7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
595s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2700	netsh.exe
1892	netsh.exe
4560	netsh.exe
1508	netsh.exe
1436	netsh.exe
2300	netsh.exe
3204	netsh.exe
464	netsh.exe
4148	netsh.exe
3028	netsh.exe
2840	netsh.exe
3096	netsh.exe
3096	netsh.exe
2272	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl337A.tmpsvchost.exe~tl11E3.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	~tl337A.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	~tl11E3.tmp

Executes dropped EXE 6 IoCs

Processes:

svchost.exe~tl337A.tmpsvchost.exe~tl11E3.tmpsvchost.exe~tlA1FF.tmp

pid process

4464 svchost.exe
924 ~tl337A.tmp
3564 svchost.exe
2860 ~tl11E3.tmp
2712 svchost.exe
4072 ~tlA1FF.tmp

pid	process
4464	svchost.exe
924	~tl337A.tmp
3564	svchost.exe
2860	~tl11E3.tmp
2712	svchost.exe
4072	~tlA1FF.tmp

Drops file in System32 directory 8 IoCs

Processes:

powershell.exepowershell.exesvchost.exe~tlA1FF.tmppowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlA1FF.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exesvchost.exesvchost_dump_SCY - Copy.exesvchost.exe~tl337A.tmp

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl337A.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl337A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4548 schtasks.exe
4412 schtasks.exe

pid	process
4548	schtasks.exe
4412	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost.exe~tlA1FF.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tlA1FF.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	~tlA1FF.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl337A.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl11E3.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlA1FF.tmppowershell.exepowershell.exe

pid	process
4748	powershell.exe
4748	powershell.exe
632	powershell.exe
632	powershell.exe
4748	powershell.exe
632	powershell.exe
3000	svchost_dump_SCY - Copy.exe
3000	svchost_dump_SCY - Copy.exe
3304	powershell.exe
3304	powershell.exe
2952	powershell.exe
2952	powershell.exe
924	~tl337A.tmp
924	~tl337A.tmp
4728	powershell.exe
4728	powershell.exe
3040	powershell.exe
3040	powershell.exe
924	~tl337A.tmp
924	~tl337A.tmp
3564	svchost.exe
3564	svchost.exe
4300	powershell.exe
4300	powershell.exe
4140	powershell.exe
4140	powershell.exe
2860	~tl11E3.tmp
2860	~tl11E3.tmp
2192	powershell.exe
1164	powershell.exe
2192	powershell.exe
1164	powershell.exe
2712	svchost.exe
2712	svchost.exe
1612	powershell.exe
1612	powershell.exe
2080	powershell.exe
2080	powershell.exe
4072	~tlA1FF.tmp
4072	~tlA1FF.tmp
2412	powershell.exe
868	powershell.exe
2412	powershell.exe
868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3304	WMIC.exe
Token: SeSecurityPrivilege	3304	WMIC.exe
Token: SeTakeOwnershipPrivilege	3304	WMIC.exe
Token: SeLoadDriverPrivilege	3304	WMIC.exe
Token: SeSystemProfilePrivilege	3304	WMIC.exe
Token: SeSystemtimePrivilege	3304	WMIC.exe
Token: SeProfSingleProcessPrivilege	3304	WMIC.exe
Token: SeIncBasePriorityPrivilege	3304	WMIC.exe
Token: SeCreatePagefilePrivilege	3304	WMIC.exe
Token: SeBackupPrivilege	3304	WMIC.exe
Token: SeRestorePrivilege	3304	WMIC.exe
Token: SeShutdownPrivilege	3304	WMIC.exe
Token: SeDebugPrivilege	3304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3304	WMIC.exe
Token: SeRemoteShutdownPrivilege	3304	WMIC.exe
Token: SeUndockPrivilege	3304	WMIC.exe
Token: SeManageVolumePrivilege	3304	WMIC.exe
Token: 33	3304	WMIC.exe
Token: 34	3304	WMIC.exe
Token: 35	3304	WMIC.exe
Token: 36	3304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3304	WMIC.exe
Token: SeSecurityPrivilege	3304	WMIC.exe
Token: SeTakeOwnershipPrivilege	3304	WMIC.exe
Token: SeLoadDriverPrivilege	3304	WMIC.exe
Token: SeSystemProfilePrivilege	3304	WMIC.exe
Token: SeSystemtimePrivilege	3304	WMIC.exe
Token: SeProfSingleProcessPrivilege	3304	WMIC.exe
Token: SeIncBasePriorityPrivilege	3304	WMIC.exe
Token: SeCreatePagefilePrivilege	3304	WMIC.exe
Token: SeBackupPrivilege	3304	WMIC.exe
Token: SeRestorePrivilege	3304	WMIC.exe
Token: SeShutdownPrivilege	3304	WMIC.exe
Token: SeDebugPrivilege	3304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3304	WMIC.exe
Token: SeRemoteShutdownPrivilege	3304	WMIC.exe
Token: SeUndockPrivilege	3304	WMIC.exe
Token: SeManageVolumePrivilege	3304	WMIC.exe
Token: 33	3304	WMIC.exe
Token: 34	3304	WMIC.exe
Token: 35	3304	WMIC.exe
Token: 36	3304	WMIC.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl337A.tmpsvchost.exe~tl11E3.tmp

description	pid	process	target process
PID 3000 wrote to memory of 3304	3000	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3000 wrote to memory of 3304	3000	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3000 wrote to memory of 2700	3000	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3000 wrote to memory of 2700	3000	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3000 wrote to memory of 1508	3000	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3000 wrote to memory of 1508	3000	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3000 wrote to memory of 4748	3000	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3000 wrote to memory of 4748	3000	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3000 wrote to memory of 632	3000	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3000 wrote to memory of 632	3000	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3000 wrote to memory of 4972	3000	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3000 wrote to memory of 4972	3000	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3000 wrote to memory of 4548	3000	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3000 wrote to memory of 4548	3000	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3000 wrote to memory of 4464	3000	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3000 wrote to memory of 4464	3000	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4464 wrote to memory of 1656	4464	svchost.exe	WMIC.exe
PID 4464 wrote to memory of 1656	4464	svchost.exe	WMIC.exe
PID 4464 wrote to memory of 2840	4464	svchost.exe	netsh.exe
PID 4464 wrote to memory of 2840	4464	svchost.exe	netsh.exe
PID 4464 wrote to memory of 3096	4464	svchost.exe	netsh.exe
PID 4464 wrote to memory of 3096	4464	svchost.exe	netsh.exe
PID 4464 wrote to memory of 3304	4464	svchost.exe	powershell.exe
PID 4464 wrote to memory of 3304	4464	svchost.exe	powershell.exe
PID 4464 wrote to memory of 2952	4464	svchost.exe	powershell.exe
PID 4464 wrote to memory of 2952	4464	svchost.exe	powershell.exe
PID 4464 wrote to memory of 924	4464	svchost.exe	~tl337A.tmp
PID 4464 wrote to memory of 924	4464	svchost.exe	~tl337A.tmp
PID 924 wrote to memory of 2668	924	~tl337A.tmp	netsh.exe
PID 924 wrote to memory of 2668	924	~tl337A.tmp	netsh.exe
PID 924 wrote to memory of 3096	924	~tl337A.tmp	netsh.exe
PID 924 wrote to memory of 3096	924	~tl337A.tmp	netsh.exe
PID 924 wrote to memory of 2272	924	~tl337A.tmp	netsh.exe
PID 924 wrote to memory of 2272	924	~tl337A.tmp	netsh.exe
PID 924 wrote to memory of 4728	924	~tl337A.tmp	powershell.exe
PID 924 wrote to memory of 4728	924	~tl337A.tmp	powershell.exe
PID 924 wrote to memory of 3040	924	~tl337A.tmp	powershell.exe
PID 924 wrote to memory of 3040	924	~tl337A.tmp	powershell.exe
PID 924 wrote to memory of 1288	924	~tl337A.tmp	schtasks.exe
PID 924 wrote to memory of 1288	924	~tl337A.tmp	schtasks.exe
PID 924 wrote to memory of 4412	924	~tl337A.tmp	schtasks.exe
PID 924 wrote to memory of 4412	924	~tl337A.tmp	schtasks.exe
PID 924 wrote to memory of 3564	924	~tl337A.tmp	svchost.exe
PID 924 wrote to memory of 3564	924	~tl337A.tmp	svchost.exe
PID 3564 wrote to memory of 2640	3564	svchost.exe	netsh.exe
PID 3564 wrote to memory of 2640	3564	svchost.exe	netsh.exe
PID 3564 wrote to memory of 1892	3564	svchost.exe	netsh.exe
PID 3564 wrote to memory of 1892	3564	svchost.exe	netsh.exe
PID 3564 wrote to memory of 4148	3564	svchost.exe	netsh.exe
PID 3564 wrote to memory of 4148	3564	svchost.exe	netsh.exe
PID 3564 wrote to memory of 4300	3564	svchost.exe	powershell.exe
PID 3564 wrote to memory of 4300	3564	svchost.exe	powershell.exe
PID 3564 wrote to memory of 4140	3564	svchost.exe	powershell.exe
PID 3564 wrote to memory of 4140	3564	svchost.exe	powershell.exe
PID 3564 wrote to memory of 2860	3564	svchost.exe	~tl11E3.tmp
PID 3564 wrote to memory of 2860	3564	svchost.exe	~tl11E3.tmp
PID 2860 wrote to memory of 3580	2860	~tl11E3.tmp	netsh.exe
PID 2860 wrote to memory of 3580	2860	~tl11E3.tmp	netsh.exe
PID 2860 wrote to memory of 4560	2860	~tl11E3.tmp	netsh.exe
PID 2860 wrote to memory of 4560	2860	~tl11E3.tmp	netsh.exe
PID 2860 wrote to memory of 3204	2860	~tl11E3.tmp	netsh.exe
PID 2860 wrote to memory of 3204	2860	~tl11E3.tmp	netsh.exe
PID 2860 wrote to memory of 2192	2860	~tl11E3.tmp	powershell.exe
PID 2860 wrote to memory of 2192	2860	~tl11E3.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2700

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4972

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4548

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2840

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Users\Admin\AppData\Local\Temp\~tl337A.tmp
C:\Users\Admin\AppData\Local\Temp\~tl337A.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2668

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3096

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:1288

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:4412

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:2640

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1892

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4140

C:\Users\Admin\AppData\Local\Temp\~tl11E3.tmp
C:\Users\Admin\AppData\Local\Temp\~tl11E3.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:3580

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4560

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:1280

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3028

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Windows\TEMP\~tlA1FF.tmp
C:\Windows\TEMP\~tlA1FF.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4904

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:464

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96e3b86880fedd5afc001d108732a3e5

SHA1
8fc17b39d744a9590a6d5897012da5e6757439a3

SHA256
c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

SHA512
909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2836b5af7a122498542cab81584a8cf6

SHA1
f083b91a65d2a216ec062e53470452d920792559

SHA256
268120e4cbb94d6fc7ba5797a4253b9f168763e828091abbb0383a14e8896e0d

SHA512
e0ddbf9a4edf67c0ac2f89adfae8a25d98b050de099124ed3b03d6a944b89f20792407cbb82834a8bdf40e3e54d9a255923e6649f6af6424a73f90bf2014a340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m11genk1.ql3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl11E3.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl337A.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
277abb67ec3376d7c576732a62c39916

SHA1
70faa899ea7c8618289668813f04c69613fd6995

SHA256
62ce6ee974509a141b66d66c4dfe41565f9ba90f3d62cd286d7a08834f2b10d4

SHA512
f385313c49f7b153488f12be7ea04ed5c1220a85b7dc1382dcb862b8d5b155c5999971d3e8c7b37abdfcf8c2ff23f971a0a477a24f23ff8d08e2bcbe90f5021b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
6.7MB

MD5
481a557af76428a2563ad32a02345aba

SHA1
49d06c79f492ab0332d6e3ce2420a327eb3a148e

SHA256
3b55254f5e7640802b9a34c1789b025452efa577f7b679953be382450af2e691

SHA512
fc13e3669d8d66c16c931a53093a3ebe1c658a6a7da9c7aff8f9493786034468e72245b8e6ac5b2e9fc11393ccea64047a15412e78de846e230ce61ba2f3862c

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
240B

MD5
26d33a97dcfbc18d0e18bc3dc31ba57a

SHA1
0acf00301d1eee012d867f7b39533e3750a5fe14

SHA256
74246d08fc3ba12a6d5073ca229e07961e86bdb80ccfb5451a7167a49026bc3f

SHA512
1998c1b045d0b01be6d50c56ad6000832c84ab98f4326d6262e234873f7e5f3fdd9f5d2a7c98d3db92f5d6dd3bbf1269abb12e86be9a68c02e2d84c9b723165e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c760880d6bc08cda4e37517b962c15c8

SHA1
f5ffa613e2160452ec84b89fe7a1d2fb5a1c1c12

SHA256
19a17a4c2670d8b8d6b08f4f8e07f3cc87c0c42634f0dbccc26f035185b56396

SHA512
4f7a4fa10f47a7bf3a7159e54e3c3dc89d0e950e8ef58cf34dda0f960916a4a5aee6adf3ba342326a591e34f7cbb03404700bb3578edb1fee3be1f439ae76ea0

Download Submit
memory/632-32-0x00007FFC2B3B0000-0x00007FFC2BE71000-memory.dmp

Filesize
10.8MB

Download
memory/632-16-0x00007FFC2B3B0000-0x00007FFC2BE71000-memory.dmp

Filesize
10.8MB

Download
memory/632-15-0x000002A2FA340000-0x000002A2FA350000-memory.dmp

Filesize
64KB

Download
memory/632-14-0x000002A2FA340000-0x000002A2FA350000-memory.dmp

Filesize
64KB

Download
memory/924-170-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/924-127-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/924-126-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/924-125-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/924-124-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/924-121-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1164-229-0x000001ACA7ED0000-0x000001ACA7EE0000-memory.dmp

Filesize
64KB

Download
memory/1164-228-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/1164-243-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/1612-293-0x0000019388B50000-0x0000019388B60000-memory.dmp

Filesize
64KB

Download
memory/1612-314-0x00000193A36A0000-0x00000193A36AA000-memory.dmp

Filesize
40KB

Download
memory/1612-270-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/1612-271-0x0000019388B50000-0x0000019388B60000-memory.dmp

Filesize
64KB

Download
memory/1612-304-0x00000193A35E0000-0x00000193A3695000-memory.dmp

Filesize
724KB

Download
memory/1612-303-0x00000193A35C0000-0x00000193A35DC000-memory.dmp

Filesize
112KB

Download
memory/2080-287-0x0000027AF5B30000-0x0000027AF5B40000-memory.dmp

Filesize
64KB

Download
memory/2080-316-0x0000027AF7E00000-0x0000027AF7E0A000-memory.dmp

Filesize
40KB

Download
memory/2080-286-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/2080-288-0x0000027AF5B30000-0x0000027AF5B40000-memory.dmp

Filesize
64KB

Download
memory/2080-315-0x0000027AF8290000-0x0000027AF82AC000-memory.dmp

Filesize
112KB

Download
memory/2192-240-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/2192-217-0x0000020195590000-0x00000201955A0000-memory.dmp

Filesize
64KB

Download
memory/2192-216-0x0000020195590000-0x00000201955A0000-memory.dmp

Filesize
64KB

Download
memory/2192-215-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/2712-266-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2712-268-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2712-339-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2860-245-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2860-213-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2860-212-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2860-211-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2860-209-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2860-214-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2952-73-0x00007FFC2B020000-0x00007FFC2BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2952-57-0x00007FFC2B020000-0x00007FFC2BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2952-58-0x0000020141F30000-0x0000020141F40000-memory.dmp

Filesize
64KB

Download
memory/2952-59-0x0000020141F30000-0x0000020141F40000-memory.dmp

Filesize
64KB

Download
memory/3000-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3000-33-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3000-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3040-142-0x000001B156F20000-0x000001B156F30000-memory.dmp

Filesize
64KB

Download
memory/3040-141-0x000001B156F20000-0x000001B156F30000-memory.dmp

Filesize
64KB

Download
memory/3040-157-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/3040-140-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/3304-44-0x00007FFC2B020000-0x00007FFC2BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3304-70-0x00007FFC2B020000-0x00007FFC2BAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3304-46-0x000001C662420000-0x000001C662430000-memory.dmp

Filesize
64KB

Download
memory/3304-45-0x000001C662420000-0x000001C662430000-memory.dmp

Filesize
64KB

Download
memory/3564-169-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3564-171-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3564-168-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3564-210-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4072-400-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4072-343-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4140-186-0x000002E4E1FB0000-0x000002E4E1FC0000-memory.dmp

Filesize
64KB

Download
memory/4140-184-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/4140-199-0x000002E4E1FB0000-0x000002E4E1FC0000-memory.dmp

Filesize
64KB

Download
memory/4140-201-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/4140-185-0x000002E4E1FB0000-0x000002E4E1FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-183-0x000001C5F7940000-0x000001C5F7950000-memory.dmp

Filesize
64KB

Download
memory/4300-177-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/4300-197-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/4464-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4464-123-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4464-74-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4464-75-0x0000000031C20000-0x0000000032102000-memory.dmp

Filesize
4.9MB

Download
memory/4728-128-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/4728-152-0x0000018AD43F0000-0x0000018AD4400000-memory.dmp

Filesize
64KB

Download
memory/4728-139-0x0000018AD43F0000-0x0000018AD4400000-memory.dmp

Filesize
64KB

Download
memory/4728-154-0x00007FFC2B840000-0x00007FFC2C301000-memory.dmp

Filesize
10.8MB

Download
memory/4748-31-0x00007FFC2B3B0000-0x00007FFC2BE71000-memory.dmp

Filesize
10.8MB

Download
memory/4748-13-0x0000022BFA3E0000-0x0000022BFA3F0000-memory.dmp

Filesize
64KB

Download
memory/4748-12-0x0000022BFA3E0000-0x0000022BFA3F0000-memory.dmp

Filesize
64KB

Download
memory/4748-11-0x00007FFC2B3B0000-0x00007FFC2BE71000-memory.dmp

Filesize
10.8MB

Download
memory/4748-1-0x0000022BFB2E0000-0x0000022BFB302000-memory.dmp

Filesize
136KB

Download