7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1800s
max time network
1808s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (767) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2856	netsh.exe
2160	netsh.exe
4844	netsh.exe
212	netsh.exe
436	netsh.exe
3924	netsh.exe
4580	netsh.exe
4728	netsh.exe
2232	netsh.exe
2236	netsh.exe
4908	netsh.exe
660	netsh.exe
1048	netsh.exe
1348	netsh.exe
1184	netsh.exe
4880	netsh.exe
4932	netsh.exe
4784	netsh.exe
4960	netsh.exe
2788	netsh.exe
492	netsh.exe
4188	netsh.exe
2260	netsh.exe
2312	netsh.exe
4816	netsh.exe
3496	netsh.exe

Executes dropped EXE 12 IoCs

Processes:

svchost.exe~tl1D6C.tmpsvchost.exe~tlFF22.tmpsvchost.exe~tl8AB9.tmpsvchost.exe~tlD7D3.tmpsvchost.exe~tl4247.tmpsvchost.exe~tlB279.tmp

pid	process
4804	svchost.exe
4264	~tl1D6C.tmp
408	svchost.exe
776	~tlFF22.tmp
1032	svchost.exe
4272	~tl8AB9.tmp
4360	svchost.exe
2076	~tlD7D3.tmp
64	svchost.exe
1072	~tl4247.tmp
2836	svchost.exe
4764	~tlB279.tmp

Drops file in System32 directory 40 IoCs

Processes:

powershell.exe~tlB279.tmp~tl4247.tmp~tlD7D3.tmppowershell.exesvchost.exepowershell.exepowershell.exesvchost.exesvchost.exe~tl8AB9.tmppowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlB279.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tl4247.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlD7D3.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl4247.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlB279.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl8AB9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlD7D3.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tlB279.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl8AB9.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\5QS68INC.htm	~tlD7D3.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl4247.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe

Drops file in Windows directory 11 IoCs

Processes:

svchost.exe~tl1D6C.tmpsvchost.exesvchost.exesvchost_dump_SCY - Copy.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl1D6C.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl1D6C.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4964 schtasks.exe
428 schtasks.exe

pid	process
4964	schtasks.exe
428	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenetsh.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl8AB9.tmpsvchost.exepowershell.exenetsh.exepowershell.exenetsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl8AB9.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl1D6C.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlFF22.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl8AB9.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
4904	powershell.exe
4904	powershell.exe
2588	powershell.exe
2588	powershell.exe
4904	powershell.exe
2588	powershell.exe
2304	svchost_dump_SCY - Copy.exe
2304	svchost_dump_SCY - Copy.exe
2772	powershell.exe
4172	powershell.exe
2772	powershell.exe
2772	powershell.exe
4172	powershell.exe
4172	powershell.exe
4264	~tl1D6C.tmp
4264	~tl1D6C.tmp
4272	powershell.exe
2076	powershell.exe
4272	powershell.exe
2076	powershell.exe
4272	powershell.exe
2076	powershell.exe
4264	~tl1D6C.tmp
4264	~tl1D6C.tmp
408	svchost.exe
408	svchost.exe
2932	powershell.exe
2932	powershell.exe
4284	powershell.exe
4284	powershell.exe
2932	powershell.exe
4284	powershell.exe
776	~tlFF22.tmp
776	~tlFF22.tmp
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
1032	svchost.exe
1032	svchost.exe
708	powershell.exe
3444	powershell.exe
3444	powershell.exe
708	powershell.exe
3444	powershell.exe
708	powershell.exe
4272	~tl8AB9.tmp
4272	~tl8AB9.tmp
3008	powershell.exe
1660	powershell.exe
3008	powershell.exe
1660	powershell.exe
3008	powershell.exe
1660	powershell.exe
4360	svchost.exe
4360	svchost.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe
Token: SeSecurityPrivilege	4588	WMIC.exe
Token: SeTakeOwnershipPrivilege	4588	WMIC.exe
Token: SeLoadDriverPrivilege	4588	WMIC.exe
Token: SeSystemProfilePrivilege	4588	WMIC.exe
Token: SeSystemtimePrivilege	4588	WMIC.exe
Token: SeProfSingleProcessPrivilege	4588	WMIC.exe
Token: SeIncBasePriorityPrivilege	4588	WMIC.exe
Token: SeCreatePagefilePrivilege	4588	WMIC.exe
Token: SeBackupPrivilege	4588	WMIC.exe
Token: SeRestorePrivilege	4588	WMIC.exe
Token: SeShutdownPrivilege	4588	WMIC.exe
Token: SeDebugPrivilege	4588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4588	WMIC.exe
Token: SeRemoteShutdownPrivilege	4588	WMIC.exe
Token: SeUndockPrivilege	4588	WMIC.exe
Token: SeManageVolumePrivilege	4588	WMIC.exe
Token: 33	4588	WMIC.exe
Token: 34	4588	WMIC.exe
Token: 35	4588	WMIC.exe
Token: 36	4588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe
Token: SeSecurityPrivilege	4588	WMIC.exe
Token: SeTakeOwnershipPrivilege	4588	WMIC.exe
Token: SeLoadDriverPrivilege	4588	WMIC.exe
Token: SeSystemProfilePrivilege	4588	WMIC.exe
Token: SeSystemtimePrivilege	4588	WMIC.exe
Token: SeProfSingleProcessPrivilege	4588	WMIC.exe
Token: SeIncBasePriorityPrivilege	4588	WMIC.exe
Token: SeCreatePagefilePrivilege	4588	WMIC.exe
Token: SeBackupPrivilege	4588	WMIC.exe
Token: SeRestorePrivilege	4588	WMIC.exe
Token: SeShutdownPrivilege	4588	WMIC.exe
Token: SeDebugPrivilege	4588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4588	WMIC.exe
Token: SeRemoteShutdownPrivilege	4588	WMIC.exe
Token: SeUndockPrivilege	4588	WMIC.exe
Token: SeManageVolumePrivilege	4588	WMIC.exe
Token: 33	4588	WMIC.exe
Token: 34	4588	WMIC.exe
Token: 35	4588	WMIC.exe
Token: 36	4588	WMIC.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeIncreaseQuotaPrivilege	4904	powershell.exe
Token: SeSecurityPrivilege	4904	powershell.exe
Token: SeTakeOwnershipPrivilege	4904	powershell.exe
Token: SeLoadDriverPrivilege	4904	powershell.exe
Token: SeSystemProfilePrivilege	4904	powershell.exe
Token: SeSystemtimePrivilege	4904	powershell.exe
Token: SeProfSingleProcessPrivilege	4904	powershell.exe
Token: SeIncBasePriorityPrivilege	4904	powershell.exe
Token: SeCreatePagefilePrivilege	4904	powershell.exe
Token: SeBackupPrivilege	4904	powershell.exe
Token: SeRestorePrivilege	4904	powershell.exe
Token: SeShutdownPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeSystemEnvironmentPrivilege	4904	powershell.exe
Token: SeRemoteShutdownPrivilege	4904	powershell.exe
Token: SeUndockPrivilege	4904	powershell.exe
Token: SeManageVolumePrivilege	4904	powershell.exe
Token: 33	4904	powershell.exe
Token: 34	4904	powershell.exe
Token: 35	4904	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl1D6C.tmpsvchost.exe~tlFF22.tmp

description	pid	process	target process
PID 2304 wrote to memory of 4588	2304	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2304 wrote to memory of 4588	2304	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2304 wrote to memory of 2856	2304	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2304 wrote to memory of 2856	2304	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2304 wrote to memory of 4960	2304	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2304 wrote to memory of 4960	2304	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2304 wrote to memory of 4904	2304	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2304 wrote to memory of 4904	2304	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2304 wrote to memory of 2588	2304	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2304 wrote to memory of 2588	2304	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2304 wrote to memory of 4896	2304	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2304 wrote to memory of 4896	2304	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2304 wrote to memory of 4964	2304	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2304 wrote to memory of 4964	2304	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2304 wrote to memory of 4804	2304	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2304 wrote to memory of 4804	2304	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4804 wrote to memory of 2524	4804	svchost.exe	WMIC.exe
PID 4804 wrote to memory of 2524	4804	svchost.exe	WMIC.exe
PID 4804 wrote to memory of 2788	4804	svchost.exe	netsh.exe
PID 4804 wrote to memory of 2788	4804	svchost.exe	netsh.exe
PID 4804 wrote to memory of 2160	4804	svchost.exe	netsh.exe
PID 4804 wrote to memory of 2160	4804	svchost.exe	netsh.exe
PID 4804 wrote to memory of 2772	4804	svchost.exe	powershell.exe
PID 4804 wrote to memory of 2772	4804	svchost.exe	powershell.exe
PID 4804 wrote to memory of 4172	4804	svchost.exe	powershell.exe
PID 4804 wrote to memory of 4172	4804	svchost.exe	powershell.exe
PID 4804 wrote to memory of 4264	4804	svchost.exe	~tl1D6C.tmp
PID 4804 wrote to memory of 4264	4804	svchost.exe	~tl1D6C.tmp
PID 4264 wrote to memory of 1776	4264	~tl1D6C.tmp	netsh.exe
PID 4264 wrote to memory of 1776	4264	~tl1D6C.tmp	netsh.exe
PID 4264 wrote to memory of 4844	4264	~tl1D6C.tmp	netsh.exe
PID 4264 wrote to memory of 4844	4264	~tl1D6C.tmp	netsh.exe
PID 4264 wrote to memory of 4188	4264	~tl1D6C.tmp	netsh.exe
PID 4264 wrote to memory of 4188	4264	~tl1D6C.tmp	netsh.exe
PID 4264 wrote to memory of 4272	4264	~tl1D6C.tmp	powershell.exe
PID 4264 wrote to memory of 4272	4264	~tl1D6C.tmp	powershell.exe
PID 4264 wrote to memory of 2076	4264	~tl1D6C.tmp	powershell.exe
PID 4264 wrote to memory of 2076	4264	~tl1D6C.tmp	powershell.exe
PID 4264 wrote to memory of 2208	4264	~tl1D6C.tmp	schtasks.exe
PID 4264 wrote to memory of 2208	4264	~tl1D6C.tmp	schtasks.exe
PID 4264 wrote to memory of 428	4264	~tl1D6C.tmp	schtasks.exe
PID 4264 wrote to memory of 428	4264	~tl1D6C.tmp	schtasks.exe
PID 4264 wrote to memory of 408	4264	~tl1D6C.tmp	svchost.exe
PID 4264 wrote to memory of 408	4264	~tl1D6C.tmp	svchost.exe
PID 408 wrote to memory of 380	408	svchost.exe	netsh.exe
PID 408 wrote to memory of 380	408	svchost.exe	netsh.exe
PID 408 wrote to memory of 1348	408	svchost.exe	netsh.exe
PID 408 wrote to memory of 1348	408	svchost.exe	netsh.exe
PID 408 wrote to memory of 2260	408	svchost.exe	netsh.exe
PID 408 wrote to memory of 2260	408	svchost.exe	netsh.exe
PID 408 wrote to memory of 2932	408	svchost.exe	powershell.exe
PID 408 wrote to memory of 2932	408	svchost.exe	powershell.exe
PID 408 wrote to memory of 4284	408	svchost.exe	powershell.exe
PID 408 wrote to memory of 4284	408	svchost.exe	powershell.exe
PID 408 wrote to memory of 776	408	svchost.exe	~tlFF22.tmp
PID 408 wrote to memory of 776	408	svchost.exe	~tlFF22.tmp
PID 776 wrote to memory of 208	776	~tlFF22.tmp	netsh.exe
PID 776 wrote to memory of 208	776	~tlFF22.tmp	netsh.exe
PID 776 wrote to memory of 3924	776	~tlFF22.tmp	netsh.exe
PID 776 wrote to memory of 3924	776	~tlFF22.tmp	netsh.exe
PID 776 wrote to memory of 2312	776	~tlFF22.tmp	netsh.exe
PID 776 wrote to memory of 2312	776	~tlFF22.tmp	netsh.exe
PID 776 wrote to memory of 4820	776	~tlFF22.tmp	powershell.exe
PID 776 wrote to memory of 4820	776	~tlFF22.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2856

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4896

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4964

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:2524

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2788

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Users\Admin\AppData\Local\Temp\~tl1D6C.tmp
C:\Users\Admin\AppData\Local\Temp\~tl1D6C.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1776

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4844

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2208

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:428

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:380

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1348

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Users\Admin\AppData\Local\Temp\~tlFF22.tmp
C:\Users\Admin\AppData\Local\Temp\~tlFF22.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:208

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3924

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3232

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1032

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2432

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:212

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3444

C:\Windows\TEMP\~tl8AB9.tmp
C:\Windows\TEMP\~tl8AB9.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4272

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:4380

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2236

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1660

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:2488

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1184

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\TEMP\~tlD7D3.tmp
C:\Windows\TEMP\~tlD7D3.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2180

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4880

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:64

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:3020

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4932

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:312

C:\Windows\TEMP\~tl4247.tmp
C:\Windows\TEMP\~tl4247.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:372

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:492

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3396

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2836

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:3096

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1048

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4352

C:\Windows\TEMP\~tlB279.tmp
C:\Windows\TEMP\~tlB279.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4764

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:1164

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:436

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
PID:3604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cfab9c93b77986b54aa3cd4b40e9d5c

SHA1
c63eb5d18099ff0c0e6cb60b3718b9951c576695

SHA256
bb66c0d2955af0bffaa61a7d7bca84f94b104e38b604faad9b46bc704ad3bbb3

SHA512
7641c2cd9fc39c6e42f3ac333009c2283a9625fe3648dac6cb3b7b148538598b677609fa242a8a8b63263b9cf16330cdc9c3e6a092428542d0250c4e27f0b361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9973922ca9c995d9cae62756213ce79e

SHA1
1bfa8199d8e16f2e8ca2db21eb220b63e8375bc1

SHA256
a8e289ee2dcde01e898cc8fb024a76c5c3720329e1a2be28986d07dbbdf2bb2d

SHA512
31760eb41d9f37d7fa2c1adf819341c9a51330ca7b3794fe48739d84b49815f22d481afb9ea741056c6dc28b337fc3fe3ca68d25d095f5487d83dfcf8fa9a895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5536317cb5b840f8ac8eaf72aacee60a

SHA1
b226095e5b9760c33a0bcd393f16f1441e4c3dd4

SHA256
1278d5cb74990c8076f25e7a354ae86aa7ed1e99e3f490c830c962d4c40c8846

SHA512
4a37234165e27dcabf6fd17ce0159e2a7268fe62bfd864cf89d1981d06f6561b8e24f24f9855734392b11fac8ba8a4a314c7e4b52b7619e81e828c5d7bbb4b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f94c9f281628a4ab5f26859fe04c6d2d

SHA1
0abb91b81ed1b5db4506c5f46cbf17e56130cdb7

SHA256
90f14a504a8f133f469145e152aa7a16705ef1e56e70eaf52c63d3accccf73c8

SHA512
dd56927741d7c30bbbd421e14f9dc79e3263fcca2f382b0ae070b42b854f5eed9f500d97136fd914d59e6b6a57f6c29b654c4e3cd65d0658bb69620c502a0ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
885fda8d7b92951542413006e57413f9

SHA1
48fa29606d9ddb87b788270c37b149ff901d460b

SHA256
0e1cc07f0f6e015b0ce4f01b057bf7dc832968894c8555f95c7f9814e313519f

SHA512
1510f52b0cc8d9a44161ced32f5379b4e3e2365942690ff4de5220a9497038f8cdb0cdadfc96430dd73695406850f246a020366993443ceeaa5f908d3fc98eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejkxorcg.53e.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl1D6C.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlFF22.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.3MB

MD5
92de1c78075abd421901b532245082af

SHA1
f56748f6cd70c6d7db4d6bf8d1c76c21e5faf903

SHA256
8eed79ddf17b286e568783a622519f6474bdb7ce1839061bdd68e319cf2830a2

SHA512
993ea77f975c6ed01e2b761014eb51377b5365f4813e0f0baca072fa0382d8c5461157769191c2dd48b346ae22c392f760d58d2463267ce88f6bd22a6fb4fe1b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg

Filesize
393KB

MD5
72e28e2092a43e0d70289f62bec20e65

SHA1
944f2b81392ee946f4767376882c5c1bda6dddb5

SHA256
6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

SHA512
31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abe663449b4f576827c31619a785944d

SHA1
580e61da59e18c047b250e6b16b6f1e5ded74bb5

SHA256
078e3c94b51db8f38417da233a3402c5c74652741c56e01307bff989932be438

SHA512
5b0406bfef312263c2a443b3ac1a0a055b93aadaf90fd4f36ffffb59252bf157b6ec7a1aa56ebd27397b50d3fab335cd8d9fef73027dabe590945524a32474b2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cacf51d970a61c965c4c1bd8de5232d7

SHA1
c144199c2ed58265005386d4ee0c35b288797578

SHA256
affcc9c114a4b144a5460bb7ef56999cea4879dbfe5a3f97b0cc5e50cd83e955

SHA512
10e807533f5df91a0e0c003f7cb1e8d3ba561bc5fdc16821a5a366e4e35a4b7929a6d03c4d7708b625f0f89744598fd4bb1533938c16cc9e40a35008bdb55083

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b5b91509410da04ce27ac02bd57ec1b

SHA1
2ce98141797448ef8ec563e896a2e3ca3c1a03dc

SHA256
8f729a570cd70ec0aeb0bc2936ddcd366366a55e5fca60ba95b160e3d396d2eb

SHA512
66a010c1632ed47e2c00e77c7b594b389ea888bd6d11b38d145934eda44d8b58fc1f9e9eda433ed7b7b48d9b8cb32e667d9eb1eefda1b471ce20cb9aef2f4d97

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2eca4efefa84bfa8f3d5724adf31d8c0

SHA1
13f219fbb998e62c2e537aedcdaba2c6a515c7c5

SHA256
ab573ae6cb9dd8d6a90e33562ec81323732aad26f31854bc4b1166dd0e1a19f9

SHA512
d912816be6564466a24a47c8ddc8750445913ae4c0d1d1d8ceeff840bb34199c9d816e47f0588c1ca789ae68b080d31e90e51a9b25f1a99461b157039d832ff3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16d92d7c033d80c6d4c5bd1619e30ac9

SHA1
13d65c0e570aafd0234284a1b385b7f0445ae74f

SHA256
fc9c5cf320d553029e9769693d768d3f83e2c1c2c7d62cde6c7f0c3f0be68233

SHA512
e31d9001fde0aec789cf21e59c368c41e1d304d0bae0c9a913148ce6849e66bf9705290dc64e3878472943f2bf7887832d6c80a39e6f394a49326769cb86eaa0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5be5905ee3a55d544f844d7a30329b16

SHA1
a7b36bf9f77dd0c2958aeaecf8455bb162c178a9

SHA256
749598a63d39babc4c53ccfee605b91b2b4a43f22cf153d2741d16a9d1ddd440

SHA512
b4cf632809790e0fe29240f9a34195d432448980d185bca685f23e132953c23db27c4162bafcc5f5596d6ed81ca7527cbdde03ebc1a984bb1f1cfb7e5b4c61a8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/408-497-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/408-383-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/408-384-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/408-387-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/776-494-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/776-499-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/776-603-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/776-495-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/776-496-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/776-498-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/776-604-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1032-954-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1032-945-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1032-625-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2076-366-0x000002A2D4870000-0x000002A2D4880000-memory.dmp

Filesize
64KB

Download
memory/2076-369-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-287-0x000002A2D4870000-0x000002A2D4880000-memory.dmp

Filesize
64KB

Download
memory/2076-286-0x000002A2D4870000-0x000002A2D4880000-memory.dmp

Filesize
64KB

Download
memory/2076-319-0x000002A2D4870000-0x000002A2D4880000-memory.dmp

Filesize
64KB

Download
memory/2076-283-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-44-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2304-111-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2304-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2588-105-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-99-0x000001D82FBC0000-0x000001D82FBD0000-memory.dmp

Filesize
64KB

Download
memory/2588-48-0x000001D82FBC0000-0x000001D82FBD0000-memory.dmp

Filesize
64KB

Download
memory/2588-16-0x000001D82FBC0000-0x000001D82FBD0000-memory.dmp

Filesize
64KB

Download
memory/2588-12-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-114-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-118-0x00000201FFA90000-0x00000201FFAA0000-memory.dmp

Filesize
64KB

Download
memory/2772-214-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-119-0x00000201FFA90000-0x00000201FFAA0000-memory.dmp

Filesize
64KB

Download
memory/2772-144-0x00000201FFA90000-0x00000201FFAA0000-memory.dmp

Filesize
64KB

Download
memory/2772-206-0x00000201FFA90000-0x00000201FFAA0000-memory.dmp

Filesize
64KB

Download
memory/2932-486-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-424-0x000001D6FCE20000-0x000001D6FCE30000-memory.dmp

Filesize
64KB

Download
memory/2932-482-0x000001D6FCE20000-0x000001D6FCE30000-memory.dmp

Filesize
64KB

Download
memory/2932-393-0x000001D6FCE20000-0x000001D6FCE30000-memory.dmp

Filesize
64KB

Download
memory/2932-391-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/3232-525-0x000001A37B3C0000-0x000001A37B3D0000-memory.dmp

Filesize
64KB

Download
memory/3232-513-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/3232-523-0x000001A37B3C0000-0x000001A37B3D0000-memory.dmp

Filesize
64KB

Download
memory/4172-213-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4172-123-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4172-125-0x00000131F6400000-0x00000131F6410000-memory.dmp

Filesize
64KB

Download
memory/4172-207-0x00000131F6400000-0x00000131F6410000-memory.dmp

Filesize
64KB

Download
memory/4172-167-0x00000131F6400000-0x00000131F6410000-memory.dmp

Filesize
64KB

Download
memory/4172-126-0x00000131F6400000-0x00000131F6410000-memory.dmp

Filesize
64KB

Download
memory/4264-272-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4264-273-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4264-267-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4264-271-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4264-386-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4272-958-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4272-317-0x00000295B47E0000-0x00000295B47F0000-memory.dmp

Filesize
64KB

Download
memory/4272-1274-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4272-372-0x00000295B47E0000-0x00000295B47F0000-memory.dmp

Filesize
64KB

Download
memory/4272-277-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4272-278-0x00000295B47E0000-0x00000295B47F0000-memory.dmp

Filesize
64KB

Download
memory/4272-280-0x00000295B47E0000-0x00000295B47F0000-memory.dmp

Filesize
64KB

Download
memory/4272-376-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4284-397-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4284-441-0x0000027DF18F0000-0x0000027DF1900000-memory.dmp

Filesize
64KB

Download
memory/4284-481-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4284-476-0x0000027DF18F0000-0x0000027DF1900000-memory.dmp

Filesize
64KB

Download
memory/4804-117-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4804-269-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4804-215-0x00000000369D0000-0x0000000036EB2000-memory.dmp

Filesize
4.9MB

Download
memory/4820-503-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4820-506-0x000001B79F990000-0x000001B79F9A0000-memory.dmp

Filesize
64KB

Download
memory/4820-529-0x000001B79F990000-0x000001B79F9A0000-memory.dmp

Filesize
64KB

Download
memory/4820-505-0x000001B79F990000-0x000001B79F9A0000-memory.dmp

Filesize
64KB

Download
memory/4904-100-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download
memory/4904-17-0x0000017E5C570000-0x0000017E5C5E6000-memory.dmp

Filesize
472KB

Download
memory/4904-46-0x0000017E5C2E0000-0x0000017E5C2F0000-memory.dmp

Filesize
64KB

Download
memory/4904-15-0x0000017E5C2E0000-0x0000017E5C2F0000-memory.dmp

Filesize
64KB

Download
memory/4904-95-0x0000017E5C2E0000-0x0000017E5C2F0000-memory.dmp

Filesize
64KB

Download
memory/4904-9-0x0000017E5C2B0000-0x0000017E5C2D2000-memory.dmp

Filesize
136KB

Download
memory/4904-8-0x0000017E5C2E0000-0x0000017E5C2F0000-memory.dmp

Filesize
64KB

Download
memory/4904-5-0x00007FF9B0050000-0x00007FF9B0A3C000-memory.dmp

Filesize
9.9MB

Download