7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
599s
max time network
606s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4888	netsh.exe
5024	netsh.exe
5044	netsh.exe
4156	netsh.exe
512	netsh.exe
1060	netsh.exe
2460	netsh.exe
1372	netsh.exe
1552	netsh.exe
1108	netsh.exe
1780	netsh.exe
5096	netsh.exe
4616	netsh.exe
680	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tlC67E.tmpsvchost.exe~tlA053.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	~tlC67E.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	~tlA053.tmp

Executes dropped EXE 6 IoCs

Processes:

svchost.exe~tlC67E.tmpsvchost.exe~tlA053.tmpsvchost.exe~tlF22E.tmp

pid process

1476 svchost.exe
2128 ~tlC67E.tmp
1572 svchost.exe
2320 ~tlA053.tmp
3468 svchost.exe
5076 ~tlF22E.tmp

pid	process
1476	svchost.exe
2128	~tlC67E.tmp
1572	svchost.exe
2320	~tlA053.tmp
3468	svchost.exe
5076	~tlF22E.tmp

Drops file in System32 directory 9 IoCs

Processes:

svchost.exepowershell.exepowershell.exepowershell.exe~tlF22E.tmppowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlF22E.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exesvchost.exesvchost_dump_SCY - Copy.exesvchost.exe~tlC67E.tmp

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tlC67E.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tlC67E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2568 schtasks.exe
1492 schtasks.exe

pid	process
2568	schtasks.exe
1492	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exesvchost.exepowershell.exe~tlF22E.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	~tlF22E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tlC67E.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlA053.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlF22E.tmppowershell.exepowershell.exe

pid	process
1640	powershell.exe
1412	powershell.exe
1412	powershell.exe
1640	powershell.exe
5052	svchost_dump_SCY - Copy.exe
5052	svchost_dump_SCY - Copy.exe
4348	powershell.exe
448	powershell.exe
448	powershell.exe
4348	powershell.exe
2128	~tlC67E.tmp
2128	~tlC67E.tmp
2096	powershell.exe
2096	powershell.exe
3100	powershell.exe
3100	powershell.exe
2128	~tlC67E.tmp
2128	~tlC67E.tmp
1572	svchost.exe
1572	svchost.exe
2724	powershell.exe
2432	powershell.exe
2724	powershell.exe
2432	powershell.exe
2320	~tlA053.tmp
2320	~tlA053.tmp
1488	powershell.exe
1488	powershell.exe
680	powershell.exe
680	powershell.exe
3468	svchost.exe
3468	svchost.exe
3948	powershell.exe
3948	powershell.exe
228	powershell.exe
228	powershell.exe
5076	~tlF22E.tmp
5076	~tlF22E.tmp
536	powershell.exe
3284	powershell.exe
3284	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4492	WMIC.exe
Token: SeSecurityPrivilege	4492	WMIC.exe
Token: SeTakeOwnershipPrivilege	4492	WMIC.exe
Token: SeLoadDriverPrivilege	4492	WMIC.exe
Token: SeSystemProfilePrivilege	4492	WMIC.exe
Token: SeSystemtimePrivilege	4492	WMIC.exe
Token: SeProfSingleProcessPrivilege	4492	WMIC.exe
Token: SeIncBasePriorityPrivilege	4492	WMIC.exe
Token: SeCreatePagefilePrivilege	4492	WMIC.exe
Token: SeBackupPrivilege	4492	WMIC.exe
Token: SeRestorePrivilege	4492	WMIC.exe
Token: SeShutdownPrivilege	4492	WMIC.exe
Token: SeDebugPrivilege	4492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4492	WMIC.exe
Token: SeRemoteShutdownPrivilege	4492	WMIC.exe
Token: SeUndockPrivilege	4492	WMIC.exe
Token: SeManageVolumePrivilege	4492	WMIC.exe
Token: 33	4492	WMIC.exe
Token: 34	4492	WMIC.exe
Token: 35	4492	WMIC.exe
Token: 36	4492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4492	WMIC.exe
Token: SeSecurityPrivilege	4492	WMIC.exe
Token: SeTakeOwnershipPrivilege	4492	WMIC.exe
Token: SeLoadDriverPrivilege	4492	WMIC.exe
Token: SeSystemProfilePrivilege	4492	WMIC.exe
Token: SeSystemtimePrivilege	4492	WMIC.exe
Token: SeProfSingleProcessPrivilege	4492	WMIC.exe
Token: SeIncBasePriorityPrivilege	4492	WMIC.exe
Token: SeCreatePagefilePrivilege	4492	WMIC.exe
Token: SeBackupPrivilege	4492	WMIC.exe
Token: SeRestorePrivilege	4492	WMIC.exe
Token: SeShutdownPrivilege	4492	WMIC.exe
Token: SeDebugPrivilege	4492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4492	WMIC.exe
Token: SeRemoteShutdownPrivilege	4492	WMIC.exe
Token: SeUndockPrivilege	4492	WMIC.exe
Token: SeManageVolumePrivilege	4492	WMIC.exe
Token: 33	4492	WMIC.exe
Token: 34	4492	WMIC.exe
Token: 35	4492	WMIC.exe
Token: 36	4492	WMIC.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	WMIC.exe
Token: SeSecurityPrivilege	4036	WMIC.exe
Token: SeTakeOwnershipPrivilege	4036	WMIC.exe
Token: SeLoadDriverPrivilege	4036	WMIC.exe
Token: SeSystemProfilePrivilege	4036	WMIC.exe
Token: SeSystemtimePrivilege	4036	WMIC.exe
Token: SeProfSingleProcessPrivilege	4036	WMIC.exe
Token: SeIncBasePriorityPrivilege	4036	WMIC.exe
Token: SeCreatePagefilePrivilege	4036	WMIC.exe
Token: SeBackupPrivilege	4036	WMIC.exe
Token: SeRestorePrivilege	4036	WMIC.exe
Token: SeShutdownPrivilege	4036	WMIC.exe
Token: SeDebugPrivilege	4036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4036	WMIC.exe
Token: SeRemoteShutdownPrivilege	4036	WMIC.exe
Token: SeUndockPrivilege	4036	WMIC.exe
Token: SeManageVolumePrivilege	4036	WMIC.exe
Token: 33	4036	WMIC.exe
Token: 34	4036	WMIC.exe
Token: 35	4036	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tlC67E.tmpsvchost.exe~tlA053.tmp

description	pid	process	target process
PID 5052 wrote to memory of 4492	5052	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 5052 wrote to memory of 4492	5052	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 5052 wrote to memory of 1372	5052	svchost_dump_SCY - Copy.exe	netsh.exe
PID 5052 wrote to memory of 1372	5052	svchost_dump_SCY - Copy.exe	netsh.exe
PID 5052 wrote to memory of 4888	5052	svchost_dump_SCY - Copy.exe	netsh.exe
PID 5052 wrote to memory of 4888	5052	svchost_dump_SCY - Copy.exe	netsh.exe
PID 5052 wrote to memory of 1640	5052	svchost_dump_SCY - Copy.exe	powershell.exe
PID 5052 wrote to memory of 1640	5052	svchost_dump_SCY - Copy.exe	powershell.exe
PID 5052 wrote to memory of 1412	5052	svchost_dump_SCY - Copy.exe	powershell.exe
PID 5052 wrote to memory of 1412	5052	svchost_dump_SCY - Copy.exe	powershell.exe
PID 5052 wrote to memory of 2268	5052	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 5052 wrote to memory of 2268	5052	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 5052 wrote to memory of 1492	5052	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 5052 wrote to memory of 1492	5052	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 5052 wrote to memory of 1476	5052	svchost_dump_SCY - Copy.exe	svchost.exe
PID 5052 wrote to memory of 1476	5052	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1476 wrote to memory of 4036	1476	svchost.exe	WMIC.exe
PID 1476 wrote to memory of 4036	1476	svchost.exe	WMIC.exe
PID 1476 wrote to memory of 1552	1476	svchost.exe	netsh.exe
PID 1476 wrote to memory of 1552	1476	svchost.exe	netsh.exe
PID 1476 wrote to memory of 1108	1476	svchost.exe	netsh.exe
PID 1476 wrote to memory of 1108	1476	svchost.exe	netsh.exe
PID 1476 wrote to memory of 4348	1476	svchost.exe	powershell.exe
PID 1476 wrote to memory of 4348	1476	svchost.exe	powershell.exe
PID 1476 wrote to memory of 448	1476	svchost.exe	powershell.exe
PID 1476 wrote to memory of 448	1476	svchost.exe	powershell.exe
PID 1476 wrote to memory of 2128	1476	svchost.exe	~tlC67E.tmp
PID 1476 wrote to memory of 2128	1476	svchost.exe	~tlC67E.tmp
PID 2128 wrote to memory of 3796	2128	~tlC67E.tmp	netsh.exe
PID 2128 wrote to memory of 3796	2128	~tlC67E.tmp	netsh.exe
PID 2128 wrote to memory of 5096	2128	~tlC67E.tmp	netsh.exe
PID 2128 wrote to memory of 5096	2128	~tlC67E.tmp	netsh.exe
PID 2128 wrote to memory of 4156	2128	~tlC67E.tmp	netsh.exe
PID 2128 wrote to memory of 4156	2128	~tlC67E.tmp	netsh.exe
PID 2128 wrote to memory of 2096	2128	~tlC67E.tmp	powershell.exe
PID 2128 wrote to memory of 2096	2128	~tlC67E.tmp	powershell.exe
PID 2128 wrote to memory of 3100	2128	~tlC67E.tmp	powershell.exe
PID 2128 wrote to memory of 3100	2128	~tlC67E.tmp	powershell.exe
PID 2128 wrote to memory of 1728	2128	~tlC67E.tmp	schtasks.exe
PID 2128 wrote to memory of 1728	2128	~tlC67E.tmp	schtasks.exe
PID 2128 wrote to memory of 2568	2128	~tlC67E.tmp	schtasks.exe
PID 2128 wrote to memory of 2568	2128	~tlC67E.tmp	schtasks.exe
PID 2128 wrote to memory of 1572	2128	~tlC67E.tmp	svchost.exe
PID 2128 wrote to memory of 1572	2128	~tlC67E.tmp	svchost.exe
PID 1572 wrote to memory of 1248	1572	svchost.exe	netsh.exe
PID 1572 wrote to memory of 1248	1572	svchost.exe	netsh.exe
PID 1572 wrote to memory of 512	1572	svchost.exe	netsh.exe
PID 1572 wrote to memory of 512	1572	svchost.exe	netsh.exe
PID 1572 wrote to memory of 1060	1572	svchost.exe	netsh.exe
PID 1572 wrote to memory of 1060	1572	svchost.exe	netsh.exe
PID 1572 wrote to memory of 2724	1572	svchost.exe	powershell.exe
PID 1572 wrote to memory of 2724	1572	svchost.exe	powershell.exe
PID 1572 wrote to memory of 2432	1572	svchost.exe	powershell.exe
PID 1572 wrote to memory of 2432	1572	svchost.exe	powershell.exe
PID 1572 wrote to memory of 2320	1572	svchost.exe	~tlA053.tmp
PID 1572 wrote to memory of 2320	1572	svchost.exe	~tlA053.tmp
PID 2320 wrote to memory of 4068	2320	~tlA053.tmp	netsh.exe
PID 2320 wrote to memory of 4068	2320	~tlA053.tmp	netsh.exe
PID 2320 wrote to memory of 4616	2320	~tlA053.tmp	netsh.exe
PID 2320 wrote to memory of 4616	2320	~tlA053.tmp	netsh.exe
PID 2320 wrote to memory of 1780	2320	~tlA053.tmp	netsh.exe
PID 2320 wrote to memory of 1780	2320	~tlA053.tmp	netsh.exe
PID 2320 wrote to memory of 1488	2320	~tlA053.tmp	powershell.exe
PID 2320 wrote to memory of 1488	2320	~tlA053.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1372

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2268

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1492

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1552

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Users\Admin\AppData\Local\Temp\~tlC67E.tmp
C:\Users\Admin\AppData\Local\Temp\~tlC67E.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:3796

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:5096

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:1728

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:2568

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:1248

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:512

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Users\Admin\AppData\Local\Temp\~tlA053.tmp
C:\Users\Admin\AppData\Local\Temp\~tlA053.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:4068

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4616

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2724

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:5024

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:5044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\TEMP\~tlF22E.tmp
C:\Windows\TEMP\~tlF22E.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:5068

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2460

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c5f08d24862e6379a8d1690a00cec9d9

SHA1
bb8d97ecabf50dbb00c4cdb8e597abb8e8d4cc6a

SHA256
5e251646e29c7e8add8d15ded067b00678c73cc35186cf029605353f964c1c11

SHA512
1d45907c632096953a267f3dbcd3edca01fcaec966cc88d39b6fd6b45e3684710cc23fbe53d649d0f2866ad4de36437795ae66b7440b7c079f83725aeed9c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7e28e7955dbcb9139ee35cb912e25d80

SHA1
13ec99a4c0fd2d3ed92f19e1459bb6c902998ead

SHA256
38c558bc355f6a88fdabe0f78dcdd8b8ba672861e1ffa9e65f0dee265a23b617

SHA512
0b7204038de0434211855efebd8c6f92e636be1a8905bc9e74093a0a64255ed50c5f24369a2976dfdb1f88dd179581be6e5db36c09e4882c33e1473083353357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
f41f42c322498af0591f396c59dd4304

SHA1
e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

SHA256
d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

SHA512
2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsznujsh.1zi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlA053.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlC67E.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
7.2MB

MD5
6920fc165b4c3a5c8c5c14b6d410be69

SHA1
249216eabbbd9dd7aace9e97d5e7cbfa625f172a

SHA256
356e43b8ca454c361b6b2cbb8ce97faf0e6029249225abef509b100c1cdc4625

SHA512
4d37563f28f6103c4309cd7068772f93677a0b0191e9adcae083d0970d169e8af4c0e61da57cde7029fa96c07180759b9628e0f50ba08db6b1a0195b3f1d7bc5

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1004B

MD5
03ff24d24eb59a6501c9a52ccaf88ec2

SHA1
a5969b8c4d927c3f4d3e5228d50969aedab6e810

SHA256
f8a29687943c55c42794bd35be8850b2bda92527304e17c7b49f3cccb50804d3

SHA512
cc0004b59c8b299e1adaf77e8caf41b411c03c81eb4f2faa17f7b525287f2493c074f1b71f5d624831ae90eb4c255c6d22eb956507a261ffbea49c34365e0bd9

Download Submit
memory/228-307-0x000002AB1F4D0000-0x000002AB1F4E0000-memory.dmp

Filesize
64KB

Download
memory/228-308-0x000002AB1F4D0000-0x000002AB1F4E0000-memory.dmp

Filesize
64KB

Download
memory/228-297-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/448-67-0x0000022A5B970000-0x0000022A5B980000-memory.dmp

Filesize
64KB

Download
memory/448-54-0x00007FF808B40000-0x00007FF809601000-memory.dmp

Filesize
10.8MB

Download
memory/448-73-0x00007FF808B40000-0x00007FF809601000-memory.dmp

Filesize
10.8MB

Download
memory/680-241-0x00000257BB590000-0x00000257BB5A0000-memory.dmp

Filesize
64KB

Download
memory/680-257-0x00000257BB590000-0x00000257BB5A0000-memory.dmp

Filesize
64KB

Download
memory/680-240-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/680-252-0x00000257BB590000-0x00000257BB5A0000-memory.dmp

Filesize
64KB

Download
memory/680-260-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/680-242-0x00000257BB590000-0x00000257BB5A0000-memory.dmp

Filesize
64KB

Download
memory/1412-23-0x000001C736110000-0x000001C736120000-memory.dmp

Filesize
64KB

Download
memory/1412-26-0x000001C736110000-0x000001C736120000-memory.dmp

Filesize
64KB

Download
memory/1412-29-0x00007FF808C10000-0x00007FF8096D1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-22-0x00007FF808C10000-0x00007FF8096D1000-memory.dmp

Filesize
10.8MB

Download
memory/1476-75-0x0000000036870000-0x0000000036D52000-memory.dmp

Filesize
4.9MB

Download
memory/1476-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1476-66-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1476-131-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1488-237-0x000001D060B50000-0x000001D060B60000-memory.dmp

Filesize
64KB

Download
memory/1488-255-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/1488-236-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/1488-238-0x000001D060B50000-0x000001D060B60000-memory.dmp

Filesize
64KB

Download
memory/1488-253-0x000001D060B50000-0x000001D060B60000-memory.dmp

Filesize
64KB

Download
memory/1572-178-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1572-181-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1572-222-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1640-19-0x00007FF808C10000-0x00007FF8096D1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-33-0x00007FF808C10000-0x00007FF8096D1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-10-0x000001A979D40000-0x000001A979D62000-memory.dmp

Filesize
136KB

Download
memory/1640-24-0x000001A979380000-0x000001A979390000-memory.dmp

Filesize
64KB

Download
memory/1640-21-0x000001A979380000-0x000001A979390000-memory.dmp

Filesize
64KB

Download
memory/2096-138-0x0000026371540000-0x0000026371550000-memory.dmp

Filesize
64KB

Download
memory/2096-162-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/2096-160-0x0000026371540000-0x0000026371550000-memory.dmp

Filesize
64KB

Download
memory/2096-137-0x0000026371540000-0x0000026371550000-memory.dmp

Filesize
64KB

Download
memory/2096-136-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/2096-150-0x0000026371540000-0x0000026371550000-memory.dmp

Filesize
64KB

Download
memory/2128-180-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2128-133-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2128-132-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2128-129-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2128-135-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2128-134-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2320-223-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2320-225-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2320-221-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2320-261-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2320-226-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2320-224-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2432-196-0x000001E962A70000-0x000001E962A80000-memory.dmp

Filesize
64KB

Download
memory/2432-194-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/2432-210-0x000001E962A70000-0x000001E962A80000-memory.dmp

Filesize
64KB

Download
memory/2432-213-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/2724-193-0x0000013CA4830000-0x0000013CA4840000-memory.dmp

Filesize
64KB

Download
memory/2724-192-0x0000013CA4830000-0x0000013CA4840000-memory.dmp

Filesize
64KB

Download
memory/2724-209-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/2724-207-0x0000013CA4830000-0x0000013CA4840000-memory.dmp

Filesize
64KB

Download
memory/2724-182-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/2724-202-0x0000013CA4830000-0x0000013CA4840000-memory.dmp

Filesize
64KB

Download
memory/3100-166-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/3100-149-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/3100-163-0x0000027DCD370000-0x0000027DCD380000-memory.dmp

Filesize
64KB

Download
memory/3468-353-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3468-279-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3468-280-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3468-284-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3948-287-0x00007FF8095D0000-0x00007FF80A091000-memory.dmp

Filesize
10.8MB

Download
memory/4348-64-0x0000020BE6E60000-0x0000020BE6E70000-memory.dmp

Filesize
64KB

Download
memory/4348-44-0x00007FF808B40000-0x00007FF809601000-memory.dmp

Filesize
10.8MB

Download
memory/4348-68-0x0000020BE6E60000-0x0000020BE6E70000-memory.dmp

Filesize
64KB

Download
memory/4348-69-0x0000020BE6E60000-0x0000020BE6E70000-memory.dmp

Filesize
64KB

Download
memory/4348-74-0x00007FF808B40000-0x00007FF809601000-memory.dmp

Filesize
10.8MB

Download
memory/5052-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5052-25-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5052-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5076-357-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5076-415-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download