684-407-0x0000028838910000-0x0000028838920000-memory.dmp

Filesize
64KB

Download
memory/4684-195-0x0000019791FB0000-0x0000019791FC0000-memory.dmp

Filesize
64KB

Download
memory/4684-179-0x0000019791FB0000-0x0000019791FC0000-memory.dmp

Filesize
64KB

Download
memory/4684-178-0x0000019791FB0000-0x0000019791FC0000-memory.dmp

Filesize
64KB

Download
memory/4684-176-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/4860-123-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4860-314-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4860-120-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4860-226-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download