a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1800s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (1297) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2708	netsh.exe
2480	netsh.exe
3236	netsh.exe
1408	netsh.exe
1520	netsh.exe
2084	netsh.exe
3764	netsh.exe
3288	netsh.exe
1648	netsh.exe
4488	netsh.exe
3052	netsh.exe
2256	netsh.exe
2012	netsh.exe
1784	netsh.exe
3024	netsh.exe
2484	netsh.exe
1520	netsh.exe
436	netsh.exe
1220	netsh.exe
3852	netsh.exe
1132	netsh.exe
4500	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

~tl99CB.tmptmp.exesvchost.exe~tlB92F.tmpsvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	~tl99CB.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	~tlB92F.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 12 IoCs

Processes:

svchost.exe~tlB92F.tmpsvchost.exe~tl99CB.tmpsvchost.exe~tl7165.tmpsvchost.exe~tlD6AA.tmpsvchost.exe~tl3FC7.tmpsvchost.exe~tlA838.tmp

pid	process
4556	svchost.exe
2000	~tlB92F.tmp
1436	svchost.exe
2488	~tl99CB.tmp
1348	svchost.exe
2336	~tl7165.tmp
2028	svchost.exe
2604	~tlD6AA.tmp
3084	svchost.exe
4064	~tl3FC7.tmp
3132	svchost.exe
4716	~tlA838.tmp

Drops file in System32 directory 37 IoCs

Processes:

~tl3FC7.tmpsvchost.exesvchost.exe~tlD6AA.tmppowershell.exepowershell.exe~tl7165.tmppowershell.exepowershell.exepowershell.exe~tlA838.tmppowershell.exepowershell.exesvchost.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tl3FC7.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tlD6AA.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tl7165.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl3FC7.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlA838.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[3].htm	~tl7165.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tlA838.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl7165.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlD6AA.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 11 IoCs

Processes:

svchost.exesvchost.exe~tlB92F.tmptmp.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	~tlB92F.tmp
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tlB92F.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3808 schtasks.exe
4504 schtasks.exe

pid	process
3808	schtasks.exe
4504	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exe~tlA838.tmppowershell.exe~tlD6AA.tmppowershell.exepowershell.exe~tl3FC7.tmppowershell.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tlA838.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	~tlD6AA.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	~tl3FC7.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tlB92F.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl99CB.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl7165.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlD6AA.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl3FC7.tmppowershell.exepowershell.exe

pid	process
2544	powershell.exe
2544	powershell.exe
3736	powershell.exe
3736	powershell.exe
2404	tmp.exe
2404	tmp.exe
4640	powershell.exe
4640	powershell.exe
3552	powershell.exe
3552	powershell.exe
2000	~tlB92F.tmp
2000	~tlB92F.tmp
2992	powershell.exe
2992	powershell.exe
944	powershell.exe
944	powershell.exe
2000	~tlB92F.tmp
2000	~tlB92F.tmp
1436	svchost.exe
1436	svchost.exe
1180	powershell.exe
432	powershell.exe
1180	powershell.exe
432	powershell.exe
2488	~tl99CB.tmp
2488	~tl99CB.tmp
4068	powershell.exe
4068	powershell.exe
4364	powershell.exe
4364	powershell.exe
1348	svchost.exe
1348	svchost.exe
224	powershell.exe
224	powershell.exe
1760	powershell.exe
1760	powershell.exe
2336	~tl7165.tmp
2336	~tl7165.tmp
4984	powershell.exe
3292	powershell.exe
4984	powershell.exe
3292	powershell.exe
2028	svchost.exe
2028	svchost.exe
3052	powershell.exe
1816	powershell.exe
3052	powershell.exe
1816	powershell.exe
2604	~tlD6AA.tmp
2604	~tlD6AA.tmp
1684	powershell.exe
4608	powershell.exe
1684	powershell.exe
4608	powershell.exe
3084	svchost.exe
3084	svchost.exe
4580	powershell.exe
4580	powershell.exe
3568	powershell.exe
3568	powershell.exe
4064	~tl3FC7.tmp
4064	~tl3FC7.tmp
868	powershell.exe
4700	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tlB92F.tmpsvchost.exe~tl99CB.tmpsvchost.exe

description	pid	process	target process
PID 2404 wrote to memory of 2544	2404	tmp.exe	powershell.exe
PID 2404 wrote to memory of 2544	2404	tmp.exe	powershell.exe
PID 2404 wrote to memory of 3736	2404	tmp.exe	powershell.exe
PID 2404 wrote to memory of 3736	2404	tmp.exe	powershell.exe
PID 2404 wrote to memory of 4124	2404	tmp.exe	schtasks.exe
PID 2404 wrote to memory of 4124	2404	tmp.exe	schtasks.exe
PID 2404 wrote to memory of 3808	2404	tmp.exe	schtasks.exe
PID 2404 wrote to memory of 3808	2404	tmp.exe	schtasks.exe
PID 2404 wrote to memory of 4556	2404	tmp.exe	svchost.exe
PID 2404 wrote to memory of 4556	2404	tmp.exe	svchost.exe
PID 4556 wrote to memory of 4640	4556	svchost.exe	powershell.exe
PID 4556 wrote to memory of 4640	4556	svchost.exe	powershell.exe
PID 4556 wrote to memory of 3552	4556	svchost.exe	powershell.exe
PID 4556 wrote to memory of 3552	4556	svchost.exe	powershell.exe
PID 4556 wrote to memory of 2000	4556	svchost.exe	~tlB92F.tmp
PID 4556 wrote to memory of 2000	4556	svchost.exe	~tlB92F.tmp
PID 2000 wrote to memory of 2800	2000	~tlB92F.tmp	netsh.exe
PID 2000 wrote to memory of 2800	2000	~tlB92F.tmp	netsh.exe
PID 2000 wrote to memory of 3052	2000	~tlB92F.tmp	netsh.exe
PID 2000 wrote to memory of 3052	2000	~tlB92F.tmp	netsh.exe
PID 2000 wrote to memory of 2256	2000	~tlB92F.tmp	netsh.exe
PID 2000 wrote to memory of 2256	2000	~tlB92F.tmp	netsh.exe
PID 2000 wrote to memory of 2992	2000	~tlB92F.tmp	powershell.exe
PID 2000 wrote to memory of 2992	2000	~tlB92F.tmp	powershell.exe
PID 2000 wrote to memory of 944	2000	~tlB92F.tmp	powershell.exe
PID 2000 wrote to memory of 944	2000	~tlB92F.tmp	powershell.exe
PID 2000 wrote to memory of 488	2000	~tlB92F.tmp	schtasks.exe
PID 2000 wrote to memory of 488	2000	~tlB92F.tmp	schtasks.exe
PID 2000 wrote to memory of 4504	2000	~tlB92F.tmp	schtasks.exe
PID 2000 wrote to memory of 4504	2000	~tlB92F.tmp	schtasks.exe
PID 2000 wrote to memory of 1436	2000	~tlB92F.tmp	svchost.exe
PID 2000 wrote to memory of 1436	2000	~tlB92F.tmp	svchost.exe
PID 1436 wrote to memory of 3228	1436	svchost.exe	netsh.exe
PID 1436 wrote to memory of 3228	1436	svchost.exe	netsh.exe
PID 1436 wrote to memory of 3288	1436	svchost.exe	netsh.exe
PID 1436 wrote to memory of 3288	1436	svchost.exe	netsh.exe
PID 1436 wrote to memory of 2480	1436	svchost.exe	netsh.exe
PID 1436 wrote to memory of 2480	1436	svchost.exe	netsh.exe
PID 1436 wrote to memory of 1180	1436	svchost.exe	powershell.exe
PID 1436 wrote to memory of 1180	1436	svchost.exe	powershell.exe
PID 1436 wrote to memory of 432	1436	svchost.exe	powershell.exe
PID 1436 wrote to memory of 432	1436	svchost.exe	powershell.exe
PID 1436 wrote to memory of 2488	1436	svchost.exe	~tl99CB.tmp
PID 1436 wrote to memory of 2488	1436	svchost.exe	~tl99CB.tmp
PID 2488 wrote to memory of 3264	2488	~tl99CB.tmp	netsh.exe
PID 2488 wrote to memory of 3264	2488	~tl99CB.tmp	netsh.exe
PID 2488 wrote to memory of 1520	2488	~tl99CB.tmp	netsh.exe
PID 2488 wrote to memory of 1520	2488	~tl99CB.tmp	netsh.exe
PID 2488 wrote to memory of 436	2488	~tl99CB.tmp	netsh.exe
PID 2488 wrote to memory of 436	2488	~tl99CB.tmp	netsh.exe
PID 2488 wrote to memory of 4068	2488	~tl99CB.tmp	powershell.exe
PID 2488 wrote to memory of 4068	2488	~tl99CB.tmp	powershell.exe
PID 2488 wrote to memory of 4364	2488	~tl99CB.tmp	powershell.exe
PID 2488 wrote to memory of 4364	2488	~tl99CB.tmp	powershell.exe
PID 1348 wrote to memory of 864	1348	svchost.exe	netsh.exe
PID 1348 wrote to memory of 864	1348	svchost.exe	netsh.exe
PID 1348 wrote to memory of 1220	1348	svchost.exe	netsh.exe
PID 1348 wrote to memory of 1220	1348	svchost.exe	netsh.exe
PID 1348 wrote to memory of 3236	1348	svchost.exe	netsh.exe
PID 1348 wrote to memory of 3236	1348	svchost.exe	netsh.exe
PID 1348 wrote to memory of 224	1348	svchost.exe	powershell.exe
PID 1348 wrote to memory of 224	1348	svchost.exe	powershell.exe
PID 1348 wrote to memory of 1760	1348	svchost.exe	powershell.exe
PID 1348 wrote to memory of 1760	1348	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4124

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:3808

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Users\Admin\AppData\Local\Temp\~tlB92F.tmp
C:\Users\Admin\AppData\Local\Temp\~tlB92F.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2800

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3052

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:488

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:4504

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3228

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3288

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Users\Admin\AppData\Local\Temp\~tl99CB.tmp
C:\Users\Admin\AppData\Local\Temp\~tl99CB.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:3264

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1520

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:864

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1220

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\TEMP\~tl7165.tmp
C:\Windows\TEMP\~tl7165.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:884

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1648

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:312

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1132

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\TEMP\~tlD6AA.tmp
C:\Windows\TEMP\~tlD6AA.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:5092

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1520

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2408

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1784

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\TEMP\~tl3FC7.tmp
C:\Windows\TEMP\~tl3FC7.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:1440

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3764

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3132

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:3760

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4488

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\TEMP\~tlA838.tmp
C:\Windows\TEMP\~tlA838.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4716

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4760

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3024

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7b9b8184def0f1090e14c66eea5e230c

SHA1
e01c879bf123bd1a37e8e9d3446931cc7485390e

SHA256
2a9bf687759983a98da6881463ddff7557cdce6fc67a8499afb5846a285a336a

SHA512
3ecc44fc64c4324933b6a332331c3f0cb85ccd375177fab6846aa7ca8ec303c8f7b6d5c065bde597be6e347aa93113308da9ded6d0d8c43fc03bc6f48641247a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07a771c4f31f62b2d04e2befaa36dce7

SHA1
662952ede6c1acbb575e8149a5ac2f08edade811

SHA256
a2df2570980e1123d9af8e12a27a82d3a4d332f0e7dd44e4e225743207c099b3

SHA512
9e339a2d0bfaf5bbe5252f69061652c5880fe1233930830ca7190a65516366e05129907b1656a6790c0093ad82ac73ddee6738d0b78ecb1e3d888f467b889fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc0c9eafdc0931457084e036a9e65009

SHA1
47e16681e9ef1d429d510e123537a38f149d11d5

SHA256
c153db1cb94b4f18475ab4349d6c88469a9dc94abd6a3c9232d261d40c047ca5

SHA512
87f5d9c826fe5aa6316e7c94b66b39cc1086f6d9fefaee3d9cf2b172ae34f1769220d6ec7a4ae49aa8ca6d3abc1c62e9212ca9ebf4720a5ca46e6f34e32df0d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f3b96b24f06e2d37a46e43e8b784f56

SHA1
7be6702c5867f359e913eeeecdd5b76698589295

SHA256
8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720

SHA512
d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
38f41e2606668501cbd52620207d1b73

SHA1
aba7a52f5c36f154ec423146618507547d74e18e

SHA256
5f087405a0508e547ccf5aaae6d91514e02d9ded48a901c9402c094d1bab0040

SHA512
802b5d47bebfc03ac96c81b5e54188efaa64804270dfa87932968dbcc6b3a31d5206e4290db15bba31a7f7755b4f8f17dd7bb8c711707d0c07a0af9e94df9127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
81df5336ec1f6fe20b56d552b01544dc

SHA1
969a4ec09599d179e37d040d189a81189dc03877

SHA256
167cd67fceb2a78ed9b1a88140f009ecb02b4a84723c9702707659bcc80e7a51

SHA512
605ddc659a611112c0e8fda968dd9e83fa59c0c3a612110d6519df03fee889e7570b27150aa0a0f719f1a25d46f02415dcf1440f64713bfc4d3c9777f97d8bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lj3p5s1b.w1h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl99CB.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlB92F.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg

Filesize
393KB

MD5
72e28e2092a43e0d70289f62bec20e65

SHA1
944f2b81392ee946f4767376882c5c1bda6dddb5

SHA256
6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

SHA512
31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a984083caf469e993991f2d137a734e1

SHA1
3c1820ca6efad65d00c8c412824a7d563fd0ef87

SHA256
c0fd1d4ff446d8eb13cba8110234e5306f8f67a7e9f07c62da287bf740cfdc99

SHA512
5b84cb774ac41f2005a82aa74bf6a2e7669dd37c3ed5c5654ca9def88ed608a6e0a49ec7524a6c3b2b9b79fa063ca44cbf9314b2518ffc6385ce72ced5bf3c7a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b269f1e86920041f03ed04b5cc09497

SHA1
cb6a846b9d74bc05a0d916fa628a87afac8918d3

SHA256
9b221a6c3cc39e60f1e6adeba32342ca20f25957a14e8054eacd3e3eee9925aa

SHA512
5a8a5991951808c030245f843656838708a8b74ce606b8d73cecb0c6734b3a3fdec6d401a4c24c4e2c095f79342e8bb006dd9b5878cf0e384101ffd23b89e6dd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6714d2ce29e2b80c6ec82827abecc844

SHA1
c5316f2b4b4a073e25a694e20d7ee47441d459fc

SHA256
085cf746903ae4fe3be49a9ef382f64cc09d7cec88789f9c207c9e2886c53e9b

SHA512
93d8275ca299d01c41c4a1e7077c2a1c22e6a017962d3aab60411dfa59d05144f170a01eae278dad64da55f3dba57d2a2986d8bcbb4c48e018652f1b0dae90f7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58896d042ef0e87daddae768fd3184bc

SHA1
7bd00831b6a32464e50cdc0991f91277bdfb37fe

SHA256
2333328e73f4f099a1c43d276ffb78bca7b3ebda16335758497f85a0c110a94e

SHA512
728439383a2b797313b1be2496307eb765872a9e29b628739f1e943ed70be372b4373c4960941bb4758641928dca2afda67d2058b0d8e7e922afef2d59d8728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c00e9ef4ad5d47d1216f50bdd3378573

SHA1
1d4394ed120f79ffa3b37d1fdded07271944251c

SHA256
8ef2fec6d793896f16a6f2f5c7798a8c715701c4aa673632bf5367edae97bf9e

SHA512
3d3e2f36c0b9291982947aec38c7a461c11178e3ef8116b73788fec4acffd75ede9da77d461b7ccbd9fe8fcedec8ad7880bf3c7f1ac1809cbc254b2e6dd4348f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f06741dd696b6b8d0cee85ddce46739

SHA1
51067048e718e74bfdd1903712f4a2db39520fa0

SHA256
2d3da1a2d7914817b2600148feb349fbf479c35132c0652e484e0a57834b6c1f

SHA512
b539d216b0be4fe8ba280a7c5d1013960524040c4b585c8a00e13995d4fa0ecf55a94c4f035facedaa38d565fab582b3ff67c8cc5a54c342eff51a718894f12c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b1d3e7f74549cd262b3a6ef50c2ecce8

SHA1
a456c31f304268f5103f28e76a731e79cd27ee7f

SHA256
435afc9dd31733e2faa22320406027b2af80bec2b5f326416f64d1d33879b788

SHA512
1a452012f12cca9db9ed31dbb9824c404adbb9a1b3d7e7987a128e6a0b19b8507fe2dd8df5ea3396120b80a604295b6aeaf23f16f49d3d00354f7d8d6284d1c6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0802c82bbc3c604193e9636a6ceed96

SHA1
6d98355e298027e01d5cc40f8cb26b2309888b7d

SHA256
860f8700c8a5f4daaa0e46ba57b8de0c4dd6fbe728ac60e2fbf324d6c94d64d2

SHA512
b27cb5b66a8b10f57674df1e1b91edb9535dd7781d6f4706933f3e8b96b7c9172419ee9056b4ab64e6d98cbc509754dbba25ffdd587205ad9f6514806f62c2ed

Download Submit
memory/224-332-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/224-333-0x00000284AE4A0000-0x00000284AE4B0000-memory.dmp

Filesize
64KB

Download
memory/432-237-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/432-238-0x000002488C7E0000-0x000002488C7F0000-memory.dmp

Filesize
64KB

Download
memory/432-248-0x000002488C7E0000-0x000002488C7F0000-memory.dmp

Filesize
64KB

Download
memory/432-252-0x000002488C7E0000-0x000002488C7F0000-memory.dmp

Filesize
64KB

Download
memory/432-266-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/944-192-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/944-202-0x000002350D9D0000-0x000002350D9E0000-memory.dmp

Filesize
64KB

Download
memory/944-206-0x000002350D9D0000-0x000002350D9E0000-memory.dmp

Filesize
64KB

Download
memory/944-209-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-249-0x000001AA20760000-0x000001AA20770000-memory.dmp

Filesize
64KB

Download
memory/1180-251-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-226-0x000001AA20760000-0x000001AA20770000-memory.dmp

Filesize
64KB

Download
memory/1180-225-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-315-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1348-398-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1348-331-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1436-224-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1436-221-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1436-263-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-166-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-167-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-164-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-223-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2000-179-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2336-459-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2336-402-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2404-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2404-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2404-6-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2404-55-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2404-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2404-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2404-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2488-268-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2488-267-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2488-265-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2488-299-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2488-262-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2544-23-0x00007FFC4A5F0000-0x00007FFC4B0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-9-0x0000029727660000-0x0000029727682000-memory.dmp

Filesize
136KB

Download
memory/2544-20-0x00000297255B0000-0x00000297255C0000-memory.dmp

Filesize
64KB

Download
memory/2544-19-0x00000297255B0000-0x00000297255C0000-memory.dmp

Filesize
64KB

Download
memory/2544-18-0x00000297255B0000-0x00000297255C0000-memory.dmp

Filesize
64KB

Download
memory/2544-17-0x00007FFC4A5F0000-0x00007FFC4B0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-190-0x0000015D19B80000-0x0000015D19B90000-memory.dmp

Filesize
64KB

Download
memory/2992-205-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-180-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-203-0x0000015D19B80000-0x0000015D19B90000-memory.dmp

Filesize
64KB

Download
memory/3552-77-0x00000231C3050000-0x00000231C3060000-memory.dmp

Filesize
64KB

Download
memory/3552-76-0x00000231C3050000-0x00000231C3060000-memory.dmp

Filesize
64KB

Download
memory/3552-88-0x00000231C3050000-0x00000231C3060000-memory.dmp

Filesize
64KB

Download
memory/3552-89-0x00000231C3050000-0x00000231C3060000-memory.dmp

Filesize
64KB

Download
memory/3552-91-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-75-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-24-0x00007FFC4A5F0000-0x00007FFC4B0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-37-0x000002ABB4900000-0x000002ABB4910000-memory.dmp

Filesize
64KB

Download
memory/3736-38-0x000002ABB4900000-0x000002ABB4910000-memory.dmp

Filesize
64KB

Download
memory/3736-41-0x00007FFC4A5F0000-0x00007FFC4B0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-25-0x000002ABB4900000-0x000002ABB4910000-memory.dmp

Filesize
64KB

Download
memory/3736-28-0x000002ABB4900000-0x000002ABB4910000-memory.dmp

Filesize
64KB

Download
memory/4068-281-0x0000021966D00000-0x0000021966D10000-memory.dmp

Filesize
64KB

Download
memory/4068-295-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-293-0x0000021966D00000-0x0000021966D10000-memory.dmp

Filesize
64KB

Download
memory/4068-269-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-280-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-282-0x0000023BC0580000-0x0000023BC0590000-memory.dmp

Filesize
64KB

Download
memory/4364-298-0x00007FFC4A710000-0x00007FFC4B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-57-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4556-178-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4556-92-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/4556-52-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4556-54-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4640-71-0x0000018F86FF0000-0x0000018F87000000-memory.dmp

Filesize
64KB

Download
memory/4640-68-0x0000018F86FF0000-0x0000018F87000000-memory.dmp

Filesize
64KB

Download
memory/4640-67-0x00007FFC4A660000-0x00007FFC4B121000-memory.dmp

Filesize
10.8MB

Download
memory/4640-70-0x0000018F86FF0000-0x0000018F87000000-memory.dmp

Filesize
64KB

Download
memory/4640-72-0x0000018F86FF0000-0x0000018F87000000-memory.dmp

Filesize
64KB

Download
memory/4640-74-0x00007FFC4A660000-0x00007FFC4B121000-memory.dmp

Filesize
10.8MB

Download