7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1799s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (774) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1008	netsh.exe
1228	netsh.exe
5112	netsh.exe
3096	netsh.exe
1152	netsh.exe
404	netsh.exe
2916	netsh.exe
4932	netsh.exe
4268	netsh.exe
2308	netsh.exe
1672	netsh.exe
696	netsh.exe
3232	netsh.exe
2464	netsh.exe
4992	netsh.exe
1432	netsh.exe
1628	netsh.exe
4268	netsh.exe
1420	netsh.exe
3916	netsh.exe
872	netsh.exe
4108	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

~tl1344.tmpsvchost.exe~tlEC0F.tmpsvchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	~tl1344.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	~tlEC0F.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 11 IoCs

Processes:

svchost.exesvchost.exe~tl1344.tmpsvchost.exe~tlEC0F.tmpsvchost.exe~tl2914.tmpsvchost.exe~tl95AC.tmpsvchost.exe~tlFC58.tmp

pid	process
2688	svchost.exe
3688	svchost.exe
2676	~tl1344.tmp
348	svchost.exe
3192	~tlEC0F.tmp
2060	svchost.exe
1688	~tl2914.tmp
1340	svchost.exe
1056	~tl95AC.tmp
4676	svchost.exe
4988	~tlFC58.tmp

Drops file in System32 directory 25 IoCs

Processes:

svchost.exesvchost.exepowershell.exepowershell.exe~tl2914.tmppowershell.exepowershell.exepowershell.exesvchost.exesvchost.exepowershell.exepowershell.exe~tlFC58.tmppowershell.exepowershell.exepowershell.exe~tl95AC.tmppowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl2914.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\LGZ84YUP.htm	~tl2914.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlFC58.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\S8R5P3YA.htm	~tl2914.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl95AC.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 10 IoCs

Processes:

svchost_dump_SCY - Copy.exe~tl1344.tmpsvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	~tl1344.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl1344.tmp
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2808 schtasks.exe
920 schtasks.exe

pid	process
2808	schtasks.exe
920	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe~tlFC58.tmppowershell.exepowershell.exepowershell.exesvchost.exe~tl2914.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	~tlFC58.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	~tl2914.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl1344.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlEC0F.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl2914.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl95AC.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlFC58.tmppowershell.exepowershell.exe

pid	process
2776	powershell.exe
3532	powershell.exe
2776	powershell.exe
3532	powershell.exe
4088	svchost_dump_SCY - Copy.exe
4088	svchost_dump_SCY - Copy.exe
3448	powershell.exe
3448	powershell.exe
3964	powershell.exe
3964	powershell.exe
2676	~tl1344.tmp
2676	~tl1344.tmp
1000	powershell.exe
1000	powershell.exe
2348	powershell.exe
2348	powershell.exe
2676	~tl1344.tmp
2676	~tl1344.tmp
348	svchost.exe
348	svchost.exe
3652	powershell.exe
3652	powershell.exe
5060	powershell.exe
5060	powershell.exe
3192	~tlEC0F.tmp
3192	~tlEC0F.tmp
1732	powershell.exe
1732	powershell.exe
1084	powershell.exe
1084	powershell.exe
2060	svchost.exe
2060	svchost.exe
1356	powershell.exe
1356	powershell.exe
4012	powershell.exe
4012	powershell.exe
1688	~tl2914.tmp
1688	~tl2914.tmp
4936	powershell.exe
2676	powershell.exe
4936	powershell.exe
2676	powershell.exe
1340	svchost.exe
1340	svchost.exe
4232	powershell.exe
1636	powershell.exe
1636	powershell.exe
4232	powershell.exe
1056	~tl95AC.tmp
1056	~tl95AC.tmp
3960	powershell.exe
2220	powershell.exe
2220	powershell.exe
3960	powershell.exe
4676	svchost.exe
4676	svchost.exe
4996	powershell.exe
4996	powershell.exe
316	powershell.exe
316	powershell.exe
4988	~tlFC58.tmp
4988	~tlFC58.tmp
4020	powershell.exe
2824	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe
Token: SeSecurityPrivilege	2436	WMIC.exe
Token: SeTakeOwnershipPrivilege	2436	WMIC.exe
Token: SeLoadDriverPrivilege	2436	WMIC.exe
Token: SeSystemProfilePrivilege	2436	WMIC.exe
Token: SeSystemtimePrivilege	2436	WMIC.exe
Token: SeProfSingleProcessPrivilege	2436	WMIC.exe
Token: SeIncBasePriorityPrivilege	2436	WMIC.exe
Token: SeCreatePagefilePrivilege	2436	WMIC.exe
Token: SeBackupPrivilege	2436	WMIC.exe
Token: SeRestorePrivilege	2436	WMIC.exe
Token: SeShutdownPrivilege	2436	WMIC.exe
Token: SeDebugPrivilege	2436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2436	WMIC.exe
Token: SeRemoteShutdownPrivilege	2436	WMIC.exe
Token: SeUndockPrivilege	2436	WMIC.exe
Token: SeManageVolumePrivilege	2436	WMIC.exe
Token: 33	2436	WMIC.exe
Token: 34	2436	WMIC.exe
Token: 35	2436	WMIC.exe
Token: 36	2436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe
Token: SeSecurityPrivilege	2436	WMIC.exe
Token: SeTakeOwnershipPrivilege	2436	WMIC.exe
Token: SeLoadDriverPrivilege	2436	WMIC.exe
Token: SeSystemProfilePrivilege	2436	WMIC.exe
Token: SeSystemtimePrivilege	2436	WMIC.exe
Token: SeProfSingleProcessPrivilege	2436	WMIC.exe
Token: SeIncBasePriorityPrivilege	2436	WMIC.exe
Token: SeCreatePagefilePrivilege	2436	WMIC.exe
Token: SeBackupPrivilege	2436	WMIC.exe
Token: SeRestorePrivilege	2436	WMIC.exe
Token: SeShutdownPrivilege	2436	WMIC.exe
Token: SeDebugPrivilege	2436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2436	WMIC.exe
Token: SeRemoteShutdownPrivilege	2436	WMIC.exe
Token: SeUndockPrivilege	2436	WMIC.exe
Token: SeManageVolumePrivilege	2436	WMIC.exe
Token: 33	2436	WMIC.exe
Token: 34	2436	WMIC.exe
Token: 35	2436	WMIC.exe
Token: 36	2436	WMIC.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	WMIC.exe
Token: SeSecurityPrivilege	3276	WMIC.exe
Token: SeTakeOwnershipPrivilege	3276	WMIC.exe
Token: SeLoadDriverPrivilege	3276	WMIC.exe
Token: SeSystemProfilePrivilege	3276	WMIC.exe
Token: SeSystemtimePrivilege	3276	WMIC.exe
Token: SeProfSingleProcessPrivilege	3276	WMIC.exe
Token: SeIncBasePriorityPrivilege	3276	WMIC.exe
Token: SeCreatePagefilePrivilege	3276	WMIC.exe
Token: SeBackupPrivilege	3276	WMIC.exe
Token: SeRestorePrivilege	3276	WMIC.exe
Token: SeShutdownPrivilege	3276	WMIC.exe
Token: SeDebugPrivilege	3276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3276	WMIC.exe
Token: SeRemoteShutdownPrivilege	3276	WMIC.exe
Token: SeUndockPrivilege	3276	WMIC.exe
Token: SeManageVolumePrivilege	3276	WMIC.exe
Token: 33	3276	WMIC.exe
Token: 34	3276	WMIC.exe
Token: 35	3276	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exesvchost.exe~tl1344.tmpsvchost.exe~tlEC0F.tmp

description	pid	process	target process
PID 4088 wrote to memory of 2436	4088	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4088 wrote to memory of 2436	4088	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4088 wrote to memory of 1420	4088	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4088 wrote to memory of 1420	4088	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4088 wrote to memory of 3916	4088	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4088 wrote to memory of 3916	4088	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4088 wrote to memory of 2776	4088	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4088 wrote to memory of 2776	4088	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4088 wrote to memory of 3532	4088	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4088 wrote to memory of 3532	4088	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4088 wrote to memory of 2024	4088	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4088 wrote to memory of 2024	4088	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4088 wrote to memory of 2808	4088	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4088 wrote to memory of 2808	4088	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4088 wrote to memory of 2688	4088	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4088 wrote to memory of 2688	4088	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2688 wrote to memory of 3276	2688	svchost.exe	WMIC.exe
PID 2688 wrote to memory of 3276	2688	svchost.exe	WMIC.exe
PID 2688 wrote to memory of 872	2688	svchost.exe	netsh.exe
PID 2688 wrote to memory of 872	2688	svchost.exe	netsh.exe
PID 2688 wrote to memory of 4268	2688	svchost.exe	netsh.exe
PID 2688 wrote to memory of 4268	2688	svchost.exe	netsh.exe
PID 2688 wrote to memory of 3448	2688	svchost.exe	powershell.exe
PID 2688 wrote to memory of 3448	2688	svchost.exe	powershell.exe
PID 2688 wrote to memory of 3964	2688	svchost.exe	powershell.exe
PID 2688 wrote to memory of 3964	2688	svchost.exe	powershell.exe
PID 3688 wrote to memory of 4504	3688	svchost.exe	WMIC.exe
PID 3688 wrote to memory of 4504	3688	svchost.exe	WMIC.exe
PID 2688 wrote to memory of 2676	2688	svchost.exe	~tl1344.tmp
PID 2688 wrote to memory of 2676	2688	svchost.exe	~tl1344.tmp
PID 2676 wrote to memory of 1616	2676	~tl1344.tmp	netsh.exe
PID 2676 wrote to memory of 1616	2676	~tl1344.tmp	netsh.exe
PID 2676 wrote to memory of 1228	2676	~tl1344.tmp	netsh.exe
PID 2676 wrote to memory of 1228	2676	~tl1344.tmp	netsh.exe
PID 2676 wrote to memory of 5112	2676	~tl1344.tmp	netsh.exe
PID 2676 wrote to memory of 5112	2676	~tl1344.tmp	netsh.exe
PID 2676 wrote to memory of 1000	2676	~tl1344.tmp	powershell.exe
PID 2676 wrote to memory of 1000	2676	~tl1344.tmp	powershell.exe
PID 2676 wrote to memory of 2348	2676	~tl1344.tmp	powershell.exe
PID 2676 wrote to memory of 2348	2676	~tl1344.tmp	powershell.exe
PID 2676 wrote to memory of 1132	2676	~tl1344.tmp	schtasks.exe
PID 2676 wrote to memory of 1132	2676	~tl1344.tmp	schtasks.exe
PID 2676 wrote to memory of 920	2676	~tl1344.tmp	schtasks.exe
PID 2676 wrote to memory of 920	2676	~tl1344.tmp	schtasks.exe
PID 2676 wrote to memory of 348	2676	~tl1344.tmp	svchost.exe
PID 2676 wrote to memory of 348	2676	~tl1344.tmp	svchost.exe
PID 348 wrote to memory of 3500	348	svchost.exe	netsh.exe
PID 348 wrote to memory of 3500	348	svchost.exe	netsh.exe
PID 348 wrote to memory of 3096	348	svchost.exe	netsh.exe
PID 348 wrote to memory of 3096	348	svchost.exe	netsh.exe
PID 348 wrote to memory of 1152	348	svchost.exe	netsh.exe
PID 348 wrote to memory of 1152	348	svchost.exe	netsh.exe
PID 348 wrote to memory of 3652	348	svchost.exe	powershell.exe
PID 348 wrote to memory of 3652	348	svchost.exe	powershell.exe
PID 348 wrote to memory of 5060	348	svchost.exe	powershell.exe
PID 348 wrote to memory of 5060	348	svchost.exe	powershell.exe
PID 348 wrote to memory of 3192	348	svchost.exe	~tlEC0F.tmp
PID 348 wrote to memory of 3192	348	svchost.exe	~tlEC0F.tmp
PID 3192 wrote to memory of 1068	3192	~tlEC0F.tmp	netsh.exe
PID 3192 wrote to memory of 1068	3192	~tlEC0F.tmp	netsh.exe
PID 3192 wrote to memory of 404	3192	~tlEC0F.tmp	netsh.exe
PID 3192 wrote to memory of 404	3192	~tlEC0F.tmp	netsh.exe
PID 3192 wrote to memory of 2308	3192	~tlEC0F.tmp	netsh.exe
PID 3192 wrote to memory of 2308	3192	~tlEC0F.tmp	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1420

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2024

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2808

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:872

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Users\Admin\AppData\Local\Temp\~tl1344.tmp
C:\Users\Admin\AppData\Local\Temp\~tl1344.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1616

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1228

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:1132

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:920

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3500

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3096

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5060

C:\Users\Admin\AppData\Local\Temp\~tlEC0F.tmp
C:\Users\Admin\AppData\Local\Temp\~tlEC0F.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1068

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:404

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:4504

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:3080

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2916

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Windows\TEMP\~tl2914.tmp
C:\Windows\TEMP\~tl2914.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3424

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4108

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:4568

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1672

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\TEMP\~tl95AC.tmp
C:\Windows\TEMP\~tl95AC.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4648

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1628

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2220

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:1820

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3232

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Windows\TEMP\~tlFC58.tmp
C:\Windows\TEMP\~tlFC58.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2756

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1008

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
657f1383dfb9783d7889c4df82901c1c

SHA1
3d9736cffde9d93cf93ffc80d18949fccdc68eb6

SHA256
aa2d0dcda661e11cca53f6dcbc07b5f8ff03df7fc2b4d28f2ad8705ed0f93ab8

SHA512
327d790e546bfc35f5704c2b6abad5e767985773b992349014169afb9ec13e3c81067ced9742fc461b11dbf3c3a5f1454f735160e2595260fe4c6cdd0002216a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c0b54979be9dc4a7e064d1fd6a1fe278

SHA1
fff4cc8af7505a4010373b31d402e183f002dc03

SHA256
0a9e4ba8cd62a3057361dc05a45d5118a60b831f3ab7ff794e1843513237c71a

SHA512
c1d0c91bbaab16721220de53d5af889db7f497eb5c665067340f231d90c2dc3e87ee457a06847874a847a7aeaf8f71aa0ce04f75dbc41184893e7d2276b4a97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3z02dyn.nrl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl1344.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlEC0F.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
6.0MB

MD5
07c0f9894face98716ae71dac82652bb

SHA1
4618f07131e7b0dc5fb76fc405d679f0b5f80aa5

SHA256
e4a86d326df4f9ff530c02b09519fe1dc9d8377af7b4834a648765e47a2f934c

SHA512
2f81f1ccee27f5560406dd43af627f264ed7f04cace351c3ddfabc024102c2077ffbfdd22176fee95d0b44f0e527e972ea40951da5c23733e5aff3cbe810683f

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
856B

MD5
1796b130132422e24f94b2122f9d901d

SHA1
b49c5b16c92fdc3f5f1500074652e7fb479601e7

SHA256
79beea91e0983a1255ea200b98efc11638787313d25a460235edac1f4435a106

SHA512
b9d9c297c8e77c1594a87148ca80ebc91c121c198a41e5f7af396966521463cf7a5c60da118bdc08ae4f0f5d445e3601f1bc87cc6affc24b68480891e7422e9f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6494311bccf8e3d2d71012d83579d25d

SHA1
6506537ba1cdae2d53537fee1e773b70a362952b

SHA256
7886bd67277429059000b622d932e1a177e9677690a8e2c27d7bcb168da96388

SHA512
159810bfbf60a017bd9fbf877f96bc0c1621461020a8b59173a69f45880e4689a3a324b38b19e04c6e00a2a8467e23d14aa3f9d9e00a9c290ed9950c64f94e2f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c760880d6bc08cda4e37517b962c15c8

SHA1
f5ffa613e2160452ec84b89fe7a1d2fb5a1c1c12

SHA256
19a17a4c2670d8b8d6b08f4f8e07f3cc87c0c42634f0dbccc26f035185b56396

SHA512
4f7a4fa10f47a7bf3a7159e54e3c3dc89d0e950e8ef58cf34dda0f960916a4a5aee6adf3ba342326a591e34f7cbb03404700bb3578edb1fee3be1f439ae76ea0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d9f6464c8062892853bf19bb71829d34

SHA1
e5836f4fc2ba4177d58274f3a2e288e0d54922d7

SHA256
8d9aadf9c9e63abd444f136a75370fae0b291ebbade2e8b1a856a2b66785dd2e

SHA512
709e49ece9043280a2b697a07f4d226d14355efb6e5061066adc4e9ab91c97afc1c1eba77d5d7a2723c0226ca474dbdc9ea13619a9734a955c5747e44bcd2401

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
877cbe19207b431000ab1f991bf8ca46

SHA1
16fefd70e50230c0a26cbb00cad1016ea7745d6c

SHA256
9d70a7dc15e248b27d6bf474b86ac4ec094cc2f0d043dd125036bc2d319d4c50

SHA512
91e6a97a69cbc727d7a97abc2abe44df32d0bfb509ceecabd9fbfd0208dbd659248e05f11abed60caeb84d6f12307255379be2a4db613703e2067044724a13fa

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0953b594264e274949d61e5195a621de

SHA1
c354e793be20a5c775f8ef8ea0070da241df01df

SHA256
3bb9454766d98b1890a7adb01511c4377c3dd6ad96e0b382f27fc38512a541e6

SHA512
6268096c32a53dc70c57e7ae73524bd5fd42b613d7e00edf3d249029af9069f831c928ab202c90e66578a00fa7a42c2431fae7b4a0399f56403847f95ed5d4e9

Download Submit
memory/348-221-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/348-184-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/348-182-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/348-181-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1000-167-0x00007FFA639A0000-0x00007FFA64461000-memory.dmp

Filesize
10.8MB

Download
memory/1000-152-0x00007FFA639A0000-0x00007FFA64461000-memory.dmp

Filesize
10.8MB

Download
memory/1000-153-0x000001F9ED6C0000-0x000001F9ED6D0000-memory.dmp

Filesize
64KB

Download
memory/1084-254-0x00007FFA63D60000-0x00007FFA64821000-memory.dmp

Filesize
10.8MB

Download
memory/1084-251-0x000001DFAA9A0000-0x000001DFAA9B0000-memory.dmp

Filesize
64KB

Download
memory/1084-237-0x00007FFA63D60000-0x00007FFA64821000-memory.dmp

Filesize
10.8MB

Download
memory/1084-238-0x000001DFAA9A0000-0x000001DFAA9B0000-memory.dmp

Filesize
64KB

Download
memory/1084-239-0x000001DFAA9A0000-0x000001DFAA9B0000-memory.dmp

Filesize
64KB

Download
memory/1356-330-0x000001A8484C0000-0x000001A8484DC000-memory.dmp

Filesize
112KB

Download
memory/1356-319-0x000001A847EF0000-0x000001A847EFA000-memory.dmp

Filesize
40KB

Download
memory/1356-333-0x000001A8484A0000-0x000001A8484A8000-memory.dmp

Filesize
32KB

Download
memory/1356-332-0x000001A8484E0000-0x000001A8484FA000-memory.dmp

Filesize
104KB

Download
memory/1356-317-0x000001A848280000-0x000001A84829C000-memory.dmp

Filesize
112KB

Download
memory/1356-309-0x00007FF4EF480000-0x00007FF4EF490000-memory.dmp

Filesize
64KB

Download
memory/1356-286-0x000001A845E60000-0x000001A845E70000-memory.dmp

Filesize
64KB

Download
memory/1356-318-0x000001A8482A0000-0x000001A848355000-memory.dmp

Filesize
724KB

Download
memory/1356-285-0x00007FFA64360000-0x00007FFA64E21000-memory.dmp

Filesize
10.8MB

Download
memory/1688-359-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1688-416-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1732-250-0x00007FFA63D60000-0x00007FFA64821000-memory.dmp

Filesize
10.8MB

Download
memory/1732-226-0x00007FFA63D60000-0x00007FFA64821000-memory.dmp

Filesize
10.8MB

Download
memory/2060-281-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2060-284-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2060-355-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2348-170-0x00007FFA639A0000-0x00007FFA64461000-memory.dmp

Filesize
10.8MB

Download
memory/2348-154-0x00007FFA639A0000-0x00007FFA64461000-memory.dmp

Filesize
10.8MB

Download
memory/2348-164-0x000001B7C1290000-0x000001B7C12A0000-memory.dmp

Filesize
64KB

Download
memory/2348-165-0x000001B7C1290000-0x000001B7C12A0000-memory.dmp

Filesize
64KB

Download
memory/2676-183-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2676-139-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2676-141-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2676-140-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2676-138-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2676-135-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2688-72-0x0000000036860000-0x0000000036D42000-memory.dmp

Filesize
4.9MB

Download
memory/2688-137-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2688-39-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2688-71-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2776-29-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/2776-12-0x0000026B14250000-0x0000026B14272000-memory.dmp

Filesize
136KB

Download
memory/2776-2-0x0000026B2C980000-0x0000026B2C990000-memory.dmp

Filesize
64KB

Download
memory/2776-1-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3192-220-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3192-225-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3192-224-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3192-223-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3192-222-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3192-256-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3448-41-0x00007FFA643D0000-0x00007FFA64E91000-memory.dmp

Filesize
10.8MB

Download
memory/3448-43-0x000001F1BA060000-0x000001F1BA070000-memory.dmp

Filesize
64KB

Download
memory/3448-42-0x000001F1BA060000-0x000001F1BA070000-memory.dmp

Filesize
64KB

Download
memory/3448-67-0x00007FFA643D0000-0x00007FFA64E91000-memory.dmp

Filesize
10.8MB

Download
memory/3532-14-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3532-16-0x000001C8039F0000-0x000001C803A00000-memory.dmp

Filesize
64KB

Download
memory/3532-15-0x000001C8039F0000-0x000001C803A00000-memory.dmp

Filesize
64KB

Download
memory/3532-30-0x00007FFA64480000-0x00007FFA64F41000-memory.dmp

Filesize
10.8MB

Download
memory/3652-194-0x00007FFA63960000-0x00007FFA64421000-memory.dmp

Filesize
10.8MB

Download
memory/3652-209-0x00007FFA63960000-0x00007FFA64421000-memory.dmp

Filesize
10.8MB

Download
memory/3688-126-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3688-127-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3964-55-0x0000025E4B580000-0x0000025E4B590000-memory.dmp

Filesize
64KB

Download
memory/3964-70-0x00007FFA643D0000-0x00007FFA64E91000-memory.dmp

Filesize
10.8MB

Download
memory/3964-54-0x00007FFA643D0000-0x00007FFA64E91000-memory.dmp

Filesize
10.8MB

Download
memory/3964-56-0x0000025E4B580000-0x0000025E4B590000-memory.dmp

Filesize
64KB

Download
memory/4012-322-0x0000025B4F170000-0x0000025B4F180000-memory.dmp

Filesize
64KB

Download
memory/4012-331-0x0000025B517C0000-0x0000025B517CA000-memory.dmp

Filesize
40KB

Download
memory/4012-296-0x00007FFA64360000-0x00007FFA64E21000-memory.dmp

Filesize
10.8MB

Download
memory/4012-297-0x0000025B4F170000-0x0000025B4F180000-memory.dmp

Filesize
64KB

Download
memory/4088-40-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4088-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4088-13-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5060-196-0x00007FFA63960000-0x00007FFA64421000-memory.dmp

Filesize
10.8MB

Download
memory/5060-206-0x000001C82A7D0000-0x000001C82A7E0000-memory.dmp

Filesize
64KB

Download
memory/5060-212-0x00007FFA63960000-0x00007FFA64421000-memory.dmp

Filesize
10.8MB

Download
memory/5060-207-0x000001C82A7D0000-0x000001C82A7E0000-memory.dmp

Filesize
64KB

Download