7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1200s
max time network
1197s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1900	netsh.exe
1872	netsh.exe
1676	netsh.exe
2840	netsh.exe
1636	netsh.exe
2196	netsh.exe
1640	netsh.exe
1660	netsh.exe
2552	netsh.exe
1768	netsh.exe
2104	netsh.exe
2732	netsh.exe
1060	netsh.exe
1900	netsh.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exe~tl57D.tmpsvchost.exesvchost.exe~tl6C4.tmpsvchost.exe~tl401C.tmp

pid process

1612 svchost.exe
1964 ~tl57D.tmp
2724 svchost.exe
652 svchost.exe
1068 ~tl6C4.tmp
1452 svchost.exe
1188 ~tl401C.tmp

pid	process
1612	svchost.exe
1964	~tl57D.tmp
2724	svchost.exe
652	svchost.exe
1068	~tl6C4.tmp
1452	svchost.exe
1188	~tl401C.tmp

Loads dropped DLL 12 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exetaskeng.exe~tl57D.tmpsvchost.exetaskeng.exesvchost.exe

pid	process
3064	svchost_dump_SCY - Copy.exe
3064	svchost_dump_SCY - Copy.exe
1612	svchost.exe
1612	svchost.exe
2408	taskeng.exe
2408	taskeng.exe
1964	~tl57D.tmp
2724	svchost.exe
2724	svchost.exe
3008	taskeng.exe
1452	svchost.exe
1452	svchost.exe

Drops file in System32 directory 18 IoCs

Processes:

svchost.exesvchost.exepowershell.exepowershell.exepowershell.exe~tl6C4.tmppowershell.exepowershell.exepowershell.exe~tl401C.tmppowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl6C4.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl6C4.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl401C.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl401C.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exesvchost_dump_SCY - Copy.exesvchost.exe~tl57D.tmpsvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl57D.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl57D.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

544 schtasks.exe
2440 schtasks.exe

pid	process
544	schtasks.exe
2440	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exenetsh.exenetsh.exe~tl6C4.tmp~tl401C.tmpsvchost.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepowershell.exenetsh.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a009deda458ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44	~tl6C4.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl401C.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl401C.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl6C4.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl6C4.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl6C4.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl6C4.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D5D0CBD-F2E4-43FC-978E-380C3672D1AF}\WpadNetworkName = "Network 2"	~tl6C4.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tl401C.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D5D0CBD-F2E4-43FC-978E-380C3672D1AF}\WpadDecisionTime = c0d945dc468ada01	~tl401C.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDecision = "0"	~tl6C4.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D5D0CBD-F2E4-43FC-978E-380C3672D1AF}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D5D0CBD-F2E4-43FC-978E-380C3672D1AF}\WpadDecision = "0"	~tl6C4.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl401C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl401C.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D5D0CBD-F2E4-43FC-978E-380C3672D1AF}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tl6C4.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D5D0CBD-F2E4-43FC-978E-380C3672D1AF}\WpadDecisionReason = "1"	~tl401C.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDecisionTime = a0946bd1458ada01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44	~tl401C.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDecision = "0"	~tl401C.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D5D0CBD-F2E4-43FC-978E-380C3672D1AF}\WpadDecision = "0"	~tl401C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDecisionReason = "1"	~tl401C.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl6C4.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDecisionTime = c0d945dc468ada01	~tl401C.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDetectedUrl	~tl6C4.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl401C.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1e-c5-3d-80-44\WpadDecision = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl57D.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl6C4.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl401C.tmppowershell.exepowershell.exe

pid	process
2660	powershell.exe
2416	powershell.exe
3064	svchost_dump_SCY - Copy.exe
1464	powershell.exe
2244	powershell.exe
1964	~tl57D.tmp
1596	powershell.exe
2648	powershell.exe
1964	~tl57D.tmp
2724	svchost.exe
2640	powershell.exe
1516	powershell.exe
1068	~tl6C4.tmp
1912	powershell.exe
1456	powershell.exe
1452	svchost.exe
2760	powershell.exe
2216	powershell.exe
1188	~tl401C.tmp
652	powershell.exe
852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeSecurityPrivilege	2592	WMIC.exe
Token: SeTakeOwnershipPrivilege	2592	WMIC.exe
Token: SeLoadDriverPrivilege	2592	WMIC.exe
Token: SeSystemProfilePrivilege	2592	WMIC.exe
Token: SeSystemtimePrivilege	2592	WMIC.exe
Token: SeProfSingleProcessPrivilege	2592	WMIC.exe
Token: SeIncBasePriorityPrivilege	2592	WMIC.exe
Token: SeCreatePagefilePrivilege	2592	WMIC.exe
Token: SeBackupPrivilege	2592	WMIC.exe
Token: SeRestorePrivilege	2592	WMIC.exe
Token: SeShutdownPrivilege	2592	WMIC.exe
Token: SeDebugPrivilege	2592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2592	WMIC.exe
Token: SeRemoteShutdownPrivilege	2592	WMIC.exe
Token: SeUndockPrivilege	2592	WMIC.exe
Token: SeManageVolumePrivilege	2592	WMIC.exe
Token: 33	2592	WMIC.exe
Token: 34	2592	WMIC.exe
Token: 35	2592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeSecurityPrivilege	2592	WMIC.exe
Token: SeTakeOwnershipPrivilege	2592	WMIC.exe
Token: SeLoadDriverPrivilege	2592	WMIC.exe
Token: SeSystemProfilePrivilege	2592	WMIC.exe
Token: SeSystemtimePrivilege	2592	WMIC.exe
Token: SeProfSingleProcessPrivilege	2592	WMIC.exe
Token: SeIncBasePriorityPrivilege	2592	WMIC.exe
Token: SeCreatePagefilePrivilege	2592	WMIC.exe
Token: SeBackupPrivilege	2592	WMIC.exe
Token: SeRestorePrivilege	2592	WMIC.exe
Token: SeShutdownPrivilege	2592	WMIC.exe
Token: SeDebugPrivilege	2592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2592	WMIC.exe
Token: SeRemoteShutdownPrivilege	2592	WMIC.exe
Token: SeUndockPrivilege	2592	WMIC.exe
Token: SeManageVolumePrivilege	2592	WMIC.exe
Token: 33	2592	WMIC.exe
Token: 34	2592	WMIC.exe
Token: 35	2592	WMIC.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemProfilePrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeProfSingleProcessPrivilege	2748	WMIC.exe
Token: SeIncBasePriorityPrivilege	2748	WMIC.exe
Token: SeCreatePagefilePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeDebugPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeRemoteShutdownPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 33	2748	WMIC.exe
Token: 34	2748	WMIC.exe
Token: 35	2748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl57D.tmptaskeng.exe

description	pid	process	target process
PID 3064 wrote to memory of 2592	3064	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3064 wrote to memory of 2592	3064	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3064 wrote to memory of 2592	3064	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3064 wrote to memory of 1636	3064	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3064 wrote to memory of 1636	3064	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3064 wrote to memory of 1636	3064	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3064 wrote to memory of 2552	3064	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3064 wrote to memory of 2552	3064	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3064 wrote to memory of 2552	3064	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3064 wrote to memory of 2416	3064	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3064 wrote to memory of 2416	3064	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3064 wrote to memory of 2416	3064	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3064 wrote to memory of 2660	3064	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3064 wrote to memory of 2660	3064	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3064 wrote to memory of 2660	3064	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3064 wrote to memory of 2788	3064	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3064 wrote to memory of 2788	3064	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3064 wrote to memory of 2788	3064	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3064 wrote to memory of 544	3064	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3064 wrote to memory of 544	3064	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3064 wrote to memory of 544	3064	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3064 wrote to memory of 1612	3064	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3064 wrote to memory of 1612	3064	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3064 wrote to memory of 1612	3064	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1612 wrote to memory of 2748	1612	svchost.exe	WMIC.exe
PID 1612 wrote to memory of 2748	1612	svchost.exe	WMIC.exe
PID 1612 wrote to memory of 2748	1612	svchost.exe	WMIC.exe
PID 1612 wrote to memory of 1900	1612	svchost.exe	netsh.exe
PID 1612 wrote to memory of 1900	1612	svchost.exe	netsh.exe
PID 1612 wrote to memory of 1900	1612	svchost.exe	netsh.exe
PID 1612 wrote to memory of 1872	1612	svchost.exe	netsh.exe
PID 1612 wrote to memory of 1872	1612	svchost.exe	netsh.exe
PID 1612 wrote to memory of 1872	1612	svchost.exe	netsh.exe
PID 1612 wrote to memory of 1464	1612	svchost.exe	powershell.exe
PID 1612 wrote to memory of 1464	1612	svchost.exe	powershell.exe
PID 1612 wrote to memory of 1464	1612	svchost.exe	powershell.exe
PID 1612 wrote to memory of 2244	1612	svchost.exe	powershell.exe
PID 1612 wrote to memory of 2244	1612	svchost.exe	powershell.exe
PID 1612 wrote to memory of 2244	1612	svchost.exe	powershell.exe
PID 1612 wrote to memory of 1964	1612	svchost.exe	~tl57D.tmp
PID 1612 wrote to memory of 1964	1612	svchost.exe	~tl57D.tmp
PID 1612 wrote to memory of 1964	1612	svchost.exe	~tl57D.tmp
PID 1964 wrote to memory of 884	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 884	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 884	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 1676	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 1676	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 1676	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 2104	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 2104	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 2104	1964	~tl57D.tmp	netsh.exe
PID 1964 wrote to memory of 1596	1964	~tl57D.tmp	powershell.exe
PID 1964 wrote to memory of 1596	1964	~tl57D.tmp	powershell.exe
PID 1964 wrote to memory of 1596	1964	~tl57D.tmp	powershell.exe
PID 1964 wrote to memory of 2648	1964	~tl57D.tmp	powershell.exe
PID 1964 wrote to memory of 2648	1964	~tl57D.tmp	powershell.exe
PID 1964 wrote to memory of 2648	1964	~tl57D.tmp	powershell.exe
PID 2408 wrote to memory of 2724	2408	taskeng.exe	svchost.exe
PID 2408 wrote to memory of 2724	2408	taskeng.exe	svchost.exe
PID 2408 wrote to memory of 2724	2408	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 2816	1964	~tl57D.tmp	schtasks.exe
PID 1964 wrote to memory of 2816	1964	~tl57D.tmp	schtasks.exe
PID 1964 wrote to memory of 2816	1964	~tl57D.tmp	schtasks.exe
PID 1964 wrote to memory of 2440	1964	~tl57D.tmp	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1636

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2788

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:544

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1900

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Users\Admin\AppData\Local\Temp\~tl57D.tmp
C:\Users\Admin\AppData\Local\Temp\~tl57D.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:884

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1676

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2816

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:2440

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
PID:652

C:\Windows\system32\taskeng.exe
taskeng.exe {370C3B2F-E85D-4143-8BEC-12F7D0A5BC7E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:308

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2840

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\TEMP\~tl6C4.tmp
C:\Windows\TEMP\~tl6C4.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
- Modifies data under HKEY_USERS
PID:2232

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1060

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Windows\system32\taskeng.exe
taskeng.exe {BB5F83E3-E063-4FC5-9C88-D58142345155} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:3008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:1996

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1640

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Windows\TEMP\~tl401C.tmp
C:\Windows\TEMP\~tl401C.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1188

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
- Modifies data under HKEY_USERS
PID:3064

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1660

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5c30577b7e8f38aa586bb2ae42aedbb4

SHA1
20f1a29b7931e738745b9f42e6012732ed9efe5b

SHA256
5e3c005ff479f854eec73bb2dd49562d4911a241f6053b9c8fa293fd3fe92ffb

SHA512
cef8e6a37e995f230c506dcf3732040c66d78581a4348b284efabe8947c5e705ceb3270ad1cf543283a3b21bb7eccb21e1eb47529296bcdddb55169bedcd1f31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
408a3906f286da816db7c9db54e12f94

SHA1
4e89b1f0307047c43957ee9ea97c816c6ace0529

SHA256
f9f0955a49df388500f353c2f0deac1c28e0a975992d0f23dd7b81fb86291664

SHA512
201cdc49cd8ab7126c93ea6c6ec03c1bc22f3c20f70aa3e90cc003b89c7937fd51414875f80d882ea045f9200e22bd5ed16dadd8b6aaaa0651f7fabab90cb7fc

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
9bae03d3dc0f5cfd40507ee03ba5a765

SHA1
bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

SHA256
ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

SHA512
2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
6.4MB

MD5
1430c89ec309cf12802d8e723fe32c6e

SHA1
1f4b6ee07d47e827a4c3bd53784c8fa7b140c5c3

SHA256
5996c136d3e6ffffec826c881eda0a56d952d08a87d889fd3d76597615b080fb

SHA512
6942964e07560e288d2c0d53eb6bebbe0bc55fac881b60a7fb13bc9457dd724d5c72f9b22dd4d733c8321db2ae7c02cc96da91aef38fa935e07d18f847d4534c

Download Submit
C:\Windows\System\svchost.exe
Filesize
385KB

MD5
e0a5211e22aa205f5c5c5042b0a572e4

SHA1
f645ec5db1ce143b38b72bb27942f78a74640e64

SHA256
984d7da9ef6efe325c7216c9b3d731200865a0bff5f2a8f288ebc9a6e6c5de1f

SHA512
74d071590695fda8108083745015d1f8e1d6ae5f66701d3be8cdc096c0e62ee4ec52c489fda2b8060db87ee09800ba819e2bc44955ee3775cbfafef5529ebe45

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\~tl57D.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
\Windows\Temp\~tl6C4.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
\Windows\system\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
memory/652-189-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/652-178-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/652-167-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1068-218-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-219-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-204-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1068-201-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1452-260-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1464-57-0x000007FEF4FC0000-0x000007FEF595D000-memory.dmp

Filesize
9.6MB

Download
memory/1464-56-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1464-60-0x000007FEF4FC0000-0x000007FEF595D000-memory.dmp

Filesize
9.6MB

Download
memory/1464-58-0x000000000247B000-0x00000000024E2000-memory.dmp

Filesize
412KB

Download
memory/1464-43-0x000000001B0D0000-0x000000001B3B2000-memory.dmp

Filesize
2.9MB

Download
memory/1464-48-0x000007FEF4FC0000-0x000007FEF595D000-memory.dmp

Filesize
9.6MB

Download
memory/1464-50-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1464-49-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1516-182-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

Filesize
9.6MB

Download
memory/1516-184-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/1596-151-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1596-141-0x000007FEF5180000-0x000007FEF5B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1596-142-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1596-144-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1596-143-0x000007FEF5180000-0x000007FEF5B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1596-153-0x000007FEF5180000-0x000007FEF5B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1612-125-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1612-63-0x000000001EC90000-0x000000001F172000-memory.dmp

Filesize
4.9MB

Download
memory/1612-59-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1612-35-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1964-127-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1964-126-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1964-168-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1964-128-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1964-129-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2244-55-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2244-54-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2244-53-0x000007FEF4FC0000-0x000007FEF595D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-52-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2244-62-0x000007FEF4FC0000-0x000007FEF595D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-51-0x000007FEF4FC0000-0x000007FEF595D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-61-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/2416-10-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2416-13-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2416-16-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2416-21-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-22-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2416-12-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-20-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2416-14-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-179-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/2640-172-0x0000000019C90000-0x0000000019F72000-memory.dmp

Filesize
2.9MB

Download
memory/2640-183-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

Filesize
9.6MB

Download
memory/2640-181-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/2640-177-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

Filesize
9.6MB

Download
memory/2640-176-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/2640-175-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/2640-174-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/2640-173-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

Filesize
9.6MB

Download
memory/2648-148-0x00000000024FB000-0x0000000002562000-memory.dmp

Filesize
412KB

Download
memory/2648-147-0x000007FEF5180000-0x000007FEF5B1D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-152-0x000007FEF5180000-0x000007FEF5B1D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-145-0x000007FEF5180000-0x000007FEF5B1D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-146-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2648-149-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2660-17-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2660-19-0x0000000002A5B000-0x0000000002AC2000-memory.dmp

Filesize
412KB

Download
memory/2660-11-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2660-15-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-18-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2724-169-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2724-190-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2724-200-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2724-162-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3064-23-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3064-32-0x000000001EF80000-0x000000001F5B6000-memory.dmp

Filesize
6.2MB

Download
memory/3064-34-0x000000001EF80000-0x000000001F5B6000-memory.dmp

Filesize
6.2MB

Download
memory/3064-36-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3064-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download