7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1799s
max time network
1805s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (949) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
952	netsh.exe
1632	netsh.exe
3012	netsh.exe
744	netsh.exe
2772	netsh.exe
2644	netsh.exe
2452	netsh.exe
2320	netsh.exe
2596	netsh.exe
1504	netsh.exe
2980	netsh.exe
952	netsh.exe
1396	netsh.exe
2960	netsh.exe
1324	netsh.exe
1556	netsh.exe
2480	netsh.exe
2304	netsh.exe
2992	netsh.exe
2992	netsh.exe
2488	netsh.exe
1800	netsh.exe
2040	netsh.exe
1880	netsh.exe
3048	netsh.exe
240	netsh.exe

Executes dropped EXE 12 IoCs

Processes:

svchost.exe~tl1C38.tmpsvchost.exe~tlF91E.tmpsvchost.exe~tl3498.tmpsvchost.exe~tl9454.tmpsvchost.exe~tlFD53.tmpsvchost.exe~tl6864.tmp

pid	process
1120	svchost.exe
2696	~tl1C38.tmp
2000	svchost.exe
1744	~tlF91E.tmp
904	svchost.exe
2184	~tl3498.tmp
1860	svchost.exe
2740	~tl9454.tmp
1956	svchost.exe
328	~tlFD53.tmp
2300	svchost.exe
2052	~tl6864.tmp

Loads dropped DLL 20 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl1C38.tmpsvchost.exetaskeng.exesvchost.exetaskeng.exesvchost.exetaskeng.exesvchost.exetaskeng.exesvchost.exe

pid	process
1904	svchost_dump_SCY - Copy.exe
1904	svchost_dump_SCY - Copy.exe
1120	svchost.exe
1120	svchost.exe
2696	~tl1C38.tmp
2696	~tl1C38.tmp
2000	svchost.exe
2000	svchost.exe
2532	taskeng.exe
904	svchost.exe
904	svchost.exe
1068	taskeng.exe
1860	svchost.exe
1860	svchost.exe
2580	taskeng.exe
1956	svchost.exe
1956	svchost.exe
1496	taskeng.exe
2300	svchost.exe
2300	svchost.exe

Drops file in System32 directory 39 IoCs

Processes:

powershell.exesvchost.exepowershell.exepowershell.exepowershell.exe~tl3498.tmpsvchost.exesvchost.exe~tlFD53.tmp~tl6864.tmppowershell.exe~tl9454.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl3498.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm	~tlFD53.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm	~tl6864.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl9454.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlFD53.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl6864.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl3498.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl6864.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl9454.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlFD53.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Drops file in Windows directory 11 IoCs

Processes:

svchost_dump_SCY - Copy.exe~tl1C38.tmpsvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	~tl1C38.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl1C38.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2404 schtasks.exe
2564 schtasks.exe

pid	process
2404	schtasks.exe
2564	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

~tlFD53.tmp~tl6864.tmpsvchost.exenetsh.exe~tl3498.tmp~tl9454.tmpnetsh.exenetsh.exesvchost.exesvchost.exenetsh.exesvchost.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tlFD53.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl6864.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}	~tl6864.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl6864.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\WpadDecisionTime = 704100274d8ada01	~tl3498.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\WpadDecisionReason = "1"	~tl9454.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\WpadNetworkName = "Network 3"	~tlFD53.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\WpadDecisionTime = 90a1690f4e8ada01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl6864.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19\WpadDetectedUrl	~tl9454.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl6864.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl3498.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19\WpadDecisionTime = 30d7b6094f8ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19\WpadDecisionTime = 30d7b6094f8ada01	~tlFD53.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19\WpadDecisionTime = d03c02154d8ada01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	~tl3498.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tlFD53.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19\WpadDecisionTime = 50920d04508ada01	~tl6864.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl3498.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\56-c6-03-02-d5-19	~tl3498.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\56-c6-03-02-d5-19	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl9454.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl6864.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-c6-03-02-d5-19\WpadDecisionTime = d03c02154d8ada01	~tl3498.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl3498.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C549D6C-5D4C-457A-A5BC-E225EBA36F33}\WpadDecision = "0"	~tlFD53.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tl3498.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl9454.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tlFD53.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl1C38.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlF91E.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl3498.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl9454.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlFD53.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl6864.tmppowershell.exepowershell.exe

pid	process
2612	powershell.exe
2444	powershell.exe
1904	svchost_dump_SCY - Copy.exe
1724	powershell.exe
2060	powershell.exe
2696	~tl1C38.tmp
1068	powershell.exe
1112	powershell.exe
2696	~tl1C38.tmp
2000	svchost.exe
2528	powershell.exe
1648	powershell.exe
1744	~tlF91E.tmp
2176	powershell.exe
1228	powershell.exe
904	svchost.exe
1736	powershell.exe
2412	powershell.exe
2184	~tl3498.tmp
544	powershell.exe
2976	powershell.exe
1860	svchost.exe
2488	powershell.exe
3036	powershell.exe
2740	~tl9454.tmp
1076	powershell.exe
2028	powershell.exe
1956	svchost.exe
1624	powershell.exe
2936	powershell.exe
328	~tlFD53.tmp
2024	powershell.exe
2028	powershell.exe
2300	svchost.exe
2312	powershell.exe
1228	powershell.exe
2052	~tl6864.tmp
1112	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeIncreaseQuotaPrivilege	940	WMIC.exe
Token: SeSecurityPrivilege	940	WMIC.exe
Token: SeTakeOwnershipPrivilege	940	WMIC.exe
Token: SeLoadDriverPrivilege	940	WMIC.exe
Token: SeSystemProfilePrivilege	940	WMIC.exe
Token: SeSystemtimePrivilege	940	WMIC.exe
Token: SeProfSingleProcessPrivilege	940	WMIC.exe
Token: SeIncBasePriorityPrivilege	940	WMIC.exe
Token: SeCreatePagefilePrivilege	940	WMIC.exe
Token: SeBackupPrivilege	940	WMIC.exe
Token: SeRestorePrivilege	940	WMIC.exe
Token: SeShutdownPrivilege	940	WMIC.exe
Token: SeDebugPrivilege	940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	940	WMIC.exe
Token: SeRemoteShutdownPrivilege	940	WMIC.exe
Token: SeUndockPrivilege	940	WMIC.exe
Token: SeManageVolumePrivilege	940	WMIC.exe
Token: 33	940	WMIC.exe
Token: 34	940	WMIC.exe
Token: 35	940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	940	WMIC.exe
Token: SeSecurityPrivilege	940	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl1C38.tmp

description	pid	process	target process
PID 1904 wrote to memory of 2620	1904	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1904 wrote to memory of 2620	1904	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1904 wrote to memory of 2620	1904	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1904 wrote to memory of 2304	1904	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1904 wrote to memory of 2304	1904	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1904 wrote to memory of 2304	1904	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1904 wrote to memory of 2644	1904	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1904 wrote to memory of 2644	1904	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1904 wrote to memory of 2644	1904	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1904 wrote to memory of 2444	1904	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1904 wrote to memory of 2444	1904	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1904 wrote to memory of 2444	1904	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1904 wrote to memory of 2612	1904	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1904 wrote to memory of 2612	1904	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1904 wrote to memory of 2612	1904	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1904 wrote to memory of 1640	1904	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1904 wrote to memory of 1640	1904	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1904 wrote to memory of 1640	1904	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1904 wrote to memory of 2404	1904	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1904 wrote to memory of 2404	1904	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1904 wrote to memory of 2404	1904	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1904 wrote to memory of 1120	1904	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1904 wrote to memory of 1120	1904	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1904 wrote to memory of 1120	1904	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1120 wrote to memory of 940	1120	svchost.exe	WMIC.exe
PID 1120 wrote to memory of 940	1120	svchost.exe	WMIC.exe
PID 1120 wrote to memory of 940	1120	svchost.exe	WMIC.exe
PID 1120 wrote to memory of 2040	1120	svchost.exe	netsh.exe
PID 1120 wrote to memory of 2040	1120	svchost.exe	netsh.exe
PID 1120 wrote to memory of 2040	1120	svchost.exe	netsh.exe
PID 1120 wrote to memory of 2992	1120	svchost.exe	netsh.exe
PID 1120 wrote to memory of 2992	1120	svchost.exe	netsh.exe
PID 1120 wrote to memory of 2992	1120	svchost.exe	netsh.exe
PID 1120 wrote to memory of 1724	1120	svchost.exe	powershell.exe
PID 1120 wrote to memory of 1724	1120	svchost.exe	powershell.exe
PID 1120 wrote to memory of 1724	1120	svchost.exe	powershell.exe
PID 1120 wrote to memory of 2060	1120	svchost.exe	powershell.exe
PID 1120 wrote to memory of 2060	1120	svchost.exe	powershell.exe
PID 1120 wrote to memory of 2060	1120	svchost.exe	powershell.exe
PID 1120 wrote to memory of 2696	1120	svchost.exe	~tl1C38.tmp
PID 1120 wrote to memory of 2696	1120	svchost.exe	~tl1C38.tmp
PID 1120 wrote to memory of 2696	1120	svchost.exe	~tl1C38.tmp
PID 2696 wrote to memory of 2872	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 2872	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 2872	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 2992	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 2992	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 2992	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 1504	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 1504	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 1504	2696	~tl1C38.tmp	netsh.exe
PID 2696 wrote to memory of 1068	2696	~tl1C38.tmp	powershell.exe
PID 2696 wrote to memory of 1068	2696	~tl1C38.tmp	powershell.exe
PID 2696 wrote to memory of 1068	2696	~tl1C38.tmp	powershell.exe
PID 2696 wrote to memory of 1112	2696	~tl1C38.tmp	powershell.exe
PID 2696 wrote to memory of 1112	2696	~tl1C38.tmp	powershell.exe
PID 2696 wrote to memory of 1112	2696	~tl1C38.tmp	powershell.exe
PID 2696 wrote to memory of 2268	2696	~tl1C38.tmp	schtasks.exe
PID 2696 wrote to memory of 2268	2696	~tl1C38.tmp	schtasks.exe
PID 2696 wrote to memory of 2268	2696	~tl1C38.tmp	schtasks.exe
PID 2696 wrote to memory of 2564	2696	~tl1C38.tmp	schtasks.exe
PID 2696 wrote to memory of 2564	2696	~tl1C38.tmp	schtasks.exe
PID 2696 wrote to memory of 2564	2696	~tl1C38.tmp	schtasks.exe
PID 2696 wrote to memory of 2000	2696	~tl1C38.tmp	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2304

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1640

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2040

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Users\Admin\AppData\Local\Temp\~tl1C38.tmp
C:\Users\Admin\AppData\Local\Temp\~tl1C38.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2872

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2992

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2268

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:944

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1880

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Users\Admin\AppData\Local\Temp\~tlF91E.tmp
C:\Users\Admin\AppData\Local\Temp\~tlF91E.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1588

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1396

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\system32\taskeng.exe
taskeng.exe {95CE68B7-2838-4B8B-9A6A-D4CEAB6F2ABE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2532

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2540

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2960

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\TEMP\~tl3498.tmp
C:\Windows\TEMP\~tl3498.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1772

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2320

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\system32\taskeng.exe
taskeng.exe {BAA608AF-48E9-448C-BCD6-1E2FC2F3D5F8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1068

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:608

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1324

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\TEMP\~tl9454.tmp
C:\Windows\TEMP\~tl9454.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1132

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:952

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\system32\taskeng.exe
taskeng.exe {621A9E8F-8CE3-4FC3-9A77-B3B01FC4BF67} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:2712

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2772

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Windows\TEMP\~tlFD53.tmp
C:\Windows\TEMP\~tlFD53.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:328

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
- Modifies data under HKEY_USERS
PID:588

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:744

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\system32\taskeng.exe
taskeng.exe {8D64F8B8-8E56-4162-8134-0EACFA889176} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:1816

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:952

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\TEMP\~tl6864.tmp
C:\Windows\TEMP\~tl6864.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2520

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1556

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3355f7db1f2a4fbe7f0e55ca64d2610

SHA1
077292aea5405137af659ea1e4fb3f95890c2649

SHA256
9c2a8c64b506dc049243a1a3109cc85d87f08166a4eea13261a25862f83bc665

SHA512
fb09e25d61ff21042983e1ee2b7de88b8d74b8a1a2388f32a11143d945f3ccc722375c6ae9eff755c6bc69f9229a5e23301ad42d1ef48251e240c81a822cde09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b18d065f6ff1b1031eac7ce180cec5c7

SHA1
0bcc14c474ad63e382cbf264583a51b172d0b327

SHA256
d532a08840f5a3d2ae7c2a467af999c3d34ada262000dfc1931882d0d4a452a5

SHA512
c901bfffce16fe5654af54725b58ee55ca3d66c0a9f40c5901ca331903085b0a20a7e46ee56b6084ad9eddb1120840c31a7a7ade0e1202df275fa2fede61ba24

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
3af58b6add70a3559c53205e4aefd0f9

SHA1
5c1a95db8a1695b14b26cb5e8ae92fea5bd9da41

SHA256
d9595b5e4bb49267b93c50334024de412c0e8a2831f2caa1102529292b9c2a7e

SHA512
21b93f9444d559aa19fd36afd939120623187fd42cf43296447cfa8794d7a72773900405b37587def2e794b7e829d337aaf5b397a8882552875a89023f104f97

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.7MB

MD5
63223a99e9eee471674ce3009d4b2539

SHA1
04356354cf2ab63ed199dacd4c61ee9408307202

SHA256
e517118f3673978f3a5d96b4823c30dbc6e70e46891db11c5778f3923adb5d9b

SHA512
314637d2d9e2b28becc36583f3fe2a2479f612dc50da596c14659b79e92b2718fc46bf726382336fe8e0643845c268c2d76d9c3c7cd9318dc3a02259ca76e6ee

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg

Filesize
393KB

MD5
72e28e2092a43e0d70289f62bec20e65

SHA1
944f2b81392ee946f4767376882c5c1bda6dddb5

SHA256
6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

SHA512
31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\~tl1C38.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
\Users\Admin\AppData\Local\Temp\~tlF91E.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
\Windows\system\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
memory/904-281-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/904-251-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1068-139-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1068-137-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1068-155-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1068-136-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1068-145-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1068-144-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1068-135-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/1068-151-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1112-150-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1112-149-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1112-147-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1112-146-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1112-152-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1112-154-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/1112-148-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1120-68-0x000000001A0B0000-0x000000001A592000-memory.dmp

Filesize
4.9MB

Download
memory/1120-59-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1120-38-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1120-126-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1648-189-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1724-47-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/1724-45-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-60-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/1724-49-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/1724-52-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1724-46-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/1724-48-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1724-50-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1724-51-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1744-236-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1744-237-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1744-208-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1744-211-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1904-37-0x000000001F130000-0x000000001F766000-memory.dmp

Filesize
6.2MB

Download
memory/1904-39-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1904-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1904-24-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1904-35-0x000000001F130000-0x000000001F766000-memory.dmp

Filesize
6.2MB

Download
memory/2000-168-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-169-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-172-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-207-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2060-66-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2060-63-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2060-67-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2060-64-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2060-62-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2060-61-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2060-65-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2184-286-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2184-303-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2444-21-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2444-10-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/2444-14-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-12-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-19-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2444-26-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-22-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2444-13-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2528-178-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-179-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2528-188-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2528-187-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-180-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2612-18-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2612-20-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2612-16-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-23-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-25-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-17-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2612-11-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2612-15-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2696-171-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2696-129-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2696-128-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2696-127-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download