7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
300s
max time network
308s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 10 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1260 netsh.exe
2932 netsh.exe
672 netsh.exe
2140 netsh.exe
2184 netsh.exe
2560 netsh.exe
1936 netsh.exe
2992 netsh.exe
1488 netsh.exe
1964 netsh.exe
Executes dropped EXE 4 IoCs

Processes:

svchost.exe~tl105D.tmpsvchost.exe~tl2D65.tmp

pid process

2832 svchost.exe
2816 ~tl105D.tmp
4136 svchost.exe
2760 ~tl2D65.tmp

pid	process
1260	netsh.exe
2932	netsh.exe
672	netsh.exe
2140	netsh.exe
2184	netsh.exe
2560	netsh.exe
1936	netsh.exe
2992	netsh.exe
1488	netsh.exe
1964	netsh.exe

pid	process
2832	svchost.exe
2816	~tl105D.tmp
4136	svchost.exe
2760	~tl2D65.tmp

Drops file in Windows directory 7 IoCs

Processes:

~tl105D.tmpsvchost.exesvchost_dump_SCY - Copy.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	~tl105D.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl105D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5000 schtasks.exe
4684 schtasks.exe

pid	process
5000	schtasks.exe
4684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl105D.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl2D65.tmppowershell.exepowershell.exe

pid	process
2068	powershell.exe
3916	powershell.exe
3916	powershell.exe
2068	powershell.exe
2068	powershell.exe
3916	powershell.exe
4896	svchost_dump_SCY - Copy.exe
4896	svchost_dump_SCY - Copy.exe
4804	powershell.exe
4804	powershell.exe
4804	powershell.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
2816	~tl105D.tmp
2816	~tl105D.tmp
3392	powershell.exe
3392	powershell.exe
5024	powershell.exe
5024	powershell.exe
3392	powershell.exe
5024	powershell.exe
2816	~tl105D.tmp
2816	~tl105D.tmp
4136	svchost.exe
4136	svchost.exe
4456	powershell.exe
4456	powershell.exe
3332	powershell.exe
3332	powershell.exe
4456	powershell.exe
3332	powershell.exe
2760	~tl2D65.tmp
2760	~tl2D65.tmp
4556	powershell.exe
4556	powershell.exe
1120	powershell.exe
4556	powershell.exe
1120	powershell.exe
1120	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeIncreaseQuotaPrivilege	2068	powershell.exe
Token: SeSecurityPrivilege	2068	powershell.exe
Token: SeTakeOwnershipPrivilege	2068	powershell.exe
Token: SeLoadDriverPrivilege	2068	powershell.exe
Token: SeSystemProfilePrivilege	2068	powershell.exe
Token: SeSystemtimePrivilege	2068	powershell.exe
Token: SeProfSingleProcessPrivilege	2068	powershell.exe
Token: SeIncBasePriorityPrivilege	2068	powershell.exe
Token: SeCreatePagefilePrivilege	2068	powershell.exe
Token: SeBackupPrivilege	2068	powershell.exe
Token: SeRestorePrivilege	2068	powershell.exe
Token: SeShutdownPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeSystemEnvironmentPrivilege	2068	powershell.exe
Token: SeRemoteShutdownPrivilege	2068	powershell.exe
Token: SeUndockPrivilege	2068	powershell.exe
Token: SeManageVolumePrivilege	2068	powershell.exe
Token: 33	2068	powershell.exe
Token: 34	2068	powershell.exe
Token: 35	2068	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl105D.tmpsvchost.exe~tl2D65.tmp

description	pid	process	target process
PID 4896 wrote to memory of 3936	4896	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4896 wrote to memory of 3936	4896	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4896 wrote to memory of 1488	4896	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4896 wrote to memory of 1488	4896	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4896 wrote to memory of 2140	4896	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4896 wrote to memory of 2140	4896	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4896 wrote to memory of 2068	4896	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4896 wrote to memory of 2068	4896	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4896 wrote to memory of 3916	4896	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4896 wrote to memory of 3916	4896	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4896 wrote to memory of 4472	4896	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4896 wrote to memory of 4472	4896	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4896 wrote to memory of 5000	4896	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4896 wrote to memory of 5000	4896	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4896 wrote to memory of 2832	4896	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4896 wrote to memory of 2832	4896	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2832 wrote to memory of 4136	2832	svchost.exe	WMIC.exe
PID 2832 wrote to memory of 4136	2832	svchost.exe	WMIC.exe
PID 2832 wrote to memory of 2184	2832	svchost.exe	netsh.exe
PID 2832 wrote to memory of 2184	2832	svchost.exe	netsh.exe
PID 2832 wrote to memory of 1964	2832	svchost.exe	netsh.exe
PID 2832 wrote to memory of 1964	2832	svchost.exe	netsh.exe
PID 2832 wrote to memory of 4804	2832	svchost.exe	powershell.exe
PID 2832 wrote to memory of 4804	2832	svchost.exe	powershell.exe
PID 2832 wrote to memory of 1912	2832	svchost.exe	powershell.exe
PID 2832 wrote to memory of 1912	2832	svchost.exe	powershell.exe
PID 2832 wrote to memory of 2816	2832	svchost.exe	~tl105D.tmp
PID 2832 wrote to memory of 2816	2832	svchost.exe	~tl105D.tmp
PID 2816 wrote to memory of 2708	2816	~tl105D.tmp	netsh.exe
PID 2816 wrote to memory of 2708	2816	~tl105D.tmp	netsh.exe
PID 2816 wrote to memory of 1260	2816	~tl105D.tmp	netsh.exe
PID 2816 wrote to memory of 1260	2816	~tl105D.tmp	netsh.exe
PID 2816 wrote to memory of 2560	2816	~tl105D.tmp	netsh.exe
PID 2816 wrote to memory of 2560	2816	~tl105D.tmp	netsh.exe
PID 2816 wrote to memory of 3392	2816	~tl105D.tmp	powershell.exe
PID 2816 wrote to memory of 3392	2816	~tl105D.tmp	powershell.exe
PID 2816 wrote to memory of 5024	2816	~tl105D.tmp	powershell.exe
PID 2816 wrote to memory of 5024	2816	~tl105D.tmp	powershell.exe
PID 2816 wrote to memory of 4880	2816	~tl105D.tmp	schtasks.exe
PID 2816 wrote to memory of 4880	2816	~tl105D.tmp	schtasks.exe
PID 2816 wrote to memory of 4684	2816	~tl105D.tmp	schtasks.exe
PID 2816 wrote to memory of 4684	2816	~tl105D.tmp	schtasks.exe
PID 2816 wrote to memory of 4136	2816	~tl105D.tmp	svchost.exe
PID 2816 wrote to memory of 4136	2816	~tl105D.tmp	svchost.exe
PID 4136 wrote to memory of 732	4136	svchost.exe	netsh.exe
PID 4136 wrote to memory of 732	4136	svchost.exe	netsh.exe
PID 4136 wrote to memory of 1936	4136	svchost.exe	netsh.exe
PID 4136 wrote to memory of 1936	4136	svchost.exe	netsh.exe
PID 4136 wrote to memory of 2992	4136	svchost.exe	netsh.exe
PID 4136 wrote to memory of 2992	4136	svchost.exe	netsh.exe
PID 4136 wrote to memory of 4456	4136	svchost.exe	powershell.exe
PID 4136 wrote to memory of 4456	4136	svchost.exe	powershell.exe
PID 4136 wrote to memory of 3332	4136	svchost.exe	powershell.exe
PID 4136 wrote to memory of 3332	4136	svchost.exe	powershell.exe
PID 4136 wrote to memory of 2760	4136	svchost.exe	~tl2D65.tmp
PID 4136 wrote to memory of 2760	4136	svchost.exe	~tl2D65.tmp
PID 2760 wrote to memory of 4208	2760	~tl2D65.tmp	netsh.exe
PID 2760 wrote to memory of 4208	2760	~tl2D65.tmp	netsh.exe
PID 2760 wrote to memory of 2932	2760	~tl2D65.tmp	netsh.exe
PID 2760 wrote to memory of 2932	2760	~tl2D65.tmp	netsh.exe
PID 2760 wrote to memory of 672	2760	~tl2D65.tmp	netsh.exe
PID 2760 wrote to memory of 672	2760	~tl2D65.tmp	netsh.exe
PID 2760 wrote to memory of 4556	2760	~tl2D65.tmp	powershell.exe
PID 2760 wrote to memory of 4556	2760	~tl2D65.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1488

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:4472

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:5000

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:4136

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2184

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Users\Admin\AppData\Local\Temp\~tl105D.tmp
C:\Users\Admin\AppData\Local\Temp\~tl105D.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2708

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1260

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:4880

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:732

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1936

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3332

C:\Users\Admin\AppData\Local\Temp\~tl2D65.tmp
C:\Users\Admin\AppData\Local\Temp\~tl2D65.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:4208

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2932

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
024956586c8faf8d872636adf8bff04e

SHA1
9ee51bd1d2253ae20303028d65eeb0a3dc102a7f

SHA256
56f9184f696b5ac0c6cda71436a69e8985649f6152e98f7ac639bddf80d8d605

SHA512
33a8c2b24db9617ae7a4df15d77ebc9570e250f92fca37032f72690bad9c050c78cd8fee26ec3d50f4b9253b6cf5ff4e04960d6246e34323a29abf15f408f268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88fc22ce183b29b37a554d53cb1ea5a4

SHA1
1dfc5c1b04f49b26bcd8b2463e365866901abbc4

SHA256
58c00c44054b004cd52038cd416f4ad825feed65b43ee8d1eca7d90afc5f547c

SHA512
739810313a9776843b5a1c3c39548b57d7887404de910534d219d9a3c31bbc06182eb39fdce154c439d7f832e856c2c6388171402de257a48cd2bb1c4a687268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c3aedcf24461a57b84cb7c1cc13d8b3

SHA1
15b39a0107b95ce532e937d91297d7d83277a3d3

SHA256
b2cdcef87bab249515d0b028c24e1793fe19d53e70e64607a8a84083e0c79571

SHA512
56bbec5d90499df2e43210c59a63fae802dd05337b4ee1a24e396689fff0ecaec2751ffd7ef8fa8065bb975e420b2ca429fed3c96a866d273f7b947f86b475e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca5911ce6193b8d1c59c89fbd7656475

SHA1
bf3f527f23530593c355ee9a1f8ac3e1d8fcb2de

SHA256
f6ae1134ac837738a757696db3ad87899e1f6848568afadf9c80294977cbd19a

SHA512
e3803b2eb4b2da9a890a8770386368c68e33fab765b7a49fa1b697a9c76ce4cdef02c785ed76938f526784075a28431ca2a54c63f5c05ed2e115132469602bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d41e46927b2b72f21f36d5647607a0a

SHA1
6780dd639c711558af30136491676e1bcdf60852

SHA256
8f7138299a4a40dbf285413aaabffba9d8e1d7bcf94f1377f631e745b2f5d357

SHA512
254dfd76568cf41a8cd5502c8fd42ccd74e930bc87297e4b354b65c2e806b84c3cc3cd397c920038cb190d92b71efd30fbb7871843e819b5eaf228e51b2b85e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlz0cqpk.2u4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl105D.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl2D65.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.2MB

MD5
8fb11bb8db354661ae22c0e453a28c8b

SHA1
fe4034a22fef148491bf5f7a4540b2eba068658d

SHA256
21ef4d8192146e11609403d462ec540e0b4effc7198bb456c03272b384213a26

SHA512
137c02d6cd725f5493dc10cd2d4288de622bd6ba8386aef3bc79be3d99d109bcc75f93dad99007345d8a40dacbeefb9b75115df2ec0ed0fc3bf01d3a78d1e9f3

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
memory/1912-215-0x00007FF8D0A80000-0x00007FF8D146C000-memory.dmp

Filesize
9.9MB

Download
memory/1912-136-0x00007FF8D0A80000-0x00007FF8D146C000-memory.dmp

Filesize
9.9MB

Download
memory/1912-209-0x000001DAFE2A0000-0x000001DAFE2B0000-memory.dmp

Filesize
64KB

Download
memory/1912-179-0x000001DAFE2A0000-0x000001DAFE2B0000-memory.dmp

Filesize
64KB

Download
memory/1912-138-0x000001DAFE2A0000-0x000001DAFE2B0000-memory.dmp

Filesize
64KB

Download
memory/1912-139-0x000001DAFE2A0000-0x000001DAFE2B0000-memory.dmp

Filesize
64KB

Download
memory/2068-46-0x0000019240F70000-0x0000019240F80000-memory.dmp

Filesize
64KB

Download
memory/2068-106-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/2068-101-0x0000019240F70000-0x0000019240F80000-memory.dmp

Filesize
64KB

Download
memory/2068-13-0x0000019240F70000-0x0000019240F80000-memory.dmp

Filesize
64KB

Download
memory/2068-14-0x0000019240EC0000-0x0000019240EE2000-memory.dmp

Filesize
136KB

Download
memory/2068-8-0x0000019240F70000-0x0000019240F80000-memory.dmp

Filesize
64KB

Download
memory/2068-7-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-503-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2760-500-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2760-609-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2760-505-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2760-504-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2760-502-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2816-275-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2816-274-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2816-273-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2816-389-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2816-276-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2816-269-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2832-112-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2832-271-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2832-217-0x0000000036B60000-0x0000000037042000-memory.dmp

Filesize
4.9MB

Download
memory/2832-133-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3332-403-0x0000021E65160000-0x0000021E65170000-memory.dmp

Filesize
64KB

Download
memory/3332-402-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download
memory/3332-404-0x0000021E65160000-0x0000021E65170000-memory.dmp

Filesize
64KB

Download
memory/3332-446-0x0000021E65160000-0x0000021E65170000-memory.dmp

Filesize
64KB

Download
memory/3332-484-0x0000021E65160000-0x0000021E65170000-memory.dmp

Filesize
64KB

Download
memory/3332-491-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download
memory/3392-281-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download
memory/3392-374-0x000001939ABE0000-0x000001939ABF0000-memory.dmp

Filesize
64KB

Download
memory/3392-378-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download
memory/3392-282-0x000001939ABE0000-0x000001939ABF0000-memory.dmp

Filesize
64KB

Download
memory/3392-283-0x000001939ABE0000-0x000001939ABF0000-memory.dmp

Filesize
64KB

Download
memory/3392-316-0x000001939ABE0000-0x000001939ABF0000-memory.dmp

Filesize
64KB

Download
memory/3916-94-0x00000189E0600000-0x00000189E0610000-memory.dmp

Filesize
64KB

Download
memory/3916-98-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/3916-47-0x00000189E0600000-0x00000189E0610000-memory.dmp

Filesize
64KB

Download
memory/3916-20-0x00000189E07C0000-0x00000189E0836000-memory.dmp

Filesize
472KB

Download
memory/3916-15-0x00000189E0600000-0x00000189E0610000-memory.dmp

Filesize
64KB

Download
memory/3916-12-0x00000189E0600000-0x00000189E0610000-memory.dmp

Filesize
64KB

Download
memory/3916-11-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/4136-493-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4136-501-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4136-386-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4136-387-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4136-390-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4456-396-0x0000022958A00000-0x0000022958A10000-memory.dmp

Filesize
64KB

Download
memory/4456-485-0x0000022958A00000-0x0000022958A10000-memory.dmp

Filesize
64KB

Download
memory/4456-492-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download
memory/4456-430-0x0000022958A00000-0x0000022958A10000-memory.dmp

Filesize
64KB

Download
memory/4456-393-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download
memory/4556-512-0x000001AE4D9F0000-0x000001AE4DA00000-memory.dmp

Filesize
64KB

Download
memory/4556-511-0x000001AE4D9F0000-0x000001AE4DA00000-memory.dmp

Filesize
64KB

Download
memory/4556-509-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/4804-117-0x00007FF8D0A80000-0x00007FF8D146C000-memory.dmp

Filesize
9.9MB

Download
memory/4804-119-0x00000239E45C0000-0x00000239E45D0000-memory.dmp

Filesize
64KB

Download
memory/4804-216-0x00007FF8D0A80000-0x00007FF8D146C000-memory.dmp

Filesize
9.9MB

Download
memory/4804-197-0x00000239E45C0000-0x00000239E45D0000-memory.dmp

Filesize
64KB

Download
memory/4804-144-0x00000239E45C0000-0x00000239E45D0000-memory.dmp

Filesize
64KB

Download
memory/4804-120-0x00000239E45C0000-0x00000239E45D0000-memory.dmp

Filesize
64KB

Download
memory/4896-113-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4896-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4896-45-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/5024-368-0x000001D479420000-0x000001D479430000-memory.dmp

Filesize
64KB

Download
memory/5024-287-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download
memory/5024-292-0x000001D479420000-0x000001D479430000-memory.dmp

Filesize
64KB

Download
memory/5024-293-0x000001D479420000-0x000001D479430000-memory.dmp

Filesize
64KB

Download
memory/5024-338-0x000001D479420000-0x000001D479430000-memory.dmp

Filesize
64KB

Download
memory/5024-373-0x00007FF8D0CF0000-0x00007FF8D16DC000-memory.dmp

Filesize
9.9MB

Download