a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1198s
max time network
1199s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1984	netsh.exe
1804	netsh.exe
4320	netsh.exe
5072	netsh.exe
2816	netsh.exe
3836	netsh.exe
2672	netsh.exe
2856	netsh.exe
4772	netsh.exe
688	netsh.exe
432	netsh.exe
4844	netsh.exe
4156	netsh.exe
2720	netsh.exe

Executes dropped EXE 8 IoCs

Processes:

svchost.exe~tlF723.tmpsvchost.exe~tlD667.tmpsvchost.exe~tlFB17.tmpsvchost.exe~tl60C9.tmp

pid process

544 svchost.exe
4844 ~tlF723.tmp
3156 svchost.exe
1408 ~tlD667.tmp
216 svchost.exe
4908 ~tlFB17.tmp
420 svchost.exe
540 ~tl60C9.tmp

pid	process
544	svchost.exe
4844	~tlF723.tmp
3156	svchost.exe
1408	~tlD667.tmp
216	svchost.exe
4908	~tlFB17.tmp
420	svchost.exe
540	~tl60C9.tmp

Drops file in System32 directory 24 IoCs

Processes:

~tlFB17.tmppowershell.exe~tl60C9.tmpsvchost.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlFB17.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\J153HDZJ.htm	~tl60C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72F69839B678B3EFA9DBC1C158DE06B9	~tl60C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlFB17.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	~tl60C9.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl60C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	~tl60C9.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72F69839B678B3EFA9DBC1C158DE06B9	~tl60C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl60C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

~tlF723.tmpsvchost.exetmp.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	~tlF723.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	~tlF723.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4492 schtasks.exe
1916 schtasks.exe

pid	process
4492	schtasks.exe
1916	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exenetsh.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl60C9.tmpnetsh.exe~tlFB17.tmpnetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tl60C9.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tlFB17.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tlF723.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlD667.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlFB17.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
3608	tmp.exe
3608	tmp.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
2364	powershell.exe
2364	powershell.exe
2364	powershell.exe
4844	~tlF723.tmp
4844	~tlF723.tmp
1368	powershell.exe
1368	powershell.exe
4288	powershell.exe
1368	powershell.exe
4288	powershell.exe
4288	powershell.exe
4844	~tlF723.tmp
4844	~tlF723.tmp
3156	svchost.exe
3156	svchost.exe
3492	powershell.exe
3492	powershell.exe
4440	powershell.exe
3492	powershell.exe
4440	powershell.exe
4440	powershell.exe
1408	~tlD667.tmp
1408	~tlD667.tmp
1696	powershell.exe
1696	powershell.exe
2236	powershell.exe
2236	powershell.exe
1696	powershell.exe
2236	powershell.exe
216	svchost.exe
216	svchost.exe
3348	powershell.exe
3348	powershell.exe
716	powershell.exe
3348	powershell.exe
716	powershell.exe
716	powershell.exe
4908	~tlFB17.tmp
4908	~tlFB17.tmp
3488	powershell.exe
3488	powershell.exe
844	powershell.exe
3488	powershell.exe
844	powershell.exe
844	powershell.exe
420	svchost.exe
420	svchost.exe
456	powershell.exe
456	powershell.exe
2272	powershell.exe
456	powershell.exe
2272	powershell.exe
2272	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	3628	powershell.exe
Token: SeSecurityPrivilege	3628	powershell.exe
Token: SeTakeOwnershipPrivilege	3628	powershell.exe
Token: SeLoadDriverPrivilege	3628	powershell.exe
Token: SeSystemProfilePrivilege	3628	powershell.exe
Token: SeSystemtimePrivilege	3628	powershell.exe
Token: SeProfSingleProcessPrivilege	3628	powershell.exe
Token: SeIncBasePriorityPrivilege	3628	powershell.exe
Token: SeCreatePagefilePrivilege	3628	powershell.exe
Token: SeBackupPrivilege	3628	powershell.exe
Token: SeRestorePrivilege	3628	powershell.exe
Token: SeShutdownPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeSystemEnvironmentPrivilege	3628	powershell.exe
Token: SeRemoteShutdownPrivilege	3628	powershell.exe
Token: SeUndockPrivilege	3628	powershell.exe
Token: SeManageVolumePrivilege	3628	powershell.exe
Token: 33	3628	powershell.exe
Token: 34	3628	powershell.exe
Token: 35	3628	powershell.exe
Token: 36	3628	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeIncreaseQuotaPrivilege	3024	powershell.exe
Token: SeSecurityPrivilege	3024	powershell.exe
Token: SeTakeOwnershipPrivilege	3024	powershell.exe
Token: SeLoadDriverPrivilege	3024	powershell.exe
Token: SeSystemProfilePrivilege	3024	powershell.exe
Token: SeSystemtimePrivilege	3024	powershell.exe
Token: SeProfSingleProcessPrivilege	3024	powershell.exe
Token: SeIncBasePriorityPrivilege	3024	powershell.exe
Token: SeCreatePagefilePrivilege	3024	powershell.exe
Token: SeBackupPrivilege	3024	powershell.exe
Token: SeRestorePrivilege	3024	powershell.exe
Token: SeShutdownPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeSystemEnvironmentPrivilege	3024	powershell.exe
Token: SeRemoteShutdownPrivilege	3024	powershell.exe
Token: SeUndockPrivilege	3024	powershell.exe
Token: SeManageVolumePrivilege	3024	powershell.exe
Token: 33	3024	powershell.exe
Token: 34	3024	powershell.exe
Token: 35	3024	powershell.exe
Token: 36	3024	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeIncreaseQuotaPrivilege	1368	powershell.exe
Token: SeSecurityPrivilege	1368	powershell.exe
Token: SeTakeOwnershipPrivilege	1368	powershell.exe
Token: SeLoadDriverPrivilege	1368	powershell.exe
Token: SeSystemProfilePrivilege	1368	powershell.exe
Token: SeSystemtimePrivilege	1368	powershell.exe
Token: SeProfSingleProcessPrivilege	1368	powershell.exe
Token: SeIncBasePriorityPrivilege	1368	powershell.exe
Token: SeCreatePagefilePrivilege	1368	powershell.exe
Token: SeBackupPrivilege	1368	powershell.exe
Token: SeRestorePrivilege	1368	powershell.exe
Token: SeShutdownPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeSystemEnvironmentPrivilege	1368	powershell.exe
Token: SeRemoteShutdownPrivilege	1368	powershell.exe
Token: SeUndockPrivilege	1368	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tlF723.tmpsvchost.exe~tlD667.tmpsvchost.exe

description	pid	process	target process
PID 3608 wrote to memory of 3628	3608	tmp.exe	powershell.exe
PID 3608 wrote to memory of 3628	3608	tmp.exe	powershell.exe
PID 3608 wrote to memory of 5080	3608	tmp.exe	powershell.exe
PID 3608 wrote to memory of 5080	3608	tmp.exe	powershell.exe
PID 3608 wrote to memory of 3348	3608	tmp.exe	schtasks.exe
PID 3608 wrote to memory of 3348	3608	tmp.exe	schtasks.exe
PID 3608 wrote to memory of 4492	3608	tmp.exe	schtasks.exe
PID 3608 wrote to memory of 4492	3608	tmp.exe	schtasks.exe
PID 3608 wrote to memory of 544	3608	tmp.exe	svchost.exe
PID 3608 wrote to memory of 544	3608	tmp.exe	svchost.exe
PID 544 wrote to memory of 3024	544	svchost.exe	powershell.exe
PID 544 wrote to memory of 3024	544	svchost.exe	powershell.exe
PID 544 wrote to memory of 2364	544	svchost.exe	powershell.exe
PID 544 wrote to memory of 2364	544	svchost.exe	powershell.exe
PID 544 wrote to memory of 4844	544	svchost.exe	~tlF723.tmp
PID 544 wrote to memory of 4844	544	svchost.exe	~tlF723.tmp
PID 4844 wrote to memory of 3800	4844	~tlF723.tmp	netsh.exe
PID 4844 wrote to memory of 3800	4844	~tlF723.tmp	netsh.exe
PID 4844 wrote to memory of 2816	4844	~tlF723.tmp	netsh.exe
PID 4844 wrote to memory of 2816	4844	~tlF723.tmp	netsh.exe
PID 4844 wrote to memory of 1984	4844	~tlF723.tmp	netsh.exe
PID 4844 wrote to memory of 1984	4844	~tlF723.tmp	netsh.exe
PID 4844 wrote to memory of 1368	4844	~tlF723.tmp	powershell.exe
PID 4844 wrote to memory of 1368	4844	~tlF723.tmp	powershell.exe
PID 4844 wrote to memory of 4288	4844	~tlF723.tmp	powershell.exe
PID 4844 wrote to memory of 4288	4844	~tlF723.tmp	powershell.exe
PID 4844 wrote to memory of 2832	4844	~tlF723.tmp	schtasks.exe
PID 4844 wrote to memory of 2832	4844	~tlF723.tmp	schtasks.exe
PID 4844 wrote to memory of 1916	4844	~tlF723.tmp	schtasks.exe
PID 4844 wrote to memory of 1916	4844	~tlF723.tmp	schtasks.exe
PID 4844 wrote to memory of 3156	4844	~tlF723.tmp	svchost.exe
PID 4844 wrote to memory of 3156	4844	~tlF723.tmp	svchost.exe
PID 3156 wrote to memory of 208	3156	svchost.exe	netsh.exe
PID 3156 wrote to memory of 208	3156	svchost.exe	netsh.exe
PID 3156 wrote to memory of 4156	3156	svchost.exe	netsh.exe
PID 3156 wrote to memory of 4156	3156	svchost.exe	netsh.exe
PID 3156 wrote to memory of 4772	3156	svchost.exe	netsh.exe
PID 3156 wrote to memory of 4772	3156	svchost.exe	netsh.exe
PID 3156 wrote to memory of 3492	3156	svchost.exe	powershell.exe
PID 3156 wrote to memory of 3492	3156	svchost.exe	powershell.exe
PID 3156 wrote to memory of 4440	3156	svchost.exe	powershell.exe
PID 3156 wrote to memory of 4440	3156	svchost.exe	powershell.exe
PID 3156 wrote to memory of 1408	3156	svchost.exe	~tlD667.tmp
PID 3156 wrote to memory of 1408	3156	svchost.exe	~tlD667.tmp
PID 1408 wrote to memory of 2924	1408	~tlD667.tmp	netsh.exe
PID 1408 wrote to memory of 2924	1408	~tlD667.tmp	netsh.exe
PID 1408 wrote to memory of 1804	1408	~tlD667.tmp	netsh.exe
PID 1408 wrote to memory of 1804	1408	~tlD667.tmp	netsh.exe
PID 1408 wrote to memory of 688	1408	~tlD667.tmp	netsh.exe
PID 1408 wrote to memory of 688	1408	~tlD667.tmp	netsh.exe
PID 1408 wrote to memory of 1696	1408	~tlD667.tmp	powershell.exe
PID 1408 wrote to memory of 1696	1408	~tlD667.tmp	powershell.exe
PID 1408 wrote to memory of 2236	1408	~tlD667.tmp	powershell.exe
PID 1408 wrote to memory of 2236	1408	~tlD667.tmp	powershell.exe
PID 216 wrote to memory of 3544	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 3544	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 4320	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 4320	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 432	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 432	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 3348	216	svchost.exe	powershell.exe
PID 216 wrote to memory of 3348	216	svchost.exe	powershell.exe
PID 216 wrote to memory of 716	216	svchost.exe	powershell.exe
PID 216 wrote to memory of 716	216	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:3348

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4492

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Users\Admin\AppData\Local\Temp\~tlF723.tmp
C:\Users\Admin\AppData\Local\Temp\~tlF723.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:3800

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2816

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2832

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:208

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4156

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Users\Admin\AppData\Local\Temp\~tlD667.tmp
C:\Users\Admin\AppData\Local\Temp\~tlD667.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:2924

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1804

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:3544

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4320

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:716

C:\Windows\TEMP\~tlFB17.tmp
C:\Windows\TEMP\~tlFB17.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:4148

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:5072

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:844

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:420

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:468

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3836

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\TEMP\~tl60C9.tmp
C:\Windows\TEMP\~tl60C9.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:540

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:4792

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2856

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26f4ec4db9c5e7147c11c4f3b070582b

SHA1
63ac4ca27a1c85a032502912d667e806898b597a

SHA256
b630855214bc3740aa2dcd05cd2522352d3fb4901e8c9ecfde982a3be68f1f0e

SHA512
6c0da84c60874b0b728e3ca00a88582f3c5d1ddf4cc9acdb7cff792e9b41ea8c11de00aa8a6ab02589cbc43676e544261c289a42a185296e72ebadebf8140f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70f9cdde78ac5040e72106930c010521

SHA1
4881c39064221d36a1d9bc77c2be62043bf2c50b

SHA256
e87b7d9cc69f00eba3bdef718f7a9287e63bc675ee4688e046c1d9b0f9635351

SHA512
614b9ea7886839759ce7c5275773b53b54f5ce1fe49bb661568ceef22438209feabb7ddcc913395ab80d9cd7b2847851c82a02366bebc4c946e2e5b9c3e73bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0d6d65d9abdf3a43045aafabec7ef01

SHA1
c7159c8d95ee17589c959eb3ca827420dcac49d8

SHA256
ea4c6b4e1c7f543b3dd1a668ed6929f537131074a4f1a74925564747bc5080ea

SHA512
88360e9330b9bee3688ab6eaaa47f36d3d2296fa614cdcbe430a393231cce2a1fd9f8067d7ee9fd0acab19b215c24f7b975799eeeb213604fed90ae6660f8f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f1d27d294a314ef0b1e0e474a3de587

SHA1
8a9ac0b3db9e0247946e8375fcbb70b356b3f5a1

SHA256
60fe9391fdcaac11de7c8945b568d0781a924077251a12a90d163e4da66b02d1

SHA512
9f9af2603bc1ce68070a71e7d39e5e3dce11dd2d60c9a158500a8bb9db65325333bd6490a878610655f4a74e7d8a84303fd6cabda3f5839b16ac53e428dbf979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
611bb420ccec4ea633236f19acaef002

SHA1
63ace7957ee61d7629a2c986cd0cccb1134c6da3

SHA256
a00da965d3907da803179952756dfcdebbdd20138f72732f70916976b5b7ff1b

SHA512
e9d64d31347e2212263c2562d2d7e2075cc6c76465293d77f7d6689c40d0ce191c863dd46a4efdfc366ecadd288abe7d1780ff67f29b3802cdfb40947d8bc4dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
612B

MD5
abfce130f0fbfa245476a1f2e9282727

SHA1
a504e4159fe236ee235a17e8aac728d7f75bc44a

SHA256
4c82dae28b582569113582a2f481ec434c085863be4bd8d750ce6c6642de84dc

SHA512
22603c045f12bfb7c5a634e6fa4b4b258b6a0d477731625e93233268e726c18196eee8af6a5ec2c6030d8c674ae80f54fcae18e14ba80fd72c3b70f3d80810cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a1cfdbd68ee8e1c3e6b47ecf06b5651

SHA1
65a05c9f6a331e28e8f7e263308d3fa959630ef9

SHA256
9563a210072b3a36883ed728760d46113994073eb266d3ed81ce4d51827af20b

SHA512
2fa08c392f2dff0250bd00c1b86afbee36666f8ce08845210ee3a259014f6a58300819cd32dd60dedd321383c3d876502fb181ea1028a78e03d544c522f5f859

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0h1d1vi4.4v2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlD667.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlF723.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
192B

MD5
ed1a3f54a3c7def0665a9fb59fd1e388

SHA1
5817d6aca61412341fc0af7d0390128fb4a5ec71

SHA256
54e5013daba84f1e56535fa6b3e454ac64e5dad679863208e58f7f551a6331cc

SHA512
a567f53be6a61c724ac120302d0acaec95b53012b680c20c4b955d77747bbdaebc93ca4b6353c2f794c6ffd407e84a42e2cf0f856d275baec08d4e2ab6bc673d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
19bd737da639051fac9de903c422c49a

SHA1
63ece7600e87bda5bb2c2d7f6b31d766426ed4c4

SHA256
5d25184423337f65668b623a760a406e8dfb369ed6e6068febbe273b6ac53a39

SHA512
c097f035ea03a4372282f840faf50057db4cdb08de1ff78bc4d4f620e59740195c1821b4388db970b974e8af8152267f7857d9de160fb5fdc61a2ce6a0873758

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
39f931a79be89a693b0a7494a3b858c5

SHA1
ae286d9a760c7f45d1d64766dd6a77dad239669c

SHA256
3f731b0858d79afbab2f4cc320774e2cf043a72062f21e4bd8cfe5600d36a57b

SHA512
1bf9cb9993c784074a76c6e67878edbc9e682fcd02dcc056275312a5527cdae0f3854deeb3e688b483541c37d425acfb28893b92f9596fe31f62818266b438b1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
84c8790923b202b5722aa540ff5c2855

SHA1
38a60c959b86c888cfff80d54b74361348d9e655

SHA256
97ea7b86ae391cf26026e39f5fc8603a108cbe5b5d5442782bb5b4cb721b1e2c

SHA512
7240520303f5ddb30804ad5a67f2060e90cdef36abb124bec70695cee614cbf754f7301e136f45e26e8763f886d4e73003601632e829ab773d161ba58ab473ab

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-991-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/216-665-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/544-313-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/544-227-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/544-124-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/544-119-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/544-121-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1368-321-0x00000266BE520000-0x00000266BE530000-memory.dmp

Filesize
64KB

Download
memory/1368-403-0x00000266BE520000-0x00000266BE530000-memory.dmp

Filesize
64KB

Download
memory/1368-320-0x00000266BE520000-0x00000266BE530000-memory.dmp

Filesize
64KB

Download
memory/1368-416-0x00007FF8BC450000-0x00007FF8BCE3C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-318-0x00007FF8BC450000-0x00007FF8BCE3C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-354-0x00000266BE520000-0x00000266BE530000-memory.dmp

Filesize
64KB

Download
memory/1408-542-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1408-645-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1408-537-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1408-539-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1408-540-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1408-541-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2364-179-0x00000212ECC70000-0x00000212ECC80000-memory.dmp

Filesize
64KB

Download
memory/2364-196-0x00000212ECC70000-0x00000212ECC80000-memory.dmp

Filesize
64KB

Download
memory/2364-223-0x00000212ECC70000-0x00000212ECC80000-memory.dmp

Filesize
64KB

Download
memory/2364-226-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-180-0x00000212ECC70000-0x00000212ECC80000-memory.dmp

Filesize
64KB

Download
memory/2364-178-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-170-0x000001CFFD3D0000-0x000001CFFD3E0000-memory.dmp

Filesize
64KB

Download
memory/3024-173-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-147-0x000001CFFD3D0000-0x000001CFFD3E0000-memory.dmp

Filesize
64KB

Download
memory/3024-132-0x000001CFFD3D0000-0x000001CFFD3E0000-memory.dmp

Filesize
64KB

Download
memory/3024-131-0x000001CFFD3D0000-0x000001CFFD3E0000-memory.dmp

Filesize
64KB

Download
memory/3024-130-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/3156-538-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3156-427-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3156-425-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3156-424-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3492-529-0x00007FF8BC4C0000-0x00007FF8BCEAC000-memory.dmp

Filesize
9.9MB

Download
memory/3492-520-0x0000022A1A6B0000-0x0000022A1A6C0000-memory.dmp

Filesize
64KB

Download
memory/3492-459-0x0000022A1A6B0000-0x0000022A1A6C0000-memory.dmp

Filesize
64KB

Download
memory/3492-434-0x0000022A1A6B0000-0x0000022A1A6C0000-memory.dmp

Filesize
64KB

Download
memory/3492-433-0x0000022A1A6B0000-0x0000022A1A6C0000-memory.dmp

Filesize
64KB

Download
memory/3492-430-0x00007FF8BC4C0000-0x00007FF8BCEAC000-memory.dmp

Filesize
9.9MB

Download
memory/3608-6-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3608-122-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3608-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3608-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3608-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3608-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3608-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3628-57-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/3628-16-0x0000015828990000-0x00000158289A0000-memory.dmp

Filesize
64KB

Download
memory/3628-30-0x0000015828990000-0x00000158289A0000-memory.dmp

Filesize
64KB

Download
memory/3628-53-0x0000015828990000-0x00000158289A0000-memory.dmp

Filesize
64KB

Download
memory/3628-11-0x0000015828930000-0x0000015828952000-memory.dmp

Filesize
136KB

Download
memory/3628-12-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/3628-14-0x0000015828990000-0x00000158289A0000-memory.dmp

Filesize
64KB

Download
memory/3628-17-0x0000015828B20000-0x0000015828B96000-memory.dmp

Filesize
472KB

Download
memory/4288-375-0x000002BA1D540000-0x000002BA1D550000-memory.dmp

Filesize
64KB

Download
memory/4288-327-0x00007FF8BC450000-0x00007FF8BCE3C000-memory.dmp

Filesize
9.9MB

Download
memory/4288-330-0x000002BA1D540000-0x000002BA1D550000-memory.dmp

Filesize
64KB

Download
memory/4288-415-0x00007FF8BC450000-0x00007FF8BCE3C000-memory.dmp

Filesize
9.9MB

Download
memory/4288-409-0x000002BA1D540000-0x000002BA1D550000-memory.dmp

Filesize
64KB

Download
memory/4288-331-0x000002BA1D540000-0x000002BA1D550000-memory.dmp

Filesize
64KB

Download
memory/4440-522-0x0000020DC9990000-0x0000020DC99A0000-memory.dmp

Filesize
64KB

Download
memory/4440-438-0x00007FF8BC4C0000-0x00007FF8BCEAC000-memory.dmp

Filesize
9.9MB

Download
memory/4440-525-0x00007FF8BC4C0000-0x00007FF8BCEAC000-memory.dmp

Filesize
9.9MB

Download
memory/4440-482-0x0000020DC9990000-0x0000020DC99A0000-memory.dmp

Filesize
64KB

Download
memory/4440-442-0x0000020DC9990000-0x0000020DC99A0000-memory.dmp

Filesize
64KB

Download
memory/4440-443-0x0000020DC9990000-0x0000020DC99A0000-memory.dmp

Filesize
64KB

Download
memory/4844-300-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4844-299-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4844-314-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4844-426-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4844-302-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4844-301-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4908-995-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4908-1312-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/5080-111-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/5080-108-0x000002A511AF0000-0x000002A511B00000-memory.dmp

Filesize
64KB

Download
memory/5080-81-0x000002A511AF0000-0x000002A511B00000-memory.dmp

Filesize
64KB

Download
memory/5080-62-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp

Filesize
9.9MB

Download
memory/5080-65-0x000002A511AF0000-0x000002A511B00000-memory.dmp

Filesize
64KB

Download
memory/5080-64-0x000002A511AF0000-0x000002A511B00000-memory.dmp

Filesize
64KB

Download