7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1800s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (962) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1608	netsh.exe
452	netsh.exe
4576	netsh.exe
1092	netsh.exe
4132	netsh.exe
1832	netsh.exe
2828	netsh.exe
2592	netsh.exe
1168	netsh.exe
1172	netsh.exe
4944	netsh.exe
4572	netsh.exe
1424	netsh.exe
3620	netsh.exe
2756	netsh.exe
3736	netsh.exe
3092	netsh.exe
3608	netsh.exe
3996	netsh.exe
5020	netsh.exe
3532	netsh.exe
4652	netsh.exe
1556	netsh.exe
4988	netsh.exe
4752	netsh.exe
4480	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl7C55.tmpsvchost.exe~tl5F24.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	~tl7C55.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	~tl5F24.tmp

Executes dropped EXE 12 IoCs

Processes:

svchost.exe~tl7C55.tmpsvchost.exe~tl5F24.tmpsvchost.exe~tlB345.tmpsvchost.exe~tl1260.tmpsvchost.exe~tl789E.tmpsvchost.exe~tlE4A9.tmp

pid	process
1604	svchost.exe
2168	~tl7C55.tmp
3912	svchost.exe
5044	~tl5F24.tmp
5048	svchost.exe
884	~tlB345.tmp
2944	svchost.exe
3208	~tl1260.tmp
2324	svchost.exe
2888	~tl789E.tmp
5112	svchost.exe
2760	~tlE4A9.tmp

Drops file in System32 directory 31 IoCs

Processes:

powershell.exesvchost.exepowershell.exepowershell.exe~tlB345.tmpsvchost.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl1260.tmp~tl789E.tmp~tlE4A9.tmpsvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlB345.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tl1260.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl789E.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl1260.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlE4A9.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 11 IoCs

Processes:

svchost.exe~tl7C55.tmpsvchost.exesvchost_dump_SCY - Copy.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl7C55.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl7C55.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2028 schtasks.exe
1220 schtasks.exe

pid	process
2028	schtasks.exe
1220	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl1260.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	~tl1260.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl7C55.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl5F24.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlB345.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl1260.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl789E.tmp

pid	process
2388	powershell.exe
2388	powershell.exe
1580	powershell.exe
1580	powershell.exe
2388	powershell.exe
1580	powershell.exe
1784	svchost_dump_SCY - Copy.exe
1784	svchost_dump_SCY - Copy.exe
3088	powershell.exe
3088	powershell.exe
1696	powershell.exe
1696	powershell.exe
2168	~tl7C55.tmp
2168	~tl7C55.tmp
2552	powershell.exe
2552	powershell.exe
4432	powershell.exe
4432	powershell.exe
2168	~tl7C55.tmp
2168	~tl7C55.tmp
3912	svchost.exe
3912	svchost.exe
4488	powershell.exe
4488	powershell.exe
2872	powershell.exe
2872	powershell.exe
5044	~tl5F24.tmp
5044	~tl5F24.tmp
2036	powershell.exe
2036	powershell.exe
864	powershell.exe
864	powershell.exe
5048	svchost.exe
5048	svchost.exe
640	powershell.exe
640	powershell.exe
2760	powershell.exe
2760	powershell.exe
884	~tlB345.tmp
884	~tlB345.tmp
1640	powershell.exe
4004	powershell.exe
1640	powershell.exe
4004	powershell.exe
2944	svchost.exe
2944	svchost.exe
5036	powershell.exe
1232	powershell.exe
1232	powershell.exe
5036	powershell.exe
3208	~tl1260.tmp
3208	~tl1260.tmp
2324	powershell.exe
2324	powershell.exe
1272	powershell.exe
1272	powershell.exe
2324	svchost.exe
2324	svchost.exe
1608	powershell.exe
4300	powershell.exe
4300	powershell.exe
1608	powershell.exe
2888	~tl789E.tmp
2888	~tl789E.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemProfilePrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeProfSingleProcessPrivilege	4504	WMIC.exe
Token: SeIncBasePriorityPrivilege	4504	WMIC.exe
Token: SeCreatePagefilePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeDebugPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeRemoteShutdownPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 33	4504	WMIC.exe
Token: 34	4504	WMIC.exe
Token: 35	4504	WMIC.exe
Token: 36	4504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemProfilePrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeProfSingleProcessPrivilege	4504	WMIC.exe
Token: SeIncBasePriorityPrivilege	4504	WMIC.exe
Token: SeCreatePagefilePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeDebugPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeRemoteShutdownPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 33	4504	WMIC.exe
Token: 34	4504	WMIC.exe
Token: 35	4504	WMIC.exe
Token: 36	4504	WMIC.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	WMIC.exe
Token: SeSecurityPrivilege	5012	WMIC.exe
Token: SeTakeOwnershipPrivilege	5012	WMIC.exe
Token: SeLoadDriverPrivilege	5012	WMIC.exe
Token: SeSystemProfilePrivilege	5012	WMIC.exe
Token: SeSystemtimePrivilege	5012	WMIC.exe
Token: SeProfSingleProcessPrivilege	5012	WMIC.exe
Token: SeIncBasePriorityPrivilege	5012	WMIC.exe
Token: SeCreatePagefilePrivilege	5012	WMIC.exe
Token: SeBackupPrivilege	5012	WMIC.exe
Token: SeRestorePrivilege	5012	WMIC.exe
Token: SeShutdownPrivilege	5012	WMIC.exe
Token: SeDebugPrivilege	5012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5012	WMIC.exe
Token: SeRemoteShutdownPrivilege	5012	WMIC.exe
Token: SeUndockPrivilege	5012	WMIC.exe
Token: SeManageVolumePrivilege	5012	WMIC.exe
Token: 33	5012	WMIC.exe
Token: 34	5012	WMIC.exe
Token: 35	5012	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl7C55.tmpsvchost.exe~tl5F24.tmp

description	pid	process	target process
PID 1784 wrote to memory of 4504	1784	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1784 wrote to memory of 4504	1784	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1784 wrote to memory of 4944	1784	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1784 wrote to memory of 4944	1784	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1784 wrote to memory of 3092	1784	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1784 wrote to memory of 3092	1784	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1784 wrote to memory of 2388	1784	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1784 wrote to memory of 2388	1784	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1784 wrote to memory of 1580	1784	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1784 wrote to memory of 1580	1784	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1784 wrote to memory of 3716	1784	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1784 wrote to memory of 3716	1784	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1784 wrote to memory of 2028	1784	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1784 wrote to memory of 2028	1784	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1784 wrote to memory of 1604	1784	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1784 wrote to memory of 1604	1784	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1604 wrote to memory of 5012	1604	svchost.exe	WMIC.exe
PID 1604 wrote to memory of 5012	1604	svchost.exe	WMIC.exe
PID 1604 wrote to memory of 3608	1604	svchost.exe	netsh.exe
PID 1604 wrote to memory of 3608	1604	svchost.exe	netsh.exe
PID 1604 wrote to memory of 2828	1604	svchost.exe	netsh.exe
PID 1604 wrote to memory of 2828	1604	svchost.exe	netsh.exe
PID 1604 wrote to memory of 3088	1604	svchost.exe	powershell.exe
PID 1604 wrote to memory of 3088	1604	svchost.exe	powershell.exe
PID 1604 wrote to memory of 1696	1604	svchost.exe	powershell.exe
PID 1604 wrote to memory of 1696	1604	svchost.exe	powershell.exe
PID 1604 wrote to memory of 2168	1604	svchost.exe	~tl7C55.tmp
PID 1604 wrote to memory of 2168	1604	svchost.exe	~tl7C55.tmp
PID 2168 wrote to memory of 336	2168	~tl7C55.tmp	netsh.exe
PID 2168 wrote to memory of 336	2168	~tl7C55.tmp	netsh.exe
PID 2168 wrote to memory of 4576	2168	~tl7C55.tmp	netsh.exe
PID 2168 wrote to memory of 4576	2168	~tl7C55.tmp	netsh.exe
PID 2168 wrote to memory of 1608	2168	~tl7C55.tmp	netsh.exe
PID 2168 wrote to memory of 1608	2168	~tl7C55.tmp	netsh.exe
PID 2168 wrote to memory of 2552	2168	~tl7C55.tmp	powershell.exe
PID 2168 wrote to memory of 2552	2168	~tl7C55.tmp	powershell.exe
PID 2168 wrote to memory of 4432	2168	~tl7C55.tmp	powershell.exe
PID 2168 wrote to memory of 4432	2168	~tl7C55.tmp	powershell.exe
PID 2168 wrote to memory of 696	2168	~tl7C55.tmp	schtasks.exe
PID 2168 wrote to memory of 696	2168	~tl7C55.tmp	schtasks.exe
PID 2168 wrote to memory of 1220	2168	~tl7C55.tmp	schtasks.exe
PID 2168 wrote to memory of 1220	2168	~tl7C55.tmp	schtasks.exe
PID 2168 wrote to memory of 3912	2168	~tl7C55.tmp	svchost.exe
PID 2168 wrote to memory of 3912	2168	~tl7C55.tmp	svchost.exe
PID 3912 wrote to memory of 1724	3912	svchost.exe	netsh.exe
PID 3912 wrote to memory of 1724	3912	svchost.exe	netsh.exe
PID 3912 wrote to memory of 452	3912	svchost.exe	netsh.exe
PID 3912 wrote to memory of 452	3912	svchost.exe	netsh.exe
PID 3912 wrote to memory of 4988	3912	svchost.exe	netsh.exe
PID 3912 wrote to memory of 4988	3912	svchost.exe	netsh.exe
PID 3912 wrote to memory of 4488	3912	svchost.exe	powershell.exe
PID 3912 wrote to memory of 4488	3912	svchost.exe	powershell.exe
PID 3912 wrote to memory of 2872	3912	svchost.exe	powershell.exe
PID 3912 wrote to memory of 2872	3912	svchost.exe	powershell.exe
PID 3912 wrote to memory of 5044	3912	svchost.exe	~tl5F24.tmp
PID 3912 wrote to memory of 5044	3912	svchost.exe	~tl5F24.tmp
PID 5044 wrote to memory of 2172	5044	~tl5F24.tmp	netsh.exe
PID 5044 wrote to memory of 2172	5044	~tl5F24.tmp	netsh.exe
PID 5044 wrote to memory of 2592	5044	~tl5F24.tmp	netsh.exe
PID 5044 wrote to memory of 2592	5044	~tl5F24.tmp	netsh.exe
PID 5044 wrote to memory of 3620	5044	~tl5F24.tmp	netsh.exe
PID 5044 wrote to memory of 3620	5044	~tl5F24.tmp	netsh.exe
PID 5044 wrote to memory of 2036	5044	~tl5F24.tmp	powershell.exe
PID 5044 wrote to memory of 2036	5044	~tl5F24.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4944

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:3716

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2028

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3608

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Users\Admin\AppData\Local\Temp\~tl7C55.tmp
C:\Users\Admin\AppData\Local\Temp\~tl7C55.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:336

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4576

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:696

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1220

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:1724

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:452

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Users\Admin\AppData\Local\Temp\~tl5F24.tmp
C:\Users\Admin\AppData\Local\Temp\~tl5F24.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:2172

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2592

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:864

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:3188

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1092

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\TEMP\~tlB345.tmp
C:\Windows\TEMP\~tlB345.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:1708

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4572

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4004

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2964

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2756

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\TEMP\~tl1260.tmp
C:\Windows\TEMP\~tl1260.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4416

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4132

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2108

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1832

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Windows\TEMP\~tl789E.tmp
C:\Windows\TEMP\~tl789E.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3956

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1172

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4012

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5112

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:1784

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4652

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4220

C:\Windows\TEMP\~tlE4A9.tmp
C:\Windows\TEMP\~tlE4A9.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2388

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4480

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ipnu4wyu.c2y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl5F24.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl7C55.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
9bae03d3dc0f5cfd40507ee03ba5a765

SHA1
bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

SHA256
ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

SHA512
2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
12.1MB

MD5
3059b3c5671d1a391d6964f55227dc61

SHA1
0fcee11b121a0802a2ab536a9d46f7af95e504f5

SHA256
3ad102ca5a6fe13fe5f478c48018d7670083907a5a0acdad7d3e4fd24b356be2

SHA512
33cc0d520aa58b3f4acbfbd936fc42c09b52308ca25a5b406c961b572eb21588457c32f5b2d976e7c4af95d019a90727b57979bd8ba7812aae78037170495618

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg

Filesize
393KB

MD5
72e28e2092a43e0d70289f62bec20e65

SHA1
944f2b81392ee946f4767376882c5c1bda6dddb5

SHA256
6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

SHA512
31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3af6b6752764b70e843397de266e5e5

SHA1
067a680a02a8eab0ce869b9d7adcecde95668b33

SHA256
a6187a6b67113725ad9c54050be51232ee15408e6fac2b8a6166e87af04689c4

SHA512
de1e1af659dd1ebb18ca008ea3103f14b66396c7af2a0a73e999d05d5572cafbe1f84816e330953e2f4d136fecad983a03f747480c9ddb92895204b34fe232e2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0953b594264e274949d61e5195a621de

SHA1
c354e793be20a5c775f8ef8ea0070da241df01df

SHA256
3bb9454766d98b1890a7adb01511c4377c3dd6ad96e0b382f27fc38512a541e6

SHA512
6268096c32a53dc70c57e7ae73524bd5fd42b613d7e00edf3d249029af9069f831c928ab202c90e66578a00fa7a42c2431fae7b4a0399f56403847f95ed5d4e9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
293e7bf8bf86b0849f6453671979a83d

SHA1
be4cbf94c88cdd0d4f7a107cafafa93972244a62

SHA256
f346434da1c878361ffe7b32db87246404171108737a0b8a2d7c1b7b3d3ad601

SHA512
b4f4653e1cc24d177187801d14330cb078f640ed02b5c49e7974db6dff268e818713f32d21efc48f3f19eb70d946f566c44c6b1843825dd4f726f9736614b683

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
496B

MD5
46a4591e6770988bc10cf0b07702e8ab

SHA1
9d005a90e71f985d1dd2c17c559ecdb66e94a1e1

SHA256
057f72a92c45e0bda202e24a145e4ae1da77c426f79ee828e73e2541abee27ef

SHA512
b713c2afc6890a91111ef718dac8e7b2508da8659885d6c40d5fda4bacbde767a673f950c1e7302419563edab0a757ea91399535c37e2dbafbf1e5b727516448

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d32fdc79361982d867cd00f35027d489

SHA1
413721f0eb6cc66704d85c95555ee77eb4458e3b

SHA256
b89ccd4d5fabfcad9b5db0d46678efb3438571dff026327ceaf09ad4fd51190c

SHA512
1094cbec009f1cd4bb10b147aed4a91460a2f7ce2febeb476822134778f8d1444fa0ef3c9dca006bad292bd0aa0ea17077155edb147ad2d836ca15cc7a3b95b2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e428aea1e8381e89378ab3addbcf298

SHA1
5d3854328868b928a07681e749117d6f100b94e4

SHA256
fcec6e8957187a65bb03233f86174a1b38be96dad3e7091afe02c665ee025bb8

SHA512
4937f2824bd9f066342542065a9b7ee8de9667c839c5caa3b2eba3fe030ee9a2c77708cf773a3e916cde1ede8387756ee54eea64a5e60692c3d0e8aed21d2a2e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37809c5ecf523d9e6d75ccf7de40c812

SHA1
91e83f35d5aeaea0f23df11e914c1fd051f2e205

SHA256
dc50ac86a87669bac08197de9601a3305f6ebedf49c4e33014d72a5f579be261

SHA512
ba91a2bc59063119aaeed4dbf0d5d8f4346af3ab9c2dc9f0286e75550dd103bf211ea7d6ee658a58d4d3d04bb5947663bde2ed8b710e5f584e725e3f78988a46

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
192B

MD5
bf9028fdeb4afb8c895e55f809dbd992

SHA1
30cb57cc44f4e0ba9f18f7a9423779ed052d8bb8

SHA256
0d3c771d483df5f60941330e6de09475aee194e1b785b8f0933c35f96f2dd664

SHA512
3a52333a3713bd952e0897898cd84aae9f1953bcab5635a1d7d8a621af762f5a8e780a891ab54fdd8ad4a516baea1723368c5270fcbb95b84601198f7998ab3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
877cbe19207b431000ab1f991bf8ca46

SHA1
16fefd70e50230c0a26cbb00cad1016ea7745d6c

SHA256
9d70a7dc15e248b27d6bf474b86ac4ec094cc2f0d043dd125036bc2d319d4c50

SHA512
91e6a97a69cbc727d7a97abc2abe44df32d0bfb509ceecabd9fbfd0208dbd659248e05f11abed60caeb84d6f12307255379be2a4db613703e2067044724a13fa

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
836B

MD5
ecdadb22a26a495f0f3d71fc35399030

SHA1
903937535e2ce7bc93f02ecea247a97cff6f2d5c

SHA256
1282f45cb118e5809f6c6c5c05d9f6c65a95dde5c11b88516f8ea639cf7136b6

SHA512
32f166f2a32833be299be49a58913609ab442aea6f2de6f73a7924b6840fa3fff53c4072f1def95fab9d56e4e663afe879731c11a4ce176fd1a9c1e77838a27d

Download Submit
memory/640-307-0x00007FF4B8670000-0x00007FF4B8680000-memory.dmp

Filesize
64KB

Download
memory/640-265-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/640-266-0x0000014F97840000-0x0000014F97850000-memory.dmp

Filesize
64KB

Download
memory/640-296-0x0000014F97850000-0x0000014F9786C000-memory.dmp

Filesize
112KB

Download
memory/640-302-0x0000014FB2070000-0x0000014FB2125000-memory.dmp

Filesize
724KB

Download
memory/640-308-0x0000014F97840000-0x0000014F97850000-memory.dmp

Filesize
64KB

Download
memory/864-247-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/864-241-0x0000029114F20000-0x0000029114F30000-memory.dmp

Filesize
64KB

Download
memory/864-242-0x0000029114F20000-0x0000029114F30000-memory.dmp

Filesize
64KB

Download
memory/864-240-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/884-394-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/884-339-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1580-25-0x00007FFD28AE0000-0x00007FFD295A1000-memory.dmp

Filesize
10.8MB

Download
memory/1580-15-0x000002B3AECB0000-0x000002B3AECC0000-memory.dmp

Filesize
64KB

Download
memory/1580-34-0x00007FFD28AE0000-0x00007FFD295A1000-memory.dmp

Filesize
10.8MB

Download
memory/1580-27-0x000002B3AECB0000-0x000002B3AECC0000-memory.dmp

Filesize
64KB

Download
memory/1580-14-0x000002B3AECB0000-0x000002B3AECC0000-memory.dmp

Filesize
64KB

Download
memory/1604-126-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1604-76-0x0000000031C10000-0x00000000320F2000-memory.dmp

Filesize
4.9MB

Download
memory/1604-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1604-75-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1696-59-0x000001EBFB7B0000-0x000001EBFB7C0000-memory.dmp

Filesize
64KB

Download
memory/1696-60-0x000001EBFB7B0000-0x000001EBFB7C0000-memory.dmp

Filesize
64KB

Download
memory/1696-58-0x00007FFD28C70000-0x00007FFD29731000-memory.dmp

Filesize
10.8MB

Download
memory/1696-74-0x00007FFD28C70000-0x00007FFD29731000-memory.dmp

Filesize
10.8MB

Download
memory/1784-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1784-44-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1784-26-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2036-218-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/2036-244-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/2036-220-0x000002DEC9B50000-0x000002DEC9B60000-memory.dmp

Filesize
64KB

Download
memory/2036-219-0x000002DEC9B50000-0x000002DEC9B60000-memory.dmp

Filesize
64KB

Download
memory/2168-124-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2168-173-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2168-130-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2168-128-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2168-127-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2168-129-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2388-10-0x0000013EC5CA0000-0x0000013EC5CC2000-memory.dmp

Filesize
136KB

Download
memory/2388-13-0x0000013EDE2A0000-0x0000013EDE2B0000-memory.dmp

Filesize
64KB

Download
memory/2388-12-0x0000013EDE2A0000-0x0000013EDE2B0000-memory.dmp

Filesize
64KB

Download
memory/2388-33-0x00007FFD28AE0000-0x00007FFD295A1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-11-0x00007FFD28AE0000-0x00007FFD295A1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-133-0x000001BDE0AE0000-0x000001BDE0AF0000-memory.dmp

Filesize
64KB

Download
memory/2552-154-0x000001BDE0AE0000-0x000001BDE0AF0000-memory.dmp

Filesize
64KB

Download
memory/2552-156-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/2552-132-0x000001BDE0AE0000-0x000001BDE0AF0000-memory.dmp

Filesize
64KB

Download
memory/2552-131-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/2760-310-0x000001DEB2D50000-0x000001DEB2D5A000-memory.dmp

Filesize
40KB

Download
memory/2760-309-0x000001DEB2D40000-0x000001DEB2D50000-memory.dmp

Filesize
64KB

Download
memory/2760-278-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/2760-279-0x000001DEB2D40000-0x000001DEB2D50000-memory.dmp

Filesize
64KB

Download
memory/2872-198-0x000001BA5FCF0000-0x000001BA5FD00000-memory.dmp

Filesize
64KB

Download
memory/2872-204-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/2872-187-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/2872-197-0x000001BA5FCF0000-0x000001BA5FD00000-memory.dmp

Filesize
64KB

Download
memory/2872-201-0x000001BA5FCF0000-0x000001BA5FD00000-memory.dmp

Filesize
64KB

Download
memory/3088-45-0x00007FFD28C70000-0x00007FFD29731000-memory.dmp

Filesize
10.8MB

Download
memory/3088-46-0x000002ACB85D0000-0x000002ACB85E0000-memory.dmp

Filesize
64KB

Download
memory/3088-47-0x000002ACB85D0000-0x000002ACB85E0000-memory.dmp

Filesize
64KB

Download
memory/3088-71-0x00007FFD28C70000-0x00007FFD29731000-memory.dmp

Filesize
10.8MB

Download
memory/3912-171-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3912-213-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3912-172-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3912-174-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4432-144-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/4432-159-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/4488-185-0x000001337B120000-0x000001337B130000-memory.dmp

Filesize
64KB

Download
memory/4488-200-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/4488-175-0x00007FFD29580000-0x00007FFD2A041000-memory.dmp

Filesize
10.8MB

Download
memory/5044-250-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5044-216-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5044-215-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5044-214-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5044-249-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5044-212-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5044-217-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5048-334-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5048-264-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5048-328-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5048-262-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download