7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
598s
max time network
606s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 8 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

3220 netsh.exe
2904 netsh.exe
5024 netsh.exe
3028 netsh.exe
1936 netsh.exe
5016 netsh.exe
3904 netsh.exe
3976 netsh.exe
Executes dropped EXE 5 IoCs

Processes:

svchost.exe~tl9210.tmpsvchost.exe~tl4088.tmpsvchost.exe

pid process

5056 svchost.exe
1756 ~tl9210.tmp
4924 svchost.exe
520 ~tl4088.tmp
4836 svchost.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 62.102.148.68

pid	process
3220	netsh.exe
2904	netsh.exe
5024	netsh.exe
3028	netsh.exe
1936	netsh.exe
5016	netsh.exe
3904	netsh.exe
3976	netsh.exe

pid	process
5056	svchost.exe
1756	~tl9210.tmp
4924	svchost.exe
520	~tl4088.tmp
4836	svchost.exe

description	ioc
Destination IP	62.102.148.68

Drops file in System32 directory 15 IoCs

Processes:

svchost.exe~tl4088.tmppowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl4088.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl4088.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 7 IoCs

Processes:

svchost.exe~tl4088.tmpsvchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl4088.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl4088.tmp
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4012 schtasks.exe
4664 schtasks.exe

pid	process
4012	schtasks.exe
4664	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exenetsh.exenetsh.exe~tl4088.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl4088.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl4088.tmppowershell.exepowershell.exe

pid	process
4832	powershell.exe
3020	powershell.exe
3020	powershell.exe
4832	powershell.exe
3020	powershell.exe
4832	powershell.exe
2016	svchost_dump_SCY - Copy.exe
2016	svchost_dump_SCY - Copy.exe
2904	powershell.exe
3336	powershell.exe
3336	powershell.exe
2904	powershell.exe
2904	powershell.exe
3336	powershell.exe
4644	powershell.exe
1000	powershell.exe
4644	powershell.exe
1000	powershell.exe
4644	powershell.exe
1000	powershell.exe
520	~tl4088.tmp
520	~tl4088.tmp
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
520	~tl4088.tmp
520	~tl4088.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4832	powershell.exe
Token: SeSecurityPrivilege	4832	powershell.exe
Token: SeTakeOwnershipPrivilege	4832	powershell.exe
Token: SeLoadDriverPrivilege	4832	powershell.exe
Token: SeSystemProfilePrivilege	4832	powershell.exe
Token: SeSystemtimePrivilege	4832	powershell.exe
Token: SeProfSingleProcessPrivilege	4832	powershell.exe
Token: SeIncBasePriorityPrivilege	4832	powershell.exe
Token: SeCreatePagefilePrivilege	4832	powershell.exe
Token: SeBackupPrivilege	4832	powershell.exe
Token: SeRestorePrivilege	4832	powershell.exe
Token: SeShutdownPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeSystemEnvironmentPrivilege	4832	powershell.exe
Token: SeRemoteShutdownPrivilege	4832	powershell.exe
Token: SeUndockPrivilege	4832	powershell.exe
Token: SeManageVolumePrivilege	4832	powershell.exe
Token: 33	4832	powershell.exe
Token: 34	4832	powershell.exe
Token: 35	4832	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exesvchost.exe~tl4088.tmp

description	pid	process	target process
PID 2016 wrote to memory of 3820	2016	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2016 wrote to memory of 3820	2016	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2016 wrote to memory of 5024	2016	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2016 wrote to memory of 5024	2016	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2016 wrote to memory of 3028	2016	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2016 wrote to memory of 3028	2016	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2016 wrote to memory of 4832	2016	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2016 wrote to memory of 4832	2016	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2016 wrote to memory of 3020	2016	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2016 wrote to memory of 3020	2016	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2016 wrote to memory of 208	2016	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2016 wrote to memory of 208	2016	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2016 wrote to memory of 4664	2016	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2016 wrote to memory of 4664	2016	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2016 wrote to memory of 5056	2016	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2016 wrote to memory of 5056	2016	svchost_dump_SCY - Copy.exe	svchost.exe
PID 5056 wrote to memory of 912	5056	svchost.exe	WMIC.exe
PID 5056 wrote to memory of 912	5056	svchost.exe	WMIC.exe
PID 5056 wrote to memory of 1936	5056	svchost.exe	netsh.exe
PID 5056 wrote to memory of 1936	5056	svchost.exe	netsh.exe
PID 5056 wrote to memory of 5016	5056	svchost.exe	netsh.exe
PID 5056 wrote to memory of 5016	5056	svchost.exe	netsh.exe
PID 5056 wrote to memory of 2904	5056	svchost.exe	powershell.exe
PID 5056 wrote to memory of 2904	5056	svchost.exe	powershell.exe
PID 5056 wrote to memory of 3336	5056	svchost.exe	powershell.exe
PID 5056 wrote to memory of 3336	5056	svchost.exe	powershell.exe
PID 5056 wrote to memory of 1756	5056	svchost.exe	~tl9210.tmp
PID 5056 wrote to memory of 1756	5056	svchost.exe	~tl9210.tmp
PID 4924 wrote to memory of 4456	4924	svchost.exe	WMIC.exe
PID 4924 wrote to memory of 4456	4924	svchost.exe	WMIC.exe
PID 4924 wrote to memory of 3904	4924	svchost.exe	netsh.exe
PID 4924 wrote to memory of 3904	4924	svchost.exe	netsh.exe
PID 4924 wrote to memory of 3976	4924	svchost.exe	netsh.exe
PID 4924 wrote to memory of 3976	4924	svchost.exe	netsh.exe
PID 4924 wrote to memory of 4644	4924	svchost.exe	powershell.exe
PID 4924 wrote to memory of 4644	4924	svchost.exe	powershell.exe
PID 4924 wrote to memory of 1000	4924	svchost.exe	powershell.exe
PID 4924 wrote to memory of 1000	4924	svchost.exe	powershell.exe
PID 4924 wrote to memory of 520	4924	svchost.exe	~tl4088.tmp
PID 4924 wrote to memory of 520	4924	svchost.exe	~tl4088.tmp
PID 520 wrote to memory of 3804	520	~tl4088.tmp	netsh.exe
PID 520 wrote to memory of 3804	520	~tl4088.tmp	netsh.exe
PID 520 wrote to memory of 3220	520	~tl4088.tmp	netsh.exe
PID 520 wrote to memory of 3220	520	~tl4088.tmp	netsh.exe
PID 520 wrote to memory of 2904	520	~tl4088.tmp	netsh.exe
PID 520 wrote to memory of 2904	520	~tl4088.tmp	netsh.exe
PID 520 wrote to memory of 3456	520	~tl4088.tmp	powershell.exe
PID 520 wrote to memory of 3456	520	~tl4088.tmp	powershell.exe
PID 520 wrote to memory of 5088	520	~tl4088.tmp	powershell.exe
PID 520 wrote to memory of 5088	520	~tl4088.tmp	powershell.exe
PID 520 wrote to memory of 1352	520	~tl4088.tmp	schtasks.exe
PID 520 wrote to memory of 1352	520	~tl4088.tmp	schtasks.exe
PID 520 wrote to memory of 4012	520	~tl4088.tmp	schtasks.exe
PID 520 wrote to memory of 4012	520	~tl4088.tmp	schtasks.exe
PID 520 wrote to memory of 4836	520	~tl4088.tmp	svchost.exe
PID 520 wrote to memory of 4836	520	~tl4088.tmp	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:5024

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:208

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4664

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:912

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1936

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:5016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3336

C:\Users\Admin\AppData\Local\Temp\~tl9210.tmp
C:\Users\Admin\AppData\Local\Temp\~tl9210.tmp
3⤵
- Executes dropped EXE
PID:1756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:4456

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3904

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Windows\TEMP\~tl4088.tmp
C:\Windows\TEMP\~tl4088.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:3804

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3220

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
3⤵
PID:1352

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bd755630b20110992c2b52fbfaa2eede

SHA1
68f030e0ffae7763660c9a27a33ed705ec74d2a6

SHA256
6be4920cd4a412da0f040dac4e6d865d3fc1f63355dba535d83c368d83bebeba

SHA512
e0c0903f6cb64f854bb6afe7af7025b5fb8ae17ddde37d30cbab84f13fb67af5197580551976f50e5be1603771108b2db8c8dfbb91abbf6e77aa1a80398c31d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e5b68015aafc035d25257e8393af5985

SHA1
18f53b36d8c7c35840b5cf543d2a6f19a0a224d7

SHA256
1bb36b354cc166d1d6cc42021e84c9f0ffff58200f030329bf37d3b75277f068

SHA512
66ed36c0b50a2de0da24108bbf75b107ff120b244ca323c1f24c0e8fdf62aa52892e456175b7e14f709e247002adddc547994a74eae565dcca64aac4fbe45646

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxviz3ar.40i.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl9210.tmp
Filesize
379KB

MD5
637a4f8868aaa962c735126e5f42f2af

SHA1
93dc8a45509d2975ca01a1ca11bd600583dc2cd1

SHA256
e11acb6b7811fa77c20d1969607dc02a4aadd0f52214ae11325b84f613d6cafc

SHA512
d7f652158ac6a6cb38164202cb47f65ac53c36913175f33d00fdd1d0d83300a425cdadcfeff35b592f9da803ce7cd3197de02855df49c374d4e83b16b2079b65

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.8MB

MD5
525ada19b92f7ab4163ab4ff062391b0

SHA1
d5b65b5f3d89add77e3489080c9558849cc1c309

SHA256
064647be1ef869272b89d9aed3489eb5df095a395db859451fa02e4e72eb41b0

SHA512
6654ce6cb2dcbba7d3b7f20f0a8a05ad0f1668d6cbe252d2083336c3f5b7032e1eb34cbca2149c325b8d73ea1966bd959613df86bf0f2182e183d088161c1086

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
Filesize
9.3MB

MD5
f43373f5264895c2b7dac6dd1af5fae7

SHA1
6fb7b4504d5440368009dd5753699ab42aa980c9

SHA256
00496f2a9497e3296df7d59a9b89989ba81c47b32837ed414c8de6dde44d08a8

SHA512
a1546ec598a06a57f23124b8068bdaa141974827c220d0b82bd9466a3625a68eae723e33540239b77639c0fd63f74a5a061ca17afa363999bcf078694fdb73a5

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\Temp\~tl4088.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
291B

MD5
3ddcf581ade46fa7e9e95f5bc8f0f538

SHA1
f62672e20a1ade3a7644cc9d3de4d4b8376aa165

SHA256
56f0d19920847c7b5a7b5f7354c9a47f079bb5b9e868e640cfaf3f4f79483692

SHA512
31b5fcf54eea43e4f765ada646abdf1ffbca3e611b0294bc397e68da13122f471afff540b4faf1a9351effab2a5db6225f74797639a0200dd06916bf0584ae5f

Download Submit
memory/520-643-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/520-647-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/520-648-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/520-649-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1000-517-0x000002F3DF520000-0x000002F3DF530000-memory.dmp

Filesize
64KB

Download
memory/1000-324-0x000002F3F7D80000-0x000002F3F7D9C000-memory.dmp

Filesize
112KB

Download
memory/1000-323-0x00007FF721090000-0x00007FF7210A0000-memory.dmp

Filesize
64KB

Download
memory/1000-286-0x000002F3DF520000-0x000002F3DF530000-memory.dmp

Filesize
64KB

Download
memory/1000-285-0x000002F3DF520000-0x000002F3DF530000-memory.dmp

Filesize
64KB

Download
memory/1000-284-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/1000-403-0x000002F3F7DA0000-0x000002F3F7DAA000-memory.dmp

Filesize
40KB

Download
memory/1000-516-0x000002F3DF520000-0x000002F3DF530000-memory.dmp

Filesize
64KB

Download
memory/1000-577-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/1756-267-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1756-270-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2016-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2016-45-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2016-113-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2904-119-0x000001F856E00000-0x000001F856E10000-memory.dmp

Filesize
64KB

Download
memory/2904-209-0x000001F856E00000-0x000001F856E10000-memory.dmp

Filesize
64KB

Download
memory/2904-216-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-120-0x000001F856E00000-0x000001F856E10000-memory.dmp

Filesize
64KB

Download
memory/2904-159-0x000001F856E00000-0x000001F856E10000-memory.dmp

Filesize
64KB

Download
memory/2904-118-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-101-0x00007FFA05B40000-0x00007FFA0652C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-94-0x0000024DA4610000-0x0000024DA4620000-memory.dmp

Filesize
64KB

Download
memory/3020-14-0x0000024DA4610000-0x0000024DA4620000-memory.dmp

Filesize
64KB

Download
memory/3020-12-0x0000024DA4610000-0x0000024DA4620000-memory.dmp

Filesize
64KB

Download
memory/3020-10-0x00007FFA05B40000-0x00007FFA0652C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-18-0x0000024DA48A0000-0x0000024DA4916000-memory.dmp

Filesize
472KB

Download
memory/3020-46-0x0000024DA4610000-0x0000024DA4620000-memory.dmp

Filesize
64KB

Download
memory/3336-215-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/3336-124-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/3336-126-0x000002002E200000-0x000002002E210000-memory.dmp

Filesize
64KB

Download
memory/3336-206-0x000002002E200000-0x000002002E210000-memory.dmp

Filesize
64KB

Download
memory/3336-158-0x000002002E200000-0x000002002E210000-memory.dmp

Filesize
64KB

Download
memory/3336-128-0x000002002E200000-0x000002002E210000-memory.dmp

Filesize
64KB

Download
memory/3456-653-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/3456-655-0x000002D3D2F50000-0x000002D3D2F60000-memory.dmp

Filesize
64KB

Download
memory/3456-656-0x000002D3D2F50000-0x000002D3D2F60000-memory.dmp

Filesize
64KB

Download
memory/3456-696-0x00007FF7217B0000-0x00007FF7217C0000-memory.dmp

Filesize
64KB

Download
memory/3456-702-0x000002D3D3260000-0x000002D3D3319000-memory.dmp

Filesize
740KB

Download
memory/4644-336-0x000002A2ADAC0000-0x000002A2ADB79000-memory.dmp

Filesize
740KB

Download
memory/4644-278-0x000002A2ADA90000-0x000002A2ADAA0000-memory.dmp

Filesize
64KB

Download
memory/4644-518-0x000002A2ADA90000-0x000002A2ADAA0000-memory.dmp

Filesize
64KB

Download
memory/4644-519-0x000002A2ADA90000-0x000002A2ADAA0000-memory.dmp

Filesize
64KB

Download
memory/4644-277-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/4644-279-0x000002A2ADA90000-0x000002A2ADAA0000-memory.dmp

Filesize
64KB

Download
memory/4644-325-0x00007FF721660000-0x00007FF721670000-memory.dmp

Filesize
64KB

Download
memory/4644-590-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/4832-106-0x00007FFA05B40000-0x00007FFA0652C000-memory.dmp

Filesize
9.9MB

Download
memory/4832-15-0x0000022422070000-0x0000022422092000-memory.dmp

Filesize
136KB

Download
memory/4832-13-0x00000224081D0000-0x00000224081E0000-memory.dmp

Filesize
64KB

Download
memory/4832-48-0x00000224081D0000-0x00000224081E0000-memory.dmp

Filesize
64KB

Download
memory/4832-8-0x00000224081D0000-0x00000224081E0000-memory.dmp

Filesize
64KB

Download
memory/4832-6-0x00007FFA05B40000-0x00007FFA0652C000-memory.dmp

Filesize
9.9MB

Download
memory/4832-100-0x00000224081D0000-0x00000224081E0000-memory.dmp

Filesize
64KB

Download
memory/4924-272-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4924-646-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4924-591-0x000000002BDC0000-0x000000002C2A2000-memory.dmp

Filesize
4.9MB

Download
memory/5056-112-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5056-269-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5056-217-0x00000000369D0000-0x0000000036EB2000-memory.dmp

Filesize
4.9MB

Download
memory/5056-127-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5088-663-0x00007FF9F57D0000-0x00007FF9F61BC000-memory.dmp

Filesize
9.9MB

Download
memory/5088-664-0x0000026264320000-0x0000026264330000-memory.dmp

Filesize
64KB

Download
memory/5088-707-0x00007FF721480000-0x00007FF721490000-memory.dmp

Filesize
64KB

Download
memory/5088-807-0x0000026264320000-0x0000026264330000-memory.dmp

Filesize
64KB

Download
memory/5088-808-0x0000026264320000-0x0000026264330000-memory.dmp

Filesize
64KB

Download