7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1194s
max time network
1202s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4344	netsh.exe
2440	netsh.exe
4736	netsh.exe
4204	netsh.exe
3656	netsh.exe
1644	netsh.exe
540	netsh.exe
5112	netsh.exe
4352	netsh.exe
2500	netsh.exe
1412	netsh.exe
4824	netsh.exe
1528	netsh.exe
4880	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe~tlEE22.tmpsvchost.exe~tlC8F1.tmpsvchost_dump_SCY - Copy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	~tlEE22.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	~tlC8F1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exesvchost.exe~tlEE22.tmpsvchost.exe~tlC8F1.tmpsvchost.exe~tl2962.tmp

pid process

4244 svchost.exe
1992 svchost.exe
876 ~tlEE22.tmp
1500 svchost.exe
976 ~tlC8F1.tmp
3660 svchost.exe
2012 ~tl2962.tmp

pid	process
4244	svchost.exe
1992	svchost.exe
876	~tlEE22.tmp
1500	svchost.exe
976	~tlC8F1.tmp
3660	svchost.exe
2012	~tl2962.tmp

Drops file in System32 directory 18 IoCs

Processes:

~tl2962.tmppowershell.exesvchost.exesvchost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	~tl2962.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	~tl2962.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	~tl2962.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_28C82A231548529DB24817D9458A0019	~tl2962.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl2962.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8	~tl2962.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8	~tl2962.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_28C82A231548529DB24817D9458A0019	~tl2962.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	~tl2962.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\Q63M5J4H.htm	~tl2962.tmp

Drops file in Windows directory 8 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tlEE22.tmpsvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tlEE22.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tlEE22.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5032 schtasks.exe
2068 schtasks.exe

pid	process
5032	schtasks.exe
2068	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl2962.tmpsvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl2962.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	~tl2962.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tl2962.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tlEE22.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlC8F1.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl2962.tmppowershell.exepowershell.exe

pid	process
4236	powershell.exe
4236	powershell.exe
3192	powershell.exe
3192	powershell.exe
4236	powershell.exe
3192	powershell.exe
1444	svchost_dump_SCY - Copy.exe
1444	svchost_dump_SCY - Copy.exe
2432	powershell.exe
2432	powershell.exe
4652	powershell.exe
4652	powershell.exe
876	~tlEE22.tmp
876	~tlEE22.tmp
836	powershell.exe
4744	powershell.exe
836	powershell.exe
4744	powershell.exe
876	~tlEE22.tmp
876	~tlEE22.tmp
1500	svchost.exe
1500	svchost.exe
4656	powershell.exe
4656	powershell.exe
2920	powershell.exe
2920	powershell.exe
976	~tlC8F1.tmp
976	~tlC8F1.tmp
1412	powershell.exe
1412	powershell.exe
1804	powershell.exe
1804	powershell.exe
3660	svchost.exe
3660	svchost.exe
2420	powershell.exe
2420	powershell.exe
3664	powershell.exe
3664	powershell.exe
2012	~tl2962.tmp
2012	~tl2962.tmp
3860	powershell.exe
3860	powershell.exe
3496	powershell.exe
3496	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	224	WMIC.exe
Token: SeSecurityPrivilege	224	WMIC.exe
Token: SeTakeOwnershipPrivilege	224	WMIC.exe
Token: SeLoadDriverPrivilege	224	WMIC.exe
Token: SeSystemProfilePrivilege	224	WMIC.exe
Token: SeSystemtimePrivilege	224	WMIC.exe
Token: SeProfSingleProcessPrivilege	224	WMIC.exe
Token: SeIncBasePriorityPrivilege	224	WMIC.exe
Token: SeCreatePagefilePrivilege	224	WMIC.exe
Token: SeBackupPrivilege	224	WMIC.exe
Token: SeRestorePrivilege	224	WMIC.exe
Token: SeShutdownPrivilege	224	WMIC.exe
Token: SeDebugPrivilege	224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	224	WMIC.exe
Token: SeRemoteShutdownPrivilege	224	WMIC.exe
Token: SeUndockPrivilege	224	WMIC.exe
Token: SeManageVolumePrivilege	224	WMIC.exe
Token: 33	224	WMIC.exe
Token: 34	224	WMIC.exe
Token: 35	224	WMIC.exe
Token: 36	224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	224	WMIC.exe
Token: SeSecurityPrivilege	224	WMIC.exe
Token: SeTakeOwnershipPrivilege	224	WMIC.exe
Token: SeLoadDriverPrivilege	224	WMIC.exe
Token: SeSystemProfilePrivilege	224	WMIC.exe
Token: SeSystemtimePrivilege	224	WMIC.exe
Token: SeProfSingleProcessPrivilege	224	WMIC.exe
Token: SeIncBasePriorityPrivilege	224	WMIC.exe
Token: SeCreatePagefilePrivilege	224	WMIC.exe
Token: SeBackupPrivilege	224	WMIC.exe
Token: SeRestorePrivilege	224	WMIC.exe
Token: SeShutdownPrivilege	224	WMIC.exe
Token: SeDebugPrivilege	224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	224	WMIC.exe
Token: SeRemoteShutdownPrivilege	224	WMIC.exe
Token: SeUndockPrivilege	224	WMIC.exe
Token: SeManageVolumePrivilege	224	WMIC.exe
Token: 33	224	WMIC.exe
Token: 34	224	WMIC.exe
Token: 35	224	WMIC.exe
Token: 36	224	WMIC.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeIncreaseQuotaPrivilege	1372	WMIC.exe
Token: SeSecurityPrivilege	1372	WMIC.exe
Token: SeTakeOwnershipPrivilege	1372	WMIC.exe
Token: SeLoadDriverPrivilege	1372	WMIC.exe
Token: SeSystemProfilePrivilege	1372	WMIC.exe
Token: SeSystemtimePrivilege	1372	WMIC.exe
Token: SeProfSingleProcessPrivilege	1372	WMIC.exe
Token: SeIncBasePriorityPrivilege	1372	WMIC.exe
Token: SeCreatePagefilePrivilege	1372	WMIC.exe
Token: SeBackupPrivilege	1372	WMIC.exe
Token: SeRestorePrivilege	1372	WMIC.exe
Token: SeShutdownPrivilege	1372	WMIC.exe
Token: SeDebugPrivilege	1372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1372	WMIC.exe
Token: SeRemoteShutdownPrivilege	1372	WMIC.exe
Token: SeUndockPrivilege	1372	WMIC.exe
Token: SeManageVolumePrivilege	1372	WMIC.exe
Token: 33	1372	WMIC.exe
Token: 34	1372	WMIC.exe
Token: 35	1372	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exesvchost.exe~tlEE22.tmpsvchost.exe~tlC8F1.tmp

description	pid	process	target process
PID 1444 wrote to memory of 224	1444	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1444 wrote to memory of 224	1444	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1444 wrote to memory of 1412	1444	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1444 wrote to memory of 1412	1444	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1444 wrote to memory of 4824	1444	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1444 wrote to memory of 4824	1444	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1444 wrote to memory of 4236	1444	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1444 wrote to memory of 4236	1444	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1444 wrote to memory of 3192	1444	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1444 wrote to memory of 3192	1444	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1444 wrote to memory of 1068	1444	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1444 wrote to memory of 1068	1444	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1444 wrote to memory of 2068	1444	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1444 wrote to memory of 2068	1444	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1444 wrote to memory of 4244	1444	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1444 wrote to memory of 4244	1444	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4244 wrote to memory of 1372	4244	svchost.exe	WMIC.exe
PID 4244 wrote to memory of 1372	4244	svchost.exe	WMIC.exe
PID 4244 wrote to memory of 4344	4244	svchost.exe	netsh.exe
PID 4244 wrote to memory of 4344	4244	svchost.exe	netsh.exe
PID 4244 wrote to memory of 5112	4244	svchost.exe	netsh.exe
PID 4244 wrote to memory of 5112	4244	svchost.exe	netsh.exe
PID 4244 wrote to memory of 2432	4244	svchost.exe	powershell.exe
PID 4244 wrote to memory of 2432	4244	svchost.exe	powershell.exe
PID 4244 wrote to memory of 4652	4244	svchost.exe	powershell.exe
PID 4244 wrote to memory of 4652	4244	svchost.exe	powershell.exe
PID 1992 wrote to memory of 4496	1992	svchost.exe	WMIC.exe
PID 1992 wrote to memory of 4496	1992	svchost.exe	WMIC.exe
PID 4244 wrote to memory of 876	4244	svchost.exe	~tlEE22.tmp
PID 4244 wrote to memory of 876	4244	svchost.exe	~tlEE22.tmp
PID 876 wrote to memory of 3672	876	~tlEE22.tmp	netsh.exe
PID 876 wrote to memory of 3672	876	~tlEE22.tmp	netsh.exe
PID 876 wrote to memory of 3656	876	~tlEE22.tmp	netsh.exe
PID 876 wrote to memory of 3656	876	~tlEE22.tmp	netsh.exe
PID 876 wrote to memory of 1528	876	~tlEE22.tmp	netsh.exe
PID 876 wrote to memory of 1528	876	~tlEE22.tmp	netsh.exe
PID 876 wrote to memory of 836	876	~tlEE22.tmp	powershell.exe
PID 876 wrote to memory of 836	876	~tlEE22.tmp	powershell.exe
PID 876 wrote to memory of 4744	876	~tlEE22.tmp	powershell.exe
PID 876 wrote to memory of 4744	876	~tlEE22.tmp	powershell.exe
PID 876 wrote to memory of 752	876	~tlEE22.tmp	schtasks.exe
PID 876 wrote to memory of 752	876	~tlEE22.tmp	schtasks.exe
PID 876 wrote to memory of 5032	876	~tlEE22.tmp	schtasks.exe
PID 876 wrote to memory of 5032	876	~tlEE22.tmp	schtasks.exe
PID 876 wrote to memory of 1500	876	~tlEE22.tmp	svchost.exe
PID 876 wrote to memory of 1500	876	~tlEE22.tmp	svchost.exe
PID 1500 wrote to memory of 4884	1500	svchost.exe	netsh.exe
PID 1500 wrote to memory of 4884	1500	svchost.exe	netsh.exe
PID 1500 wrote to memory of 4352	1500	svchost.exe	netsh.exe
PID 1500 wrote to memory of 4352	1500	svchost.exe	netsh.exe
PID 1500 wrote to memory of 1644	1500	svchost.exe	netsh.exe
PID 1500 wrote to memory of 1644	1500	svchost.exe	netsh.exe
PID 1500 wrote to memory of 4656	1500	svchost.exe	powershell.exe
PID 1500 wrote to memory of 4656	1500	svchost.exe	powershell.exe
PID 1500 wrote to memory of 2920	1500	svchost.exe	powershell.exe
PID 1500 wrote to memory of 2920	1500	svchost.exe	powershell.exe
PID 1500 wrote to memory of 976	1500	svchost.exe	~tlC8F1.tmp
PID 1500 wrote to memory of 976	1500	svchost.exe	~tlC8F1.tmp
PID 976 wrote to memory of 2700	976	~tlC8F1.tmp	netsh.exe
PID 976 wrote to memory of 2700	976	~tlC8F1.tmp	netsh.exe
PID 976 wrote to memory of 2440	976	~tlC8F1.tmp	netsh.exe
PID 976 wrote to memory of 2440	976	~tlC8F1.tmp	netsh.exe
PID 976 wrote to memory of 2500	976	~tlC8F1.tmp	netsh.exe
PID 976 wrote to memory of 2500	976	~tlC8F1.tmp	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1412

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1068

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4344

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4652

C:\Users\Admin\AppData\Local\Temp\~tlEE22.tmp
C:\Users\Admin\AppData\Local\Temp\~tlEE22.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:3672

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3656

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:752

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:4884

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4352

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Users\Admin\AppData\Local\Temp\~tlC8F1.tmp
C:\Users\Admin\AppData\Local\Temp\~tlC8F1.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:2700

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2440

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:4496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3660

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2036

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4880

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3664

C:\Windows\TEMP\~tl2962.tmp
C:\Windows\TEMP\~tl2962.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3632

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:540

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
993af531f0b57e8128ec273731c3a8e2

SHA1
a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

SHA256
fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

SHA512
bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wscclaw.s25.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlC8F1.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlEE22.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
9bae03d3dc0f5cfd40507ee03ba5a765

SHA1
bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

SHA256
ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

SHA512
2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
6.7MB

MD5
0e228c49fdf3800585e8174010838f58

SHA1
0ded0768b2bf637720bd4f55c5095919dc9018be

SHA256
cb4ff9a8f9071d7e03b51f99cfd614f4bf5ffb65dd33cb69d86d0fa2c44766d3

SHA512
7262a61ebc0939e00f60ddd63f10c78459a343e0984600b8c0be75ea685774d5963998719097b28af33f861a789ba36d4045a6172c47f09d5be50e4cfc0b7cb0

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7a22a7645143d402a64234676e82ec6d

SHA1
e52ec10a13b720abafa50d3e7efcc79153b55364

SHA256
9897ad03faf215e59eada73f29494197103f6470a08ffb52072017e6f22f9e8f

SHA512
37f8f5f8075ed684662bda94301a6b086b9be1774e4651782108879edcae20be986c5e3aef7eafdeb6cc82791ca620aeacce08574c4edb75c98ab6e681b29535

Download Submit
memory/836-145-0x0000019599140000-0x0000019599150000-memory.dmp

Filesize
64KB

Download
memory/836-146-0x0000019599140000-0x0000019599150000-memory.dmp

Filesize
64KB

Download
memory/836-144-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/836-173-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/876-141-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/876-186-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/876-143-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/876-142-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/876-140-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/876-137-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/976-225-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/976-227-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/976-223-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/976-226-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/976-228-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/976-260-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1412-231-0x000002ED47FF0000-0x000002ED48000000-memory.dmp

Filesize
64KB

Download
memory/1412-255-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-230-0x000002ED47FF0000-0x000002ED48000000-memory.dmp

Filesize
64KB

Download
memory/1412-229-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/1444-26-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1444-44-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1444-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1500-185-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1500-187-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1500-224-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1500-184-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1804-258-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-252-0x000001E3A29F0000-0x000001E3A2A00000-memory.dmp

Filesize
64KB

Download
memory/1804-253-0x000001E3A29F0000-0x000001E3A2A00000-memory.dmp

Filesize
64KB

Download
memory/1804-251-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/1992-125-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1992-126-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2012-417-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2012-361-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2420-315-0x00000167B49A0000-0x00000167B49BC000-memory.dmp

Filesize
112KB

Download
memory/2420-284-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-285-0x0000016799FB0000-0x0000016799FC0000-memory.dmp

Filesize
64KB

Download
memory/2420-319-0x00007FF4DE110000-0x00007FF4DE120000-memory.dmp

Filesize
64KB

Download
memory/2420-321-0x0000016799FB0000-0x0000016799FC0000-memory.dmp

Filesize
64KB

Download
memory/2432-52-0x0000027140F70000-0x0000027140F80000-memory.dmp

Filesize
64KB

Download
memory/2432-56-0x0000027140F70000-0x0000027140F80000-memory.dmp

Filesize
64KB

Download
memory/2432-50-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

Filesize
10.8MB

Download
memory/2432-72-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

Filesize
10.8MB

Download
memory/2920-200-0x000001E9E7D10000-0x000001E9E7D20000-memory.dmp

Filesize
64KB

Download
memory/2920-199-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-206-0x000001E9E7D10000-0x000001E9E7D20000-memory.dmp

Filesize
64KB

Download
memory/2920-215-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-29-0x00000197CCC00000-0x00000197CCC10000-memory.dmp

Filesize
64KB

Download
memory/3192-14-0x00000197CCC00000-0x00000197CCC10000-memory.dmp

Filesize
64KB

Download
memory/3192-25-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-34-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-13-0x00000197CCC00000-0x00000197CCC10000-memory.dmp

Filesize
64KB

Download
memory/3660-283-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3660-281-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3660-355-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3660-280-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3664-320-0x00007FF4C4B20000-0x00007FF4C4B30000-memory.dmp

Filesize
64KB

Download
memory/3664-300-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-301-0x000001EC9CF10000-0x000001EC9CF20000-memory.dmp

Filesize
64KB

Download
memory/4236-30-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-11-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-12-0x000001DAB1A00000-0x000001DAB1A10000-memory.dmp

Filesize
64KB

Download
memory/4236-1-0x000001DAB19A0000-0x000001DAB19C2000-memory.dmp

Filesize
136KB

Download
memory/4236-20-0x000001DAB1A00000-0x000001DAB1A10000-memory.dmp

Filesize
64KB

Download
memory/4244-69-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4244-76-0x0000000036870000-0x0000000036D52000-memory.dmp

Filesize
4.9MB

Download
memory/4244-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4244-139-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4652-59-0x000001FF7EF20000-0x000001FF7EF30000-memory.dmp

Filesize
64KB

Download
memory/4652-58-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

Filesize
10.8MB

Download
memory/4652-70-0x000001FF7EF20000-0x000001FF7EF30000-memory.dmp

Filesize
64KB

Download
memory/4652-75-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

Filesize
10.8MB

Download
memory/4656-212-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-188-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-172-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-158-0x000002C116D20000-0x000002C116D30000-memory.dmp

Filesize
64KB

Download
memory/4744-157-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-147-0x000002C116D20000-0x000002C116D30000-memory.dmp

Filesize
64KB

Download