5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
4s
max time network
153s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Size

1.9MB
MD5

34655ac11b4f6a8d6f1ea8e2fbbe0676
SHA1

d17ed388047ec77145ef4c96e3760ea94985caa7
SHA256

75b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688
SHA512

2c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1712	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1712	schtasks.exe	28

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2148	powershell.exe
2812	powershell.exe
1880	powershell.exe
1680	powershell.exe
2644	powershell.exe
580	powershell.exe
2156	powershell.exe
2100	powershell.exe
1948	powershell.exe
2484	powershell.exe
3040	powershell.exe
2692	powershell.exe
2956	powershell.exe
2368	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
1864	schtasks.exe
2024	schtasks.exe
2340	schtasks.exe
1388	schtasks.exe
1840	schtasks.exe
2212	schtasks.exe
2124	schtasks.exe
1568	schtasks.exe
2076	schtasks.exe
764	schtasks.exe
2068	schtasks.exe
2820	schtasks.exe
1072	schtasks.exe
2456	schtasks.exe
1868	schtasks.exe
332	schtasks.exe
1736	schtasks.exe
1720	schtasks.exe
608	schtasks.exe
2360	schtasks.exe
2788	schtasks.exe
1140	schtasks.exe
1796	schtasks.exe
3040	schtasks.exe
2696	schtasks.exe
2396	schtasks.exe
1056	schtasks.exe
936	schtasks.exe
2504	schtasks.exe
2452	schtasks.exe
856	schtasks.exe
396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2644	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	38
PID 1900 wrote to memory of 2644	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	38
PID 1900 wrote to memory of 2644	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	38
PID 1900 wrote to memory of 2692	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	39
PID 1900 wrote to memory of 2692	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	39
PID 1900 wrote to memory of 2692	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	39
PID 1900 wrote to memory of 3040	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	40
PID 1900 wrote to memory of 3040	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	40
PID 1900 wrote to memory of 3040	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	40
PID 1900 wrote to memory of 1680	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	41
PID 1900 wrote to memory of 1680	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	41
PID 1900 wrote to memory of 1680	1900	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	41

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
"C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
  "C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe"
  2⤵
  PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MZYQImRpZ2.bat"
    3⤵
    PID:2524
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
      "C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe"
      4⤵
      PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1948
    - - C:\Windows\ehome\csrss.exe
        
        "C:\Windows\ehome\csrss.exe"
        5⤵
        
        PID:952
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abb0f1fd-edf5-45dd-85c7-638d8e4f5327.vbs"
        6⤵
        
        PID:2528
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        7⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98fca7e4-d307-4aa1-bfbf-22b2d8286309.vbs"
        8⤵
        
        PID:1800
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        9⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc9dadd-8942-42af-b620-9dd1181f2f26.vbs"
        10⤵
        
        PID:632
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        11⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74f265a8-9f2f-40aa-a7a9-4c24f48ae320.vbs"
        12⤵
        
        PID:2080
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        13⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26990a8f-5a9a-4801-9e47-777dd10ff554.vbs"
        14⤵
        
        PID:1748
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        15⤵
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca8b2141-afb2-4c46-ae9b-34d9d9a297e9.vbs"
        16⤵
        
        PID:2312
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        17⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\138f9ac2-385b-418f-a22b-eea0722b4323.vbs"
        18⤵
        
        PID:2500
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        19⤵
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f740780-25a7-49f0-acc9-38e42abdbf02.vbs"
        20⤵
        
        PID:648
        
        C:\Windows\ehome\csrss.exe
        
        C:\Windows\ehome\csrss.exe
        21⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f99aa93f-99b4-4e84-a3b5-dc4b8d5440fb.vbs"
        22⤵
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\828af219-9ec6-48b2-aae5-910e67c5d582.vbs"
        22⤵
        
        PID:1340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dc34111-f417-4166-8072-2bb94ba740ac.vbs"
        20⤵
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc71c143-2de1-400c-b8b7-61ccb79a0b43.vbs"
        18⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47b8a251-647a-47e5-8128-fc9afb12604c.vbs"
        16⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4f35a3-7d83-4616-8eeb-784f928dfd02.vbs"
        14⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bec87195-0611-4382-b22d-01b41ceeaa50.vbs"
        12⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3c18d44-3315-4230-ba93-fbfee69dab72.vbs"
        10⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\578be573-8b02-417b-aaf9-0e36a21856cf.vbs"
        8⤵
        
        PID:2240
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2894f8b4-a5ac-4c08-85bf-0983564407b3.vbs"
        6⤵
        
        PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe

Filesize
1.9MB

MD5
57926e3cf110b7ceb0560cb99f5d3400

SHA1
3cd4ba7192f468b49428be4feb6eb3c0e59ba721

SHA256
52146c77202906e180e9871efe611e93538d1638ca8d3f62f730b5bfc27c0c57

SHA512
2330b86d0799ee9672c84b4ee5b06a9f8b8c2678e7d0b833298ad112fd813b092e6f78aac4db17eb2ef4d07ac59a04ab211b4f5c5b7f96515760ccf351805e0f

Download Submit
C:\ProgramData\dwm.exe

Filesize
1.9MB

MD5
ef3db408401ca1d1d7b0c4bc9fce92be

SHA1
769f2f71d7c5f263bdb1253891c582de6dc07e8c

SHA256
eb281397d55dd80e4f3527630885d8f0cd381fe84184480cc9dd05ec96c9a822

SHA512
95a85c5c4e74e5fd6a7fffb29b7c9c508d4855344e70eafc0648e031fbd9e6c045dfa000034fa25d6dc9fb21b0752ee208efd25d173386fa671c72304c5b861c

Download Submit
C:\Users\Admin\AppData\Local\Temp\138f9ac2-385b-418f-a22b-eea0722b4323.vbs

Filesize
702B

MD5
5a027f4c3d9ff38ed611f462ce466146

SHA1
664cc702ee7570df13a259084e9646a2b687f2dc

SHA256
bcb64d63cd5233cb44c44df9cfc0a165cea6c23790a53f07799e9049ae92bd9d

SHA512
88e25135039c0ee712813ca5f8ba1439984d7947c7788d4414d214b2e26a17c38c207a3578d41d7c67cf717f07aef7c7a1def169a764dd98353257b17ab82095

Download Submit
C:\Users\Admin\AppData\Local\Temp\26990a8f-5a9a-4801-9e47-777dd10ff554.vbs

Filesize
702B

MD5
d31cb20987ce53f4ccd2ecd72ef14b39

SHA1
06129b4d2fa38ef26eb0a3e472df0944e04185b0

SHA256
7f08416fcb5821008de91b3e24ce564046a000a567b28812af6c48bba4066a99

SHA512
f74a542f545d84f2f17973bf2a945b5b4392a7024d2db4aeb84cef7495a6a5fe16368a935cee7775a50c4347b9cdd00df141cbaa760ca6ef1468e44462541bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2894f8b4-a5ac-4c08-85bf-0983564407b3.vbs

Filesize
478B

MD5
844f4e4f4464df6dd336c85f7991dde6

SHA1
9f17baf4a48b409c7cf9871a0d9bcb2f7faca80f

SHA256
58f4755700ee36d563d95169f80f1c62c6289e52d4c3d3415731d276251ee5f7

SHA512
bbdfade8813b2962c7dddd7659392c3a9315530a09f66db619cbbd5b14efba27ec92d8e3d591efbb0f92267e22319d1b75508c84991d682db8e6c48751d9c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f740780-25a7-49f0-acc9-38e42abdbf02.vbs

Filesize
701B

MD5
2f66f2b7b2c7e00cde70b33088d37e4d

SHA1
4ee30c61876f46cc7e2e81ab60c366abe4843a89

SHA256
6c7ce8fb72eb1ef21fe6c668aff826065c0eda03f4e99ccb1dc9ffab7a7e075a

SHA512
da8221decae2e8dfb885536a96cbbf9550c395766a0dc829eb280c422e56fa6c0093024a39b97b9cd22b41a20a0dcc341e11d69c4af05ffe56a083d99a271432

Download Submit
C:\Users\Admin\AppData\Local\Temp\383677fb9da9db087f07deb3b9e7710355c83852.exe

Filesize
769KB

MD5
1022861d1ac907dff443d65bf5ef6344

SHA1
940d421a9e4661b90b326762ebc1df4ee4f38ad7

SHA256
51cf01947cdff7c40e001ab1808fe98857c37b0ce25d54de8709f76b11081c7c

SHA512
4731d65b622d722c930f86c0b57905f792e2bd858fb82c4e018facb1d3a1735d15305e158cb753771095f340449af663a0190fe312c3ea5b956415bf826f240d

Download Submit
C:\Users\Admin\AppData\Local\Temp\74f265a8-9f2f-40aa-a7a9-4c24f48ae320.vbs

Filesize
702B

MD5
a34daf8108dcbfbfd141c7c42155b921

SHA1
b4698928019909f2457b9eeab7dc55fdd990f6c0

SHA256
7dc18b5a9cf7f93c9a8eb1cb5378196cc4ab9348e65c084e74f547000c599031

SHA512
cf7aa4cc593b545429a577f1503849ed9bb059af53561fe381b16e6476a68b0494b6818fee8006d8d2e409e372f9685a336b90cd7137a3600d7fc8381b29c99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fca7e4-d307-4aa1-bfbf-22b2d8286309.vbs

Filesize
702B

MD5
8bb2bc93b84846eec7cd37c697dccc86

SHA1
405a416b1afa81a4c507e7714d91d0598cad6a88

SHA256
f103d8af5064daa6be60d10147a8a2cd53735e52d396f3fd2b072018bfad0790

SHA512
e87c8c9a8284791d9402361eec7c1155d218f98380e5ec0f79eb11703e7fe05723e57166f5670a0378cb11f1716b91c1d1d05b0699d0b3e28879e7216d2ffa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZYQImRpZ2.bat

Filesize
235B

MD5
f3582d3b75151278bdaa42ff413ba732

SHA1
f799130c6a4639a9393540e75eaad6b05dd375fd

SHA256
47c8c52204dd77fc8fd10a2e379b70951c1c83383420e1f21a956a90df9e9ec3

SHA512
c07c297568903ae69bfc4c42be39c3d5e7bbd5250958e1b986cc179b766ee7881038228a2809bd5f04691290ce687f45c183e9f4c65e16a4477ec27a47029db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX9E14.tmp

Filesize
1.9MB

MD5
34655ac11b4f6a8d6f1ea8e2fbbe0676

SHA1
d17ed388047ec77145ef4c96e3760ea94985caa7

SHA256
75b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688

SHA512
2c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\abb0f1fd-edf5-45dd-85c7-638d8e4f5327.vbs

Filesize
701B

MD5
c2913b0adba4647beefbfdebee7e214f

SHA1
ac839a2756cd163b3dfd721df4e8004c7e689a8a

SHA256
550bbf7e2e6fb0ffc6587578ad486176cde533cd2a955c6e4aa842221a43359f

SHA512
d8cd9b10c1738ba5e6b12fd6879b21aaaa71db1783952079e48b772212c27bd482bf311b79230b41c9652793e693ac552aab159e312e9bea29953e8c021ee781

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca8b2141-afb2-4c46-ae9b-34d9d9a297e9.vbs

Filesize
702B

MD5
0d51525ca9d56a5d6f145075d6648bb3

SHA1
5c0cfa87c389e13cd58cb7d99eeb53121ffd11a1

SHA256
829ef727677b5e27cb593b3d54fbbb7663397434205ccf05b03778cbb3ba5f70

SHA512
e6b0fa50c05430312f0ea71998f4e279acb2ea28c59192a87af5aebd6d52b85b590e0a46b4125d8f8c1b650965832ce08e31662f9575361a96150906d0f2b922

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfc9dadd-8942-42af-b620-9dd1181f2f26.vbs

Filesize
702B

MD5
8c9ce7ac04d79a5bb94f778a7f58e0ef

SHA1
30dd6c5b723a6f04e7fce8febb3c0de7005bac4e

SHA256
d568bd7ff69a80617980cb3478c4b7243e7a2b4613d1f87fac99cc9354236998

SHA512
fca1b6f336ba53633e0363d9b01c5ab1b65383ecfffc107307ee777e167f92628a8c92284994cfb7c02eed9ec226a92cedf3d1f510851a780b48dbdb99c3e8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f99aa93f-99b4-4e84-a3b5-dc4b8d5440fb.vbs

Filesize
702B

MD5
c18eefa289d829f80750610a15342796

SHA1
acf969a66c3249a0bbe6c7689232f62c6501cd11

SHA256
c52f14625ebe5e03ebb3f0b2f75c8b12d064396de05f055e144dbf96b6a27acd

SHA512
dc556d49588becd6143bdf1d23b32ee54867cd71405e9442244f9c5c55ced9bcd7d52cff94898f9c256ae5e389dd6a30e229c1bb4e0dd10464ab775cefa3ef5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2DEA.tmp

Filesize
700B

MD5
447dcdceaa00aded7f89f2bc55f15a58

SHA1
62a9ed8915cb97a1fc931d5d12b15e8aeee05438

SHA256
9115b198c6d8d0b0c6fcfa5d949ba92a2c0a77342ac2aed89069f7b5a948131d

SHA512
5f8d4ac4420f1f4fba78e8005414a27e227c72228ae19b8aae2117a0e974599118dcb30cd1035f1a8167be188098d95d084f0fd84e5a4a0440eec76b239eefa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2DEA.tmp

Filesize
376B

MD5
5d24e6dba224cc0e030c13e295138e4d

SHA1
6749267a2b1438119eb31b464afb9f14073d8c9e

SHA256
323957a6806330f09c060ec8307d9654821c05f7eb83348c45ca880d57059a8b

SHA512
b674b58824f92e7951041874971aa79c1be0abef29796fa1cc3de1ba3d424c8fe944f152a4f6dbfe552ddd2bac419bddfcfd69044c544ffb20475a2d7236ad64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
45e4ec020837f43c7698111ad3a7ab8f

SHA1
8819b154c9f0baa9bb71e1e9e8efcf88b0cee78f

SHA256
54d9e26af49393571dafd7367e5aa5d5bf2a7551ef52ce1deca7479e4ce31fe4

SHA512
caf65d0e39c8bb1a01e245bbf1da5879324e07be571e1b4b955a873719f4b239081022fb92e0d10e67c9dc47e3a0cf96358006f5e43174de957757356b5da19d

Download Submit
C:\Windows\ehome\csrss.exe

Filesize
1.5MB

MD5
c66264cf3256b7e595e5cf66905c3092

SHA1
5ca570ed34542e9c90ef179fa275634952f87886

SHA256
136ed035a79c93a8dcc6002de685795890b2a19a19aa4c23bba380a5fa3e3ded

SHA512
4fbf66ea86250c54dd14754f1a2fe58c52c76c12e0b0514cb0bb1319afadd7fca495028454bdb482d97c26cde74e061f7eabb8b360e4b3d7072b7c6f2e6911d9

Download Submit
C:\Windows\ehome\csrss.exe

Filesize
937KB

MD5
530f8f655fa3d1fb3a94528521fc0e26

SHA1
99905d34afb9e65f666d139f9be014020535f7b9

SHA256
ff97e19c7a683bb70ccb3892d62e649dde6584ceca71c4df8f575b06c88780a5

SHA512
e8d5f70b64644547de3bef1199a19e039a90be1ce387c97aa853ba08a8d0a476a35e5a1474158e499b60b8be65753e62fff67f915122c36ee2d8ac27d263f3b2

Download Submit
memory/912-277-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/952-189-0x00000000009B0000-0x0000000000B9A000-memory.dmp

Filesize
1.9MB

Download
memory/1056-253-0x0000000001310000-0x00000000014FA000-memory.dmp

Filesize
1.9MB

Download
memory/1056-254-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/1900-18-0x000000001A830000-0x000000001A83C000-memory.dmp

Filesize
48KB

Download
memory/1900-16-0x000000001A810000-0x000000001A818000-memory.dmp

Filesize
32KB

Download
memory/1900-88-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-12-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1900-9-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/1900-1-0x0000000000130000-0x000000000031A000-memory.dmp

Filesize
1.9MB

Download
memory/1900-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-6-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/1900-7-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/1900-14-0x0000000002370000-0x000000000237A000-memory.dmp

Filesize
40KB

Download
memory/1900-15-0x000000001A800000-0x000000001A80E000-memory.dmp

Filesize
56KB

Download
memory/1900-10-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/1900-5-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/1900-8-0x00000000022D0000-0x0000000002326000-memory.dmp

Filesize
344KB

Download
memory/1900-17-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/1900-4-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/1900-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/1900-3-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download
memory/1900-13-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/2100-143-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2148-132-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2456-218-0x0000000000BC0000-0x0000000000C16000-memory.dmp

Filesize
344KB

Download
memory/2468-89-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/2600-152-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2600-151-0x0000000000360000-0x000000000054A000-memory.dmp

Filesize
1.9MB

Download
memory/2692-87-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/2696-206-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2696-205-0x0000000000D80000-0x0000000000F6A000-memory.dmp

Filesize
1.9MB

Download
memory/3024-230-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/3040-86-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download