7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
600s
max time network
606s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1912	netsh.exe
836	netsh.exe
1804	netsh.exe
320	netsh.exe
2484	netsh.exe
2432	netsh.exe
1572	netsh.exe
2644	netsh.exe
2496	netsh.exe
2580	netsh.exe
2464	netsh.exe
1852	netsh.exe
2960	netsh.exe
2660	netsh.exe

Executes dropped EXE 6 IoCs

Processes:

svchost.exe~tl95F9.tmpsvchost.exe~tlBBD0.tmpsvchost.exe~tl7149.tmp

pid process

1688 svchost.exe
1744 ~tl95F9.tmp
1888 svchost.exe
1072 ~tlBBD0.tmp
2988 svchost.exe
2300 ~tl7149.tmp

pid	process
1688	svchost.exe
1744	~tl95F9.tmp
1888	svchost.exe
1072	~tlBBD0.tmp
2988	svchost.exe
2300	~tl7149.tmp

Loads dropped DLL 11 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl95F9.tmpsvchost.exetaskeng.exesvchost.exe

pid	process
2200	svchost_dump_SCY - Copy.exe
2200	svchost_dump_SCY - Copy.exe
1688	svchost.exe
1688	svchost.exe
1744	~tl95F9.tmp
1744	~tl95F9.tmp
1888	svchost.exe
1888	svchost.exe
1084	taskeng.exe
2988	svchost.exe
2988	svchost.exe

Drops file in System32 directory 9 IoCs

Processes:

~tl7149.tmppowershell.exesvchost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl7149.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl7149.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exe~tl95F9.tmpsvchost.exesvchost.exesvchost_dump_SCY - Copy.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl95F9.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl95F9.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1748 schtasks.exe
1604 schtasks.exe

pid	process
1748	schtasks.exe
1604	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exenetsh.exe~tl7149.tmpnetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tl7149.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\ee-50-19-7b-f1-8d	~tl7149.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-50-19-7b-f1-8d\WpadDecisionTime = b0989a24df8cda01	~tl7149.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-50-19-7b-f1-8d\WpadDecision = "0"	~tl7149.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadDecisionReason = "1"	~tl7149.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadDecision = "0"	~tl7149.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl7149.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadNetworkName = "Network 3"	~tl7149.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-50-19-7b-f1-8d\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl7149.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl7149.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadNetworkName = "Network 3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-50-19-7b-f1-8d\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl7149.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl7149.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl7149.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl7149.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl7149.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl7149.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadDecisionTime = b0989a24df8cda01	~tl7149.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-50-19-7b-f1-8d	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}\WpadDecisionTime = 10f2c80fdf8cda01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090b29b1adf8cda01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	~tl7149.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-50-19-7b-f1-8d\WpadDetectedUrl	~tl7149.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D692452E-6920-4C45-9F4B-CE5205204966}	~tl7149.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-50-19-7b-f1-8d\WpadDecisionTime = 10f2c80fdf8cda01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl95F9.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlBBD0.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl7149.tmppowershell.exepowershell.exe

pid	process
2552	powershell.exe
2880	powershell.exe
2200	svchost_dump_SCY - Copy.exe
3020	powershell.exe
1556	powershell.exe
1744	~tl95F9.tmp
3064	powershell.exe
1816	powershell.exe
1744	~tl95F9.tmp
1888	svchost.exe
1880	powershell.exe
2760	powershell.exe
1072	~tlBBD0.tmp
2848	powershell.exe
2972	powershell.exe
2988	svchost.exe
2460	powershell.exe
1880	powershell.exe
2300	~tl7149.tmp
1624	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2056	WMIC.exe
Token: SeSecurityPrivilege	2056	WMIC.exe
Token: SeTakeOwnershipPrivilege	2056	WMIC.exe
Token: SeLoadDriverPrivilege	2056	WMIC.exe
Token: SeSystemProfilePrivilege	2056	WMIC.exe
Token: SeSystemtimePrivilege	2056	WMIC.exe
Token: SeProfSingleProcessPrivilege	2056	WMIC.exe
Token: SeIncBasePriorityPrivilege	2056	WMIC.exe
Token: SeCreatePagefilePrivilege	2056	WMIC.exe
Token: SeBackupPrivilege	2056	WMIC.exe
Token: SeRestorePrivilege	2056	WMIC.exe
Token: SeShutdownPrivilege	2056	WMIC.exe
Token: SeDebugPrivilege	2056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2056	WMIC.exe
Token: SeRemoteShutdownPrivilege	2056	WMIC.exe
Token: SeUndockPrivilege	2056	WMIC.exe
Token: SeManageVolumePrivilege	2056	WMIC.exe
Token: 33	2056	WMIC.exe
Token: 34	2056	WMIC.exe
Token: 35	2056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2056	WMIC.exe
Token: SeSecurityPrivilege	2056	WMIC.exe
Token: SeTakeOwnershipPrivilege	2056	WMIC.exe
Token: SeLoadDriverPrivilege	2056	WMIC.exe
Token: SeSystemProfilePrivilege	2056	WMIC.exe
Token: SeSystemtimePrivilege	2056	WMIC.exe
Token: SeProfSingleProcessPrivilege	2056	WMIC.exe
Token: SeIncBasePriorityPrivilege	2056	WMIC.exe
Token: SeCreatePagefilePrivilege	2056	WMIC.exe
Token: SeBackupPrivilege	2056	WMIC.exe
Token: SeRestorePrivilege	2056	WMIC.exe
Token: SeShutdownPrivilege	2056	WMIC.exe
Token: SeDebugPrivilege	2056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2056	WMIC.exe
Token: SeRemoteShutdownPrivilege	2056	WMIC.exe
Token: SeUndockPrivilege	2056	WMIC.exe
Token: SeManageVolumePrivilege	2056	WMIC.exe
Token: 33	2056	WMIC.exe
Token: 34	2056	WMIC.exe
Token: 35	2056	WMIC.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeSecurityPrivilege	2224	WMIC.exe
Token: SeTakeOwnershipPrivilege	2224	WMIC.exe
Token: SeLoadDriverPrivilege	2224	WMIC.exe
Token: SeSystemProfilePrivilege	2224	WMIC.exe
Token: SeSystemtimePrivilege	2224	WMIC.exe
Token: SeProfSingleProcessPrivilege	2224	WMIC.exe
Token: SeIncBasePriorityPrivilege	2224	WMIC.exe
Token: SeCreatePagefilePrivilege	2224	WMIC.exe
Token: SeBackupPrivilege	2224	WMIC.exe
Token: SeRestorePrivilege	2224	WMIC.exe
Token: SeShutdownPrivilege	2224	WMIC.exe
Token: SeDebugPrivilege	2224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2224	WMIC.exe
Token: SeRemoteShutdownPrivilege	2224	WMIC.exe
Token: SeUndockPrivilege	2224	WMIC.exe
Token: SeManageVolumePrivilege	2224	WMIC.exe
Token: 33	2224	WMIC.exe
Token: 34	2224	WMIC.exe
Token: 35	2224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeSecurityPrivilege	2224	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl95F9.tmp

description	pid	process	target process
PID 2200 wrote to memory of 2056	2200	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2200 wrote to memory of 2056	2200	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2200 wrote to memory of 2056	2200	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2200 wrote to memory of 2580	2200	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2200 wrote to memory of 2580	2200	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2200 wrote to memory of 2580	2200	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2200 wrote to memory of 2644	2200	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2200 wrote to memory of 2644	2200	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2200 wrote to memory of 2644	2200	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2200 wrote to memory of 2552	2200	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2200 wrote to memory of 2552	2200	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2200 wrote to memory of 2552	2200	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2200 wrote to memory of 2880	2200	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2200 wrote to memory of 2880	2200	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2200 wrote to memory of 2880	2200	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2200 wrote to memory of 1892	2200	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2200 wrote to memory of 1892	2200	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2200 wrote to memory of 1892	2200	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2200 wrote to memory of 1748	2200	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2200 wrote to memory of 1748	2200	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2200 wrote to memory of 1748	2200	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2200 wrote to memory of 1688	2200	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2200 wrote to memory of 1688	2200	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2200 wrote to memory of 1688	2200	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1688 wrote to memory of 2224	1688	svchost.exe	WMIC.exe
PID 1688 wrote to memory of 2224	1688	svchost.exe	WMIC.exe
PID 1688 wrote to memory of 2224	1688	svchost.exe	WMIC.exe
PID 1688 wrote to memory of 2464	1688	svchost.exe	netsh.exe
PID 1688 wrote to memory of 2464	1688	svchost.exe	netsh.exe
PID 1688 wrote to memory of 2464	1688	svchost.exe	netsh.exe
PID 1688 wrote to memory of 1912	1688	svchost.exe	netsh.exe
PID 1688 wrote to memory of 1912	1688	svchost.exe	netsh.exe
PID 1688 wrote to memory of 1912	1688	svchost.exe	netsh.exe
PID 1688 wrote to memory of 3020	1688	svchost.exe	powershell.exe
PID 1688 wrote to memory of 3020	1688	svchost.exe	powershell.exe
PID 1688 wrote to memory of 3020	1688	svchost.exe	powershell.exe
PID 1688 wrote to memory of 1556	1688	svchost.exe	powershell.exe
PID 1688 wrote to memory of 1556	1688	svchost.exe	powershell.exe
PID 1688 wrote to memory of 1556	1688	svchost.exe	powershell.exe
PID 1688 wrote to memory of 1744	1688	svchost.exe	~tl95F9.tmp
PID 1688 wrote to memory of 1744	1688	svchost.exe	~tl95F9.tmp
PID 1688 wrote to memory of 1744	1688	svchost.exe	~tl95F9.tmp
PID 1744 wrote to memory of 1784	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 1784	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 1784	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 1804	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 1804	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 1804	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 320	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 320	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 320	1744	~tl95F9.tmp	netsh.exe
PID 1744 wrote to memory of 3064	1744	~tl95F9.tmp	powershell.exe
PID 1744 wrote to memory of 3064	1744	~tl95F9.tmp	powershell.exe
PID 1744 wrote to memory of 3064	1744	~tl95F9.tmp	powershell.exe
PID 1744 wrote to memory of 1816	1744	~tl95F9.tmp	powershell.exe
PID 1744 wrote to memory of 1816	1744	~tl95F9.tmp	powershell.exe
PID 1744 wrote to memory of 1816	1744	~tl95F9.tmp	powershell.exe
PID 1744 wrote to memory of 1608	1744	~tl95F9.tmp	schtasks.exe
PID 1744 wrote to memory of 1608	1744	~tl95F9.tmp	schtasks.exe
PID 1744 wrote to memory of 1608	1744	~tl95F9.tmp	schtasks.exe
PID 1744 wrote to memory of 1604	1744	~tl95F9.tmp	schtasks.exe
PID 1744 wrote to memory of 1604	1744	~tl95F9.tmp	schtasks.exe
PID 1744 wrote to memory of 1604	1744	~tl95F9.tmp	schtasks.exe
PID 1744 wrote to memory of 1888	1744	~tl95F9.tmp	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2580

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2464

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Users\Admin\AppData\Local\Temp\~tl95F9.tmp
C:\Users\Admin\AppData\Local\Temp\~tl95F9.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1784

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1804

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:2436

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2484

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Users\Admin\AppData\Local\Temp\~tlBBD0.tmp
C:\Users\Admin\AppData\Local\Temp\~tlBBD0.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1212

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1852

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\system32\taskeng.exe
taskeng.exe {05D7D55F-45AC-433F-9865-AC5B4A272BDB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:2644

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2432

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\TEMP\~tl7149.tmp
C:\Windows\TEMP\~tl7149.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
- Modifies data under HKEY_USERS
PID:2328

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:836

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fba5f5b0a7aecac89c1c69d7ae7df7a8

SHA1
1d13543232521ec5e54cf91e0a02c6cdeab76a8e

SHA256
7cefe6394cc75430e2e503959d057e79aa836d18f9b294a9715cb64467e3e40b

SHA512
2dbe0b0bb8ac599e96f4d06db8cf91004d6506d5a989464c821397ee254ece933faa1a3f7142103f66d284a50ed51cab45c0b512c904c5b30dcf159b9d2b7165

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a387f9e6a990e55a879db017f123f200

SHA1
f5381df28a85859450da645b25ae9c3edd8014ce

SHA256
18b2258d83a9dabea3988d2661cbd93e1661ff16b9c81c408c18a616d1274d84

SHA512
bd5f1621fd919b182dba7aa469bca0c3da272aa6b9a4e5d5efcec9284f100e97958973f2e281beb14843319589cba9283e64b6689210829f739dd40aa0071b13

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.2MB

MD5
4ae713ba519785eb2be144b62587e775

SHA1
12b478ade5cbce797b21acef68dc0849d62c244d

SHA256
0f32616e3276f1e392465eebe3c3f8df5fd57555f8a8b69038c01f1ac889ccfc

SHA512
dc3b54c6b3a9734bb25208882c80b7c5ddf45f99c189cdff8dbf7e14c7baae789360d7c1337600dac2a8b386942344d309f3761bbb73b631a183d0e43c7f4191

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\~tl95F9.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
\Users\Admin\AppData\Local\Temp\~tlBBD0.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
\Windows\system\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
memory/1072-201-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1072-200-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1072-227-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1072-202-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1556-55-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1556-56-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/1556-59-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/1556-60-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/1556-76-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/1556-58-0x0000000002A4B000-0x0000000002AB2000-memory.dmp

Filesize
412KB

Download
memory/1556-57-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1688-61-0x000000001A0D0000-0x000000001A5B2000-memory.dmp

Filesize
4.9MB

Download
memory/1688-35-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1688-120-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1688-33-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1744-121-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1744-122-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1744-123-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1744-163-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1816-140-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1816-141-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-142-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1816-145-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1816-147-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-178-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1880-186-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-177-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-179-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-184-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1880-185-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/1888-199-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1888-166-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1888-161-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1888-162-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2200-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2200-31-0x000000001ED70000-0x000000001F3A6000-memory.dmp

Filesize
6.2MB

Download
memory/2200-32-0x000000001ED70000-0x000000001F3A6000-memory.dmp

Filesize
6.2MB

Download
memory/2200-21-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2200-34-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2300-271-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2300-287-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2552-13-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2552-12-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-20-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-15-0x0000000002A44000-0x0000000002A47000-memory.dmp

Filesize
12KB

Download
memory/2552-17-0x0000000002A4B000-0x0000000002AB2000-memory.dmp

Filesize
412KB

Download
memory/2552-16-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-187-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2760-188-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-183-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2760-182-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-181-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2760-180-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-208-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-10-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2880-11-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2880-14-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2880-18-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/2880-19-0x00000000022E0000-0x0000000002360000-memory.dmp

Filesize
512KB

Download
memory/2988-239-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2988-256-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2988-267-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3020-45-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-46-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/3020-50-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-41-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/3020-49-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/3020-43-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-44-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/3020-42-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/3064-146-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-131-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-134-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/3064-139-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-143-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/3064-144-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/3064-130-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/3064-129-0x000000001B150000-0x000000001B432000-memory.dmp

Filesize
2.9MB

Download