7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1199s
max time network
1200s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3700	netsh.exe
2372	netsh.exe
356	netsh.exe
588	netsh.exe
4172	netsh.exe
1856	netsh.exe
3096	netsh.exe
4732	netsh.exe
4608	netsh.exe
4740	netsh.exe
3460	netsh.exe
1292	netsh.exe
4684	netsh.exe
4016	netsh.exe
3604	netsh.exe
3036	netsh.exe
3620	netsh.exe
2464	netsh.exe

Executes dropped EXE 8 IoCs

Processes:

svchost.exe~tl137A.tmpsvchost.exe~tlFE95.tmpsvchost.exe~tlB544.tmpsvchost.exe~tl1E51.tmp

pid process

848 svchost.exe
4836 ~tl137A.tmp
2756 svchost.exe
3576 ~tlFE95.tmp
4156 svchost.exe
2460 ~tlB544.tmp
3240 svchost.exe
2568 ~tl1E51.tmp

pid	process
848	svchost.exe
4836	~tl137A.tmp
2756	svchost.exe
3576	~tlFE95.tmp
4156	svchost.exe
2460	~tlB544.tmp
3240	svchost.exe
2568	~tl1E51.tmp

Drops file in System32 directory 20 IoCs

Processes:

powershell.exepowershell.exesvchost.exesvchost.exepowershell.exepowershell.exepowershell.exe~tl1E51.tmppowershell.exe~tlB544.tmppowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl1E51.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl1E51.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tl1E51.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlB544.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlB544.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost_dump_SCY - Copy.exe~tl137A.tmpsvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	~tl137A.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	~tl137A.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4196 schtasks.exe
4208 schtasks.exe

pid	process
4196	schtasks.exe
4208	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenetsh.exesvchost.exe~tlB544.tmpnetsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tlB544.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tlB544.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tlB544.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl137A.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlFE95.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlB544.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
3924	powershell.exe
3924	powershell.exe
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe
3924	powershell.exe
4604	svchost_dump_SCY - Copy.exe
4604	svchost_dump_SCY - Copy.exe
1884	powershell.exe
1884	powershell.exe
3868	powershell.exe
1884	powershell.exe
3868	powershell.exe
3868	powershell.exe
4836	~tl137A.tmp
4836	~tl137A.tmp
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe
4504	powershell.exe
4504	powershell.exe
4504	powershell.exe
4836	~tl137A.tmp
4836	~tl137A.tmp
2756	svchost.exe
2756	svchost.exe
3600	powershell.exe
3600	powershell.exe
2960	powershell.exe
2960	powershell.exe
3600	powershell.exe
2960	powershell.exe
3576	~tlFE95.tmp
3576	~tlFE95.tmp
164	powershell.exe
164	powershell.exe
1192	powershell.exe
1192	powershell.exe
164	powershell.exe
1192	powershell.exe
4156	svchost.exe
4156	svchost.exe
352	powershell.exe
2364	powershell.exe
2364	powershell.exe
352	powershell.exe
2364	powershell.exe
352	powershell.exe
2460	~tlB544.tmp
2460	~tlB544.tmp
4696	powershell.exe
4696	powershell.exe
4376	powershell.exe
4376	powershell.exe
4696	powershell.exe
4376	powershell.exe
3240	svchost.exe
3240	svchost.exe
1388	powershell.exe
4936	powershell.exe
1388	powershell.exe
4936	powershell.exe
1388	powershell.exe
4936	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	924	WMIC.exe
Token: SeSecurityPrivilege	924	WMIC.exe
Token: SeTakeOwnershipPrivilege	924	WMIC.exe
Token: SeLoadDriverPrivilege	924	WMIC.exe
Token: SeSystemProfilePrivilege	924	WMIC.exe
Token: SeSystemtimePrivilege	924	WMIC.exe
Token: SeProfSingleProcessPrivilege	924	WMIC.exe
Token: SeIncBasePriorityPrivilege	924	WMIC.exe
Token: SeCreatePagefilePrivilege	924	WMIC.exe
Token: SeBackupPrivilege	924	WMIC.exe
Token: SeRestorePrivilege	924	WMIC.exe
Token: SeShutdownPrivilege	924	WMIC.exe
Token: SeDebugPrivilege	924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	924	WMIC.exe
Token: SeRemoteShutdownPrivilege	924	WMIC.exe
Token: SeUndockPrivilege	924	WMIC.exe
Token: SeManageVolumePrivilege	924	WMIC.exe
Token: 33	924	WMIC.exe
Token: 34	924	WMIC.exe
Token: 35	924	WMIC.exe
Token: 36	924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	924	WMIC.exe
Token: SeSecurityPrivilege	924	WMIC.exe
Token: SeTakeOwnershipPrivilege	924	WMIC.exe
Token: SeLoadDriverPrivilege	924	WMIC.exe
Token: SeSystemProfilePrivilege	924	WMIC.exe
Token: SeSystemtimePrivilege	924	WMIC.exe
Token: SeProfSingleProcessPrivilege	924	WMIC.exe
Token: SeIncBasePriorityPrivilege	924	WMIC.exe
Token: SeCreatePagefilePrivilege	924	WMIC.exe
Token: SeBackupPrivilege	924	WMIC.exe
Token: SeRestorePrivilege	924	WMIC.exe
Token: SeShutdownPrivilege	924	WMIC.exe
Token: SeDebugPrivilege	924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	924	WMIC.exe
Token: SeRemoteShutdownPrivilege	924	WMIC.exe
Token: SeUndockPrivilege	924	WMIC.exe
Token: SeManageVolumePrivilege	924	WMIC.exe
Token: 33	924	WMIC.exe
Token: 34	924	WMIC.exe
Token: 35	924	WMIC.exe
Token: 36	924	WMIC.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeIncreaseQuotaPrivilege	3924	powershell.exe
Token: SeSecurityPrivilege	3924	powershell.exe
Token: SeTakeOwnershipPrivilege	3924	powershell.exe
Token: SeLoadDriverPrivilege	3924	powershell.exe
Token: SeSystemProfilePrivilege	3924	powershell.exe
Token: SeSystemtimePrivilege	3924	powershell.exe
Token: SeProfSingleProcessPrivilege	3924	powershell.exe
Token: SeIncBasePriorityPrivilege	3924	powershell.exe
Token: SeCreatePagefilePrivilege	3924	powershell.exe
Token: SeBackupPrivilege	3924	powershell.exe
Token: SeRestorePrivilege	3924	powershell.exe
Token: SeShutdownPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeSystemEnvironmentPrivilege	3924	powershell.exe
Token: SeRemoteShutdownPrivilege	3924	powershell.exe
Token: SeUndockPrivilege	3924	powershell.exe
Token: SeManageVolumePrivilege	3924	powershell.exe
Token: 33	3924	powershell.exe
Token: 34	3924	powershell.exe
Token: 35	3924	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl137A.tmpsvchost.exe~tlFE95.tmp

description	pid	process	target process
PID 4604 wrote to memory of 924	4604	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4604 wrote to memory of 924	4604	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4604 wrote to memory of 4684	4604	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4604 wrote to memory of 4684	4604	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4604 wrote to memory of 4608	4604	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4604 wrote to memory of 4608	4604	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4604 wrote to memory of 3924	4604	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4604 wrote to memory of 3924	4604	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4604 wrote to memory of 4576	4604	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4604 wrote to memory of 4576	4604	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4604 wrote to memory of 4936	4604	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4604 wrote to memory of 4936	4604	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4604 wrote to memory of 4208	4604	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4604 wrote to memory of 4208	4604	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4604 wrote to memory of 848	4604	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4604 wrote to memory of 848	4604	svchost_dump_SCY - Copy.exe	svchost.exe
PID 848 wrote to memory of 4308	848	svchost.exe	WMIC.exe
PID 848 wrote to memory of 4308	848	svchost.exe	WMIC.exe
PID 848 wrote to memory of 4740	848	svchost.exe	netsh.exe
PID 848 wrote to memory of 4740	848	svchost.exe	netsh.exe
PID 848 wrote to memory of 4172	848	svchost.exe	netsh.exe
PID 848 wrote to memory of 4172	848	svchost.exe	netsh.exe
PID 848 wrote to memory of 1884	848	svchost.exe	powershell.exe
PID 848 wrote to memory of 1884	848	svchost.exe	powershell.exe
PID 848 wrote to memory of 3868	848	svchost.exe	powershell.exe
PID 848 wrote to memory of 3868	848	svchost.exe	powershell.exe
PID 848 wrote to memory of 4836	848	svchost.exe	~tl137A.tmp
PID 848 wrote to memory of 4836	848	svchost.exe	~tl137A.tmp
PID 4836 wrote to memory of 1872	4836	~tl137A.tmp	netsh.exe
PID 4836 wrote to memory of 1872	4836	~tl137A.tmp	netsh.exe
PID 4836 wrote to memory of 588	4836	~tl137A.tmp	netsh.exe
PID 4836 wrote to memory of 588	4836	~tl137A.tmp	netsh.exe
PID 4836 wrote to memory of 2464	4836	~tl137A.tmp	netsh.exe
PID 4836 wrote to memory of 2464	4836	~tl137A.tmp	netsh.exe
PID 4836 wrote to memory of 1588	4836	~tl137A.tmp	powershell.exe
PID 4836 wrote to memory of 1588	4836	~tl137A.tmp	powershell.exe
PID 4836 wrote to memory of 4504	4836	~tl137A.tmp	powershell.exe
PID 4836 wrote to memory of 4504	4836	~tl137A.tmp	powershell.exe
PID 4836 wrote to memory of 4612	4836	~tl137A.tmp	schtasks.exe
PID 4836 wrote to memory of 4612	4836	~tl137A.tmp	schtasks.exe
PID 4836 wrote to memory of 4196	4836	~tl137A.tmp	schtasks.exe
PID 4836 wrote to memory of 4196	4836	~tl137A.tmp	schtasks.exe
PID 4836 wrote to memory of 2756	4836	~tl137A.tmp	svchost.exe
PID 4836 wrote to memory of 2756	4836	~tl137A.tmp	svchost.exe
PID 2756 wrote to memory of 2060	2756	svchost.exe	netsh.exe
PID 2756 wrote to memory of 2060	2756	svchost.exe	netsh.exe
PID 2756 wrote to memory of 4016	2756	svchost.exe	netsh.exe
PID 2756 wrote to memory of 4016	2756	svchost.exe	netsh.exe
PID 2756 wrote to memory of 3460	2756	svchost.exe	netsh.exe
PID 2756 wrote to memory of 3460	2756	svchost.exe	netsh.exe
PID 2756 wrote to memory of 3600	2756	svchost.exe	powershell.exe
PID 2756 wrote to memory of 3600	2756	svchost.exe	powershell.exe
PID 2756 wrote to memory of 2960	2756	svchost.exe	powershell.exe
PID 2756 wrote to memory of 2960	2756	svchost.exe	powershell.exe
PID 2756 wrote to memory of 3576	2756	svchost.exe	~tlFE95.tmp
PID 2756 wrote to memory of 3576	2756	svchost.exe	~tlFE95.tmp
PID 3576 wrote to memory of 2080	3576	~tlFE95.tmp	netsh.exe
PID 3576 wrote to memory of 2080	3576	~tlFE95.tmp	netsh.exe
PID 3576 wrote to memory of 3700	3576	~tlFE95.tmp	netsh.exe
PID 3576 wrote to memory of 3700	3576	~tlFE95.tmp	netsh.exe
PID 3576 wrote to memory of 3604	3576	~tlFE95.tmp	netsh.exe
PID 3576 wrote to memory of 3604	3576	~tlFE95.tmp	netsh.exe
PID 3576 wrote to memory of 164	3576	~tlFE95.tmp	powershell.exe
PID 3576 wrote to memory of 164	3576	~tlFE95.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4684

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4936

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4208

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:4308

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4740

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Users\Admin\AppData\Local\Temp\~tl137A.tmp
C:\Users\Admin\AppData\Local\Temp\~tl137A.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1872

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:588

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:4612

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:4196

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:2060

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4016

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2960

C:\Users\Admin\AppData\Local\Temp\~tlFE95.tmp
C:\Users\Admin\AppData\Local\Temp\~tlFE95.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:2080

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3700

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4156

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:3756

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2372

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\TEMP\~tlB544.tmp
C:\Windows\TEMP\~tlB544.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:4624

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3036

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3240

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2940

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:356

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Windows\TEMP\~tl1E51.tmp
C:\Windows\TEMP\~tl1E51.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:4248

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3096

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddd930bb6b253fa3e4dac84e70cc32f7

SHA1
1f9c1d306551501831ec2ca22913719369a073f3

SHA256
03692955af43e57ec4ebab0ab44b5891a340db567b13a3e729d5a1733f055676

SHA512
8ab52e57cb099a01fa944bb8893ef2b8f82d434cb3730310405dba77967dd5741e61f0255e3a6076b749b5770635068c43a3bfd5d5fc2459c7aaa3ea31811b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4cea0c74a234f91009b492a2cb8fb52b

SHA1
341b43c60fd575c8f6331be313b3692aa3a3a3e6

SHA256
4524eacc40f3911bc490f6c68bd457b3f0cf2ae04fb27d3086d9140b5d96f66b

SHA512
16f94f88b89b0e291f7d55bb1ccb8999858476a3c9290a4c752a2aa2b47748d4388570a07988a82d1f605550efa9c0bf8243fdde024b237e0a09bc789e51d9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
746d1e357d9bd8b5128c36632ad5b8c9

SHA1
eeebe45d0c75c5e0420be57b9ddd8af931be3458

SHA256
68f367052b39694c349cc5cd1c61f532f9a1264c8df996d4195d802602396f57

SHA512
7c7ff8a49f0e71790791e9d380fb4b330e826ff5223a61c783db08c97e15a5178670e3ecf8bd99643d8882157a3a67e6665776f7a39464a748edfa692dbeb7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
caccc4833866f9c1ebe2bcc70b899cc9

SHA1
b97d98a73e6878f8e78c1994c167a5647f763aba

SHA256
bcce42e3be5da129acf369b84e27bc5ff956cd8b6ce109eb8ef411203867667b

SHA512
a9310240a3b6e37e512706673e5de0196f57fcf897947c4302f0b194cb993f4c9e6f4bd6a64673dfece8187e03bc7403a97b4b663696cebae5d0fdb398ae97dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3d8026309e6d686a83a290925925c0b

SHA1
24ad1d28441d69d52ed59458d7f9eefe02e34000

SHA256
1ee849ddeb8f33cb162fbaa00a8e8640296229004b77d4f4bc1f0455a9b0e103

SHA512
6f40cd38aa65d7242e4169efcdea6c33ad4e2fe8191ef8e426e1d547553f565005565512ebcdeee69f075847852ce531a182b19c1fe0502bf4e433da823bfb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k0vjsvh.b2o.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl137A.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlFE95.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
9bae03d3dc0f5cfd40507ee03ba5a765

SHA1
bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

SHA256
ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

SHA512
2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.9MB

MD5
63af5a4ab46af05dbe081852146dd535

SHA1
7e0e7beac2392719c37a7b8fb8b16c3e953986a2

SHA256
b6d851e54ce8d76828a2cab80001bfad988f2a9abb306459a6d5fe68bc084b0e

SHA512
e0c1b931d754bfe0ae5931c5d79d80fe37a3073d1be173be39e6e6b1455385553437f801144c2c605592f5abe65233e2c0e9eac7a1cc35760241cdab77bc2cef

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
989351950d2a2461d9761641d74bf45a

SHA1
1f49b99278584253448a6ce8d79179fd8ac1fc31

SHA256
fe64e14ab679d19a43dde9453ae8fa51d3fc166cc8899b68fefb3ef76775e991

SHA512
f31c428eec609bdec79eb2abd11313e9bb01aa9ab5b93deb343bdcddc1c1cabfcda9ba90454d987f08ebd0649cf5bc2e3c981894a687abf7ca7cf50b0e861396

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d83a208634d558703c1e16add85bb1a

SHA1
c38824af60f6cabcfa15fa0854eeb35af2e73fe6

SHA256
e735f75f227f41688c8a1d93cbb9734978f22d96ea87d51e7b78722c9333be29

SHA512
07d6d03ecdea6301fe77fadc53452b5502e716d3b9c947dac6d190048f7c80fa34b25efaee1b11df3ae71d7a960dfc7665fd420c15e742b0440f458d8f0a4b24

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
291B

MD5
ed44855bf47aad91e9109e267d7a9ae0

SHA1
f3f7fce298b925387773a840a97a64c0985595d9

SHA256
e522e374b8253cd19c5384c6a93bb5a126f635ec5bfdeb649bb71a9e8c4ed02f

SHA512
83c25ccaa75ff03a5bbb450d070043ac241d56326841250adb86b2f7d0b82481afdb4a65ed728acf07e728d8955f4542fc059d1b740d9a09fa010862cc0dfa7c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/164-515-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/164-518-0x000001FC78330000-0x000001FC78340000-memory.dmp

Filesize
64KB

Download
memory/848-275-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/848-114-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/848-131-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/848-223-0x00000000369D0000-0x0000000036EB2000-memory.dmp

Filesize
4.9MB

Download
memory/1588-286-0x000001F2FE110000-0x000001F2FE120000-memory.dmp

Filesize
64KB

Download
memory/1588-285-0x000001F2FE110000-0x000001F2FE120000-memory.dmp

Filesize
64KB

Download
memory/1588-283-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/1588-311-0x000001F2FE110000-0x000001F2FE120000-memory.dmp

Filesize
64KB

Download
memory/1588-376-0x000001F2FE110000-0x000001F2FE120000-memory.dmp

Filesize
64KB

Download
memory/1588-383-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-122-0x0000017FF79C0000-0x0000017FF79D0000-memory.dmp

Filesize
64KB

Download
memory/1884-206-0x0000017FF79C0000-0x0000017FF79D0000-memory.dmp

Filesize
64KB

Download
memory/1884-222-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-119-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-149-0x0000017FF79C0000-0x0000017FF79D0000-memory.dmp

Filesize
64KB

Download
memory/1884-121-0x0000017FF79C0000-0x0000017FF79D0000-memory.dmp

Filesize
64KB

Download
memory/2460-1292-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2460-973-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2756-391-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2756-394-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2756-508-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2756-500-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2756-392-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2960-405-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-409-0x000001CE529C0000-0x000001CE529D0000-memory.dmp

Filesize
64KB

Download
memory/2960-410-0x000001CE529C0000-0x000001CE529D0000-memory.dmp

Filesize
64KB

Download
memory/2960-498-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-455-0x000001CE529C0000-0x000001CE529D0000-memory.dmp

Filesize
64KB

Download
memory/2960-494-0x000001CE529C0000-0x000001CE529D0000-memory.dmp

Filesize
64KB

Download
memory/3576-618-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3576-507-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3576-509-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3576-510-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3576-511-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3576-512-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3576-619-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3600-400-0x0000021702BE0000-0x0000021702BF0000-memory.dmp

Filesize
64KB

Download
memory/3600-436-0x0000021702BE0000-0x0000021702BF0000-memory.dmp

Filesize
64KB

Download
memory/3600-490-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/3600-397-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/3600-401-0x0000021702BE0000-0x0000021702BF0000-memory.dmp

Filesize
64KB

Download
memory/3600-482-0x0000021702BE0000-0x0000021702BF0000-memory.dmp

Filesize
64KB

Download
memory/3868-132-0x000001A563710000-0x000001A563720000-memory.dmp

Filesize
64KB

Download
memory/3868-215-0x000001A563710000-0x000001A563720000-memory.dmp

Filesize
64KB

Download
memory/3868-134-0x000001A563710000-0x000001A563720000-memory.dmp

Filesize
64KB

Download
memory/3868-126-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/3868-180-0x000001A563710000-0x000001A563720000-memory.dmp

Filesize
64KB

Download
memory/3868-221-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/3924-8-0x0000025469B80000-0x0000025469B90000-memory.dmp

Filesize
64KB

Download
memory/3924-108-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/3924-6-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/3924-103-0x0000025469B80000-0x0000025469B90000-memory.dmp

Filesize
64KB

Download
memory/3924-54-0x0000025469B80000-0x0000025469B90000-memory.dmp

Filesize
64KB

Download
memory/3924-16-0x0000025469DD0000-0x0000025469DF2000-memory.dmp

Filesize
136KB

Download
memory/3924-23-0x000002546AD10000-0x000002546AD86000-memory.dmp

Filesize
472KB

Download
memory/3924-7-0x0000025469B80000-0x0000025469B90000-memory.dmp

Filesize
64KB

Download
memory/4156-642-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4156-969-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4504-307-0x000001D1FBC40000-0x000001D1FBC50000-memory.dmp

Filesize
64KB

Download
memory/4504-373-0x000001D1FBC40000-0x000001D1FBC50000-memory.dmp

Filesize
64KB

Download
memory/4504-346-0x000001D1FBC40000-0x000001D1FBC50000-memory.dmp

Filesize
64KB

Download
memory/4504-382-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4504-305-0x000001D1FBC40000-0x000001D1FBC50000-memory.dmp

Filesize
64KB

Download
memory/4504-293-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4576-14-0x0000018C6C9D0000-0x0000018C6C9E0000-memory.dmp

Filesize
64KB

Download
memory/4576-96-0x0000018C6C9D0000-0x0000018C6C9E0000-memory.dmp

Filesize
64KB

Download
memory/4576-15-0x0000018C6C9D0000-0x0000018C6C9E0000-memory.dmp

Filesize
64KB

Download
memory/4576-100-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4576-48-0x0000018C6C9D0000-0x0000018C6C9E0000-memory.dmp

Filesize
64KB

Download
memory/4576-12-0x00007FFE2D520000-0x00007FFE2DF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4604-115-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4604-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4604-1-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4836-277-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4836-273-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4836-276-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4836-393-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4836-278-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4836-279-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download