a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1800s
max time network
1808s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (551) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4920	netsh.exe
3624	netsh.exe
4308	netsh.exe
2848	netsh.exe
4420	netsh.exe
5036	netsh.exe
4376	netsh.exe
5036	netsh.exe
1468	netsh.exe
2240	netsh.exe
4676	netsh.exe
632	netsh.exe
4808	netsh.exe
3916	netsh.exe
1812	netsh.exe
4352	netsh.exe
212	netsh.exe
3076	netsh.exe
1172	netsh.exe
3388	netsh.exe
3628	netsh.exe
4532	netsh.exe

Executes dropped EXE 12 IoCs

Processes:

svchost.exe~tl76C3.tmpsvchost.exe~tl5A3D.tmpsvchost.exe~tl368A.tmpsvchost.exe~tl9A96.tmpsvchost.exe~tl46E.tmpsvchost.exe~tl6D0E.tmp

pid	process
4916	svchost.exe
3892	~tl76C3.tmp
3952	svchost.exe
4016	~tl5A3D.tmp
4312	svchost.exe
4504	~tl368A.tmp
1660	svchost.exe
1904	~tl9A96.tmp
3932	svchost.exe
4212	~tl46E.tmp
3184	svchost.exe
3372	~tl6D0E.tmp

Drops file in System32 directory 42 IoCs

Processes:

svchost.exe~tl9A96.tmp~tl46E.tmpsvchost.exesvchost.exepowershell.exepowershell.exe~tl6D0E.tmpsvchost.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl368A.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72F69839B678B3EFA9DBC1C158DE06B9	~tl9A96.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72F69839B678B3EFA9DBC1C158DE06B9	~tl9A96.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl46E.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	~tl9A96.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl6D0E.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl9A96.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl368A.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl368A.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\DF2NDXKH.htm	~tl9A96.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	~tl9A96.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl9A96.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl6D0E.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl46E.tmp

Drops file in Windows directory 11 IoCs

Processes:

tmp.exesvchost.exe~tl76C3.tmpsvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	~tl76C3.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	~tl76C3.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5024 schtasks.exe
4536 schtasks.exe

pid	process
5024	schtasks.exe
4536	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exepowershell.exepowershell.exepowershell.exe~tl6D0E.tmppowershell.exesvchost.exepowershell.exe~tl46E.tmp~tl9A96.tmppowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exenetsh.exepowershell.exesvchost.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	~tl6D0E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl46E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	~tl9A96.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl9A96.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	~tl9A96.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tl76C3.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl5A3D.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl368A.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
3152	tmp.exe
3152	tmp.exe
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe
5008	powershell.exe
5008	powershell.exe
5008	powershell.exe
3892	~tl76C3.tmp
3892	~tl76C3.tmp
1236	powershell.exe
3052	powershell.exe
1236	powershell.exe
3052	powershell.exe
3052	powershell.exe
1236	powershell.exe
3892	~tl76C3.tmp
3892	~tl76C3.tmp
3952	svchost.exe
3952	svchost.exe
1452	powershell.exe
1452	powershell.exe
3600	powershell.exe
3600	powershell.exe
1452	powershell.exe
3600	powershell.exe
4016	~tl5A3D.tmp
4016	~tl5A3D.tmp
3788	powershell.exe
3788	powershell.exe
5076	powershell.exe
5076	powershell.exe
3788	powershell.exe
5076	powershell.exe
4312	svchost.exe
4312	svchost.exe
3472	powershell.exe
3472	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
3472	powershell.exe
4504	~tl368A.tmp
4504	~tl368A.tmp
3936	powershell.exe
3936	powershell.exe
4592	powershell.exe
4592	powershell.exe
3936	powershell.exe
4592	powershell.exe
1660	svchost.exe
1660	svchost.exe
1080	powershell.exe
1412	powershell.exe
1080	powershell.exe
1080	powershell.exe
1412	powershell.exe
1412	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeIncreaseQuotaPrivilege	5116	powershell.exe
Token: SeSecurityPrivilege	5116	powershell.exe
Token: SeTakeOwnershipPrivilege	5116	powershell.exe
Token: SeLoadDriverPrivilege	5116	powershell.exe
Token: SeSystemProfilePrivilege	5116	powershell.exe
Token: SeSystemtimePrivilege	5116	powershell.exe
Token: SeProfSingleProcessPrivilege	5116	powershell.exe
Token: SeIncBasePriorityPrivilege	5116	powershell.exe
Token: SeCreatePagefilePrivilege	5116	powershell.exe
Token: SeBackupPrivilege	5116	powershell.exe
Token: SeRestorePrivilege	5116	powershell.exe
Token: SeShutdownPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeSystemEnvironmentPrivilege	5116	powershell.exe
Token: SeRemoteShutdownPrivilege	5116	powershell.exe
Token: SeUndockPrivilege	5116	powershell.exe
Token: SeManageVolumePrivilege	5116	powershell.exe
Token: 33	5116	powershell.exe
Token: 34	5116	powershell.exe
Token: 35	5116	powershell.exe
Token: 36	5116	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	1172	powershell.exe
Token: SeSecurityPrivilege	1172	powershell.exe
Token: SeTakeOwnershipPrivilege	1172	powershell.exe
Token: SeLoadDriverPrivilege	1172	powershell.exe
Token: SeSystemProfilePrivilege	1172	powershell.exe
Token: SeSystemtimePrivilege	1172	powershell.exe
Token: SeProfSingleProcessPrivilege	1172	powershell.exe
Token: SeIncBasePriorityPrivilege	1172	powershell.exe
Token: SeCreatePagefilePrivilege	1172	powershell.exe
Token: SeBackupPrivilege	1172	powershell.exe
Token: SeRestorePrivilege	1172	powershell.exe
Token: SeShutdownPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeSystemEnvironmentPrivilege	1172	powershell.exe
Token: SeRemoteShutdownPrivilege	1172	powershell.exe
Token: SeUndockPrivilege	1172	powershell.exe
Token: SeManageVolumePrivilege	1172	powershell.exe
Token: 33	1172	powershell.exe
Token: 34	1172	powershell.exe
Token: 35	1172	powershell.exe
Token: 36	1172	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeIncreaseQuotaPrivilege	1236	powershell.exe
Token: SeSecurityPrivilege	1236	powershell.exe
Token: SeTakeOwnershipPrivilege	1236	powershell.exe
Token: SeLoadDriverPrivilege	1236	powershell.exe
Token: SeSystemProfilePrivilege	1236	powershell.exe
Token: SeSystemtimePrivilege	1236	powershell.exe
Token: SeProfSingleProcessPrivilege	1236	powershell.exe
Token: SeIncBasePriorityPrivilege	1236	powershell.exe
Token: SeCreatePagefilePrivilege	1236	powershell.exe
Token: SeBackupPrivilege	1236	powershell.exe
Token: SeRestorePrivilege	1236	powershell.exe
Token: SeShutdownPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeSystemEnvironmentPrivilege	1236	powershell.exe
Token: SeRemoteShutdownPrivilege	1236	powershell.exe
Token: SeUndockPrivilege	1236	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tl76C3.tmpsvchost.exe~tl5A3D.tmpsvchost.exe

description	pid	process	target process
PID 3152 wrote to memory of 5116	3152	tmp.exe	powershell.exe
PID 3152 wrote to memory of 5116	3152	tmp.exe	powershell.exe
PID 3152 wrote to memory of 1632	3152	tmp.exe	powershell.exe
PID 3152 wrote to memory of 1632	3152	tmp.exe	powershell.exe
PID 3152 wrote to memory of 4604	3152	tmp.exe	schtasks.exe
PID 3152 wrote to memory of 4604	3152	tmp.exe	schtasks.exe
PID 3152 wrote to memory of 5024	3152	tmp.exe	schtasks.exe
PID 3152 wrote to memory of 5024	3152	tmp.exe	schtasks.exe
PID 3152 wrote to memory of 4916	3152	tmp.exe	svchost.exe
PID 3152 wrote to memory of 4916	3152	tmp.exe	svchost.exe
PID 4916 wrote to memory of 1172	4916	svchost.exe	powershell.exe
PID 4916 wrote to memory of 1172	4916	svchost.exe	powershell.exe
PID 4916 wrote to memory of 5008	4916	svchost.exe	powershell.exe
PID 4916 wrote to memory of 5008	4916	svchost.exe	powershell.exe
PID 4916 wrote to memory of 3892	4916	svchost.exe	~tl76C3.tmp
PID 4916 wrote to memory of 3892	4916	svchost.exe	~tl76C3.tmp
PID 3892 wrote to memory of 432	3892	~tl76C3.tmp	netsh.exe
PID 3892 wrote to memory of 432	3892	~tl76C3.tmp	netsh.exe
PID 3892 wrote to memory of 632	3892	~tl76C3.tmp	netsh.exe
PID 3892 wrote to memory of 632	3892	~tl76C3.tmp	netsh.exe
PID 3892 wrote to memory of 4920	3892	~tl76C3.tmp	netsh.exe
PID 3892 wrote to memory of 4920	3892	~tl76C3.tmp	netsh.exe
PID 3892 wrote to memory of 1236	3892	~tl76C3.tmp	powershell.exe
PID 3892 wrote to memory of 1236	3892	~tl76C3.tmp	powershell.exe
PID 3892 wrote to memory of 3052	3892	~tl76C3.tmp	powershell.exe
PID 3892 wrote to memory of 3052	3892	~tl76C3.tmp	powershell.exe
PID 3892 wrote to memory of 2760	3892	~tl76C3.tmp	schtasks.exe
PID 3892 wrote to memory of 2760	3892	~tl76C3.tmp	schtasks.exe
PID 3892 wrote to memory of 4536	3892	~tl76C3.tmp	schtasks.exe
PID 3892 wrote to memory of 4536	3892	~tl76C3.tmp	schtasks.exe
PID 3892 wrote to memory of 3952	3892	~tl76C3.tmp	svchost.exe
PID 3892 wrote to memory of 3952	3892	~tl76C3.tmp	svchost.exe
PID 3952 wrote to memory of 3988	3952	svchost.exe	netsh.exe
PID 3952 wrote to memory of 3988	3952	svchost.exe	netsh.exe
PID 3952 wrote to memory of 3624	3952	svchost.exe	netsh.exe
PID 3952 wrote to memory of 3624	3952	svchost.exe	netsh.exe
PID 3952 wrote to memory of 5036	3952	svchost.exe	netsh.exe
PID 3952 wrote to memory of 5036	3952	svchost.exe	netsh.exe
PID 3952 wrote to memory of 1452	3952	svchost.exe	powershell.exe
PID 3952 wrote to memory of 1452	3952	svchost.exe	powershell.exe
PID 3952 wrote to memory of 3600	3952	svchost.exe	powershell.exe
PID 3952 wrote to memory of 3600	3952	svchost.exe	powershell.exe
PID 3952 wrote to memory of 4016	3952	svchost.exe	~tl5A3D.tmp
PID 3952 wrote to memory of 4016	3952	svchost.exe	~tl5A3D.tmp
PID 4016 wrote to memory of 1456	4016	~tl5A3D.tmp	netsh.exe
PID 4016 wrote to memory of 1456	4016	~tl5A3D.tmp	netsh.exe
PID 4016 wrote to memory of 4808	4016	~tl5A3D.tmp	netsh.exe
PID 4016 wrote to memory of 4808	4016	~tl5A3D.tmp	netsh.exe
PID 4016 wrote to memory of 212	4016	~tl5A3D.tmp	netsh.exe
PID 4016 wrote to memory of 212	4016	~tl5A3D.tmp	netsh.exe
PID 4016 wrote to memory of 3788	4016	~tl5A3D.tmp	powershell.exe
PID 4016 wrote to memory of 3788	4016	~tl5A3D.tmp	powershell.exe
PID 4016 wrote to memory of 5076	4016	~tl5A3D.tmp	powershell.exe
PID 4016 wrote to memory of 5076	4016	~tl5A3D.tmp	powershell.exe
PID 4312 wrote to memory of 3128	4312	svchost.exe	netsh.exe
PID 4312 wrote to memory of 3128	4312	svchost.exe	netsh.exe
PID 4312 wrote to memory of 3076	4312	svchost.exe	netsh.exe
PID 4312 wrote to memory of 3076	4312	svchost.exe	netsh.exe
PID 4312 wrote to memory of 3916	4312	svchost.exe	netsh.exe
PID 4312 wrote to memory of 3916	4312	svchost.exe	netsh.exe
PID 4312 wrote to memory of 3472	4312	svchost.exe	powershell.exe
PID 4312 wrote to memory of 3472	4312	svchost.exe	powershell.exe
PID 4312 wrote to memory of 2960	4312	svchost.exe	powershell.exe
PID 4312 wrote to memory of 2960	4312	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4604

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:5024

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Users\Admin\AppData\Local\Temp\~tl76C3.tmp
C:\Users\Admin\AppData\Local\Temp\~tl76C3.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:432

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:632

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2760

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:4536

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3988

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3624

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Users\Admin\AppData\Local\Temp\~tl5A3D.tmp
C:\Users\Admin\AppData\Local\Temp\~tl5A3D.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1456

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4808

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:3128

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3076

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2960

C:\Windows\TEMP\~tl368A.tmp
C:\Windows\TEMP\~tl368A.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3136

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1172

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2564

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4308

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Windows\TEMP\~tl9A96.tmp
C:\Windows\TEMP\~tl9A96.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1904

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3604

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3388

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3932

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:4940

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4420

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2176

C:\Windows\TEMP\~tl46E.tmp
C:\Windows\TEMP\~tl46E.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4212

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4820

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1468

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3184

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:1448

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4532

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4112

C:\Windows\TEMP\~tl6D0E.tmp
C:\Windows\TEMP\~tl6D0E.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3372

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:4912

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2240

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a0459bda803302e2cf523df290c21eb

SHA1
230dbe5c1c04854f3805cf0dba1d45b6329126c2

SHA256
cc42995442405d73655067690a9558d4b5bb9d15589447d4ae2a9b8465d0331a

SHA512
f4628f5e95ce1c57eae122ed78d7e73f57a9166b02acd5aac28e86eccf743fc37b1909ea30f4d513d400028cccce56e449b6f1eeb579f21fe734019aae6fca6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94db75b896d0aac2566638f1b52777b6

SHA1
49f2bc55d4c5710a102f2edaab8deeddec0ca8b4

SHA256
8fc7e7f05374c437b32c3614dc2bed703456ed4800bd91a603551f37c1159e12

SHA512
1a61bc80830d9735a7da5744b32a58a3b0a97305e2de8f9264561d10513ea14684201e3e0af48808f0ea8c2e0ba89ace5ad9d8971c715401a5c03e8b45d61298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d02618af1b88f14aeca4d943f7096a96

SHA1
ee1fbfa20916814cf460a28626a61a13cbf5c5e6

SHA256
9df1cbf203996da03dc0f2cd1924b10b5f4cf1458e424568c7f06951fea3c846

SHA512
75ff3deea3de0300c309513ea279a55f6fac91f9577942426b1d88e18e813e98554457b0f3cbabbf896970d819cabfcbe5bb3dfc524d68ba708bd38f7d82ee62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a360cf8015ee77017ee6d2209d0fa001

SHA1
f4ceb96c863f143958956210be30adf92b195f48

SHA256
b8df81ff996375a85b8d6df7d8b3741864f6fb1e258408f174eca645b8ed0aae

SHA512
2a80d040146abeb516e3c19a6e5d4aac3353a8ba94fcb9e30e8e4ad6262c63ca7b1e50eb3eea8739ca9a808893833d6d4e717aca8c7c3aac667cc8126a104fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79071d221e4687e70188b41faae7bcc3

SHA1
5077308beaae78da26975748dc6065c686ffd50e

SHA256
57cb4484ff1fd9d7a9d7bf836fc5969db306b25f7dc5e9408071c3460ffccd5a

SHA512
411852ffafd2ee2d13dd97e1e2bd3f077c41ede7de4e4fe292df3b4ede878d10ed24bbbefb3e0242bb26a9cf15016856df69e03606fc8e29c3649dd404a2945e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdk2jiyo.dgg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl5A3D.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl76C3.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg

Filesize
393KB

MD5
72e28e2092a43e0d70289f62bec20e65

SHA1
944f2b81392ee946f4767376882c5c1bda6dddb5

SHA256
6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

SHA512
31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1d0fa0fbb2eaa741db1e01e7c35e998

SHA1
9415ce4777b3ced19dd08ee3b36f93538fcd0b9e

SHA256
8990d961219b8fc613b4076ec95f703d828bee8573d46ae4deb34dfaeef729ee

SHA512
6680d8abbbad9029362330f183cd21a1092c0c66cbd1c31dfba6771812b73f1796097d97b656af6e745dd6d7e9b49bb0ada6589127217a89ad3acc06e1a448e6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59b7940255e695e56f2ff07ec776cc1b

SHA1
d201152ec6c8f2d919023d1e61d0bb21c454aadd

SHA256
6b9f7fc997d0432bed14ea44b70f540fbb71b281ce60d9eee97336e07242c6b7

SHA512
c3c1b0b0b711896faf2ae0505e24e0ccc25ca01dc1996b25448b6e0c3db691f6c13ce6c3a77c9ea6292f9603d9aeb0cdfd34056adbf47132cf0e9af3121aa5ff

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23d4e2e3a278c84084aaad203a1cb633

SHA1
2d05b8d0663bc1aec39166588b3c7842e9404333

SHA256
0767e7341e69b30596fae5e3acf11fe36de203206b320eedaaa533b2a735ab9a

SHA512
48aabc0aff5304c639d0952337871278dba135306e9896caa53d85f1d18db2b955ff0dbcdadf509bebff5e7b3a58e72f4ec9a203a01ea2492a901f0f108dda0d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
890f33594f0e1f1a0ccfb292c152470b

SHA1
a79f767eda24dc2ac3b80150f91c2d664dff263b

SHA256
eb04c89db705f473a42a954f66d4ee987a14fdd684b3fb275a1a15c064c0089f

SHA512
43f933d479a2ae9352cca9573c0383bafe4abd06b6c88746daf04d64c57c92cb6a0f3c6e03d0c2ee3248a462d849341e413d184f21e77f159833a4b1da0b40a3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
216f88c3470119ed38f9618b6b29f468

SHA1
f28f7947ea3d860513c24c3f09887545c79a1a3f

SHA256
4b4e4a6bc61cd7f9d510f284f5f52fdcfc161da75626a362d12b629171927c91

SHA512
4a0288fc89463e7f2f2fae6533cff173fb98d526b6f997a077138c865fa9792a56111bdb0a106a2ddaf9e898933a0388ccca99d79c1c229dd1eae3d99456e120

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a70e9e763172da7006a43773d2968615

SHA1
dbddc97e6281e0e9c644994086cbcddc4595fb3a

SHA256
961be0313ff5dc729d73ecc4dea4969098232ef39b8950683b7ac114f3c11b4a

SHA512
39798d75be1b4774a6e26c0a072b30c70e5e6af2d9965fc47835e9112e969b00c405fa4da8a725267c9f1031228a68bc4153f8c673b2e57df169d73ec6ad61ac

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
102f8b661aa8d01905ad1adac3340ad7

SHA1
50c3678a6997d45aa2c1126ad9a727cd9bf6089a

SHA256
ac75b26a8c473469f80788553c2dcdd932799a6524ecf593b8b1c363c626c808

SHA512
54acd352242621c1ce8221fd7075060bedb58b1f3009d0735f63e0173f33e2db1ff8a9d01b4db978fb60f9d3cb9fc1cc221785aeb3fc3b840edaaf4b1dc9dc0d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/1172-196-0x000001FCD4020000-0x000001FCD4030000-memory.dmp

Filesize
64KB

Download
memory/1172-155-0x000001FCD4020000-0x000001FCD4030000-memory.dmp

Filesize
64KB

Download
memory/1172-216-0x00007FFBB9270000-0x00007FFBB9C5C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-129-0x00007FFBB9270000-0x00007FFBB9C5C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-130-0x000001FCD4020000-0x000001FCD4030000-memory.dmp

Filesize
64KB

Download
memory/1172-132-0x000001FCD4020000-0x000001FCD4030000-memory.dmp

Filesize
64KB

Download
memory/1236-323-0x000001836EAF0000-0x000001836EB00000-memory.dmp

Filesize
64KB

Download
memory/1236-324-0x000001836EAF0000-0x000001836EB00000-memory.dmp

Filesize
64KB

Download
memory/1236-321-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/1236-361-0x000001836EAF0000-0x000001836EB00000-memory.dmp

Filesize
64KB

Download
memory/1236-414-0x000001836EAF0000-0x000001836EB00000-memory.dmp

Filesize
64KB

Download
memory/1236-419-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/1452-532-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/1452-433-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/1452-525-0x00000211F5CF0000-0x00000211F5D00000-memory.dmp

Filesize
64KB

Download
memory/1452-474-0x00000211F5CF0000-0x00000211F5D00000-memory.dmp

Filesize
64KB

Download
memory/1452-437-0x00000211F5CF0000-0x00000211F5D00000-memory.dmp

Filesize
64KB

Download
memory/1452-436-0x00000211F5CF0000-0x00000211F5D00000-memory.dmp

Filesize
64KB

Download
memory/1632-107-0x0000021468E90000-0x0000021468EA0000-memory.dmp

Filesize
64KB

Download
memory/1632-53-0x00007FFBB9300000-0x00007FFBB9CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-73-0x0000021468E90000-0x0000021468EA0000-memory.dmp

Filesize
64KB

Download
memory/1632-56-0x0000021468E90000-0x0000021468EA0000-memory.dmp

Filesize
64KB

Download
memory/1632-58-0x0000021468E90000-0x0000021468EA0000-memory.dmp

Filesize
64KB

Download
memory/1632-112-0x00007FFBB9300000-0x00007FFBB9CEC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-331-0x0000027148C10000-0x0000027148C20000-memory.dmp

Filesize
64KB

Download
memory/3052-327-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-365-0x0000027148C10000-0x0000027148C20000-memory.dmp

Filesize
64KB

Download
memory/3052-409-0x0000027148C10000-0x0000027148C20000-memory.dmp

Filesize
64KB

Download
memory/3052-415-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-330-0x0000027148C10000-0x0000027148C20000-memory.dmp

Filesize
64KB

Download
memory/3152-0-0x00007FFBC5CEB000-0x00007FFBC5CEF000-memory.dmp

Filesize
16KB

Download
memory/3152-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3152-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3152-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3152-5-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3152-123-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3152-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3152-7-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3600-442-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/3600-522-0x0000024463910000-0x0000024463920000-memory.dmp

Filesize
64KB

Download
memory/3600-444-0x0000024463910000-0x0000024463920000-memory.dmp

Filesize
64KB

Download
memory/3600-445-0x0000024463910000-0x0000024463920000-memory.dmp

Filesize
64KB

Download
memory/3600-531-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/3600-475-0x0000024463910000-0x0000024463920000-memory.dmp

Filesize
64KB

Download
memory/3788-548-0x00007FFBA9120000-0x00007FFBA9B0C000-memory.dmp

Filesize
9.9MB

Download
memory/3892-303-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3892-305-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3892-429-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3892-302-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3892-304-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3892-317-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3952-428-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3952-427-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3952-430-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3952-541-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4016-649-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4016-648-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4016-540-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4016-544-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4016-543-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4016-542-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4312-993-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4312-667-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4504-1329-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4504-1327-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4504-997-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4916-120-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4916-316-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4916-122-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4916-228-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/4916-125-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/5008-150-0x00007FFBB9270000-0x00007FFBB9C5C000-memory.dmp

Filesize
9.9MB

Download
memory/5008-153-0x000002227E570000-0x000002227E580000-memory.dmp

Filesize
64KB

Download
memory/5008-223-0x000002227E570000-0x000002227E580000-memory.dmp

Filesize
64KB

Download
memory/5008-154-0x000002227E570000-0x000002227E580000-memory.dmp

Filesize
64KB

Download
memory/5008-190-0x000002227E570000-0x000002227E580000-memory.dmp

Filesize
64KB

Download
memory/5008-227-0x00007FFBB9270000-0x00007FFBB9C5C000-memory.dmp

Filesize
9.9MB

Download
memory/5116-18-0x00000175E4B10000-0x00000175E4B86000-memory.dmp

Filesize
472KB

Download
memory/5116-12-0x00000175CC400000-0x00000175CC422000-memory.dmp

Filesize
136KB

Download
memory/5116-13-0x00007FFBB9300000-0x00007FFBB9CEC000-memory.dmp

Filesize
9.9MB

Download
memory/5116-15-0x00000175CC330000-0x00000175CC340000-memory.dmp

Filesize
64KB

Download
memory/5116-14-0x00000175CC330000-0x00000175CC340000-memory.dmp

Filesize
64KB

Download
memory/5116-31-0x00000175CC330000-0x00000175CC340000-memory.dmp

Filesize
64KB

Download
memory/5116-90-0x00000175CC330000-0x00000175CC340000-memory.dmp

Filesize
64KB

Download
memory/5116-106-0x00007FFBB9300000-0x00007FFBB9CEC000-memory.dmp

Filesize
9.9MB

Download