Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
12/04/2024, 13:32
240412-qtgfpsag84 812/04/2024, 13:32
240412-qtc4aaag83 812/04/2024, 13:32
240412-qtcshsag82 812/04/2024, 13:32
240412-qtb6zsag79 812/04/2024, 13:32
240412-qtbkfsdh4s 809/04/2024, 05:34
240409-f9mmjsbc9t 809/04/2024, 05:33
240409-f9bkaabc8w 809/04/2024, 05:33
240409-f86n2abc71 809/04/2024, 05:33
240409-f8wh3afh27 801/02/2024, 11:29
240201-nlq9tsebck 10Analysis
-
max time kernel
1799s -
max time network
1805s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12/04/2024, 13:32
Static task
static1
Behavioral task
behavioral1
Sample
svchost_dump_SCY - Copy.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
svchost_dump_SCY - Copy.exe
Resource
win10-20240319-en
Behavioral task
behavioral3
Sample
svchost_dump_SCY - Copy.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral4
Sample
svchost_dump_SCY - Copy.exe
Resource
win11-20240221-en
General
-
Target
svchost_dump_SCY - Copy.exe
-
Size
5.2MB
-
MD5
5fd3d21a968f4b8a1577b5405ab1c36a
-
SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
-
SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
-
SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
-
SSDEEP
98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures
-
Contacts a large (751) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 26 IoCs
pid Process 1332 netsh.exe 1824 netsh.exe 1804 netsh.exe 588 netsh.exe 476 netsh.exe 2448 netsh.exe 1284 netsh.exe 1868 netsh.exe 2588 netsh.exe 872 netsh.exe 1680 netsh.exe 2560 netsh.exe 1160 netsh.exe 1248 netsh.exe 1680 netsh.exe 2224 netsh.exe 2880 netsh.exe 2380 netsh.exe 816 netsh.exe 2200 netsh.exe 2584 netsh.exe 2188 netsh.exe 1108 netsh.exe 2896 netsh.exe 1104 netsh.exe 2600 netsh.exe -
Executes dropped EXE 12 IoCs
pid Process 2280 svchost.exe 3036 ~tlC1C9.tmp 1076 svchost.exe 2360 ~tl9BA3.tmp 2464 svchost.exe 2584 ~tlBE60.tmp 872 svchost.exe 2280 ~tlFE4C.tmp 908 svchost.exe 576 ~tl7253.tmp 2152 svchost.exe 2776 ~tlD22E.tmp -
Loads dropped DLL 20 IoCs
pid Process 2236 svchost_dump_SCY - Copy.exe 2236 svchost_dump_SCY - Copy.exe 2280 svchost.exe 2280 svchost.exe 3036 ~tlC1C9.tmp 3036 ~tlC1C9.tmp 1076 svchost.exe 1076 svchost.exe 2416 taskeng.exe 2464 svchost.exe 2464 svchost.exe 2300 taskeng.exe 872 svchost.exe 872 svchost.exe 2536 taskeng.exe 908 svchost.exe 908 svchost.exe 2000 taskeng.exe 2152 svchost.exe 2152 svchost.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat ~tlBE60.tmp File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\22GPQPYU.htm ~tlFE4C.tmp File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm ~tlBE60.tmp File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm ~tlFE4C.tmp File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm ~tl7253.tmp File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat ~tlD22E.tmp File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm ~tlD22E.tmp File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat ~tlFE4C.tmp File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat ~tl7253.tmp File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm ~tlD22E.tmp File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm svchost.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm ~tl7253.tmp File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\System\svchost.exe svchost_dump_SCY - Copy.exe File created C:\Windows\System\xxx1.bak ~tlC1C9.tmp File created C:\Windows\System\xxx1.bak svchost.exe File created C:\Windows\System\xxx1.bak svchost.exe File created C:\Windows\System\xxx1.bak svchost.exe File created C:\Windows\System\xxx1.bak svchost.exe File created C:\Windows\System\xxx1.bak svchost_dump_SCY - Copy.exe File opened for modification C:\Windows\System\svchost.exe svchost_dump_SCY - Copy.exe File created C:\Windows\System\xxx1.bak svchost.exe File opened for modification C:\Windows\System\svchost.exe ~tlC1C9.tmp File created C:\Windows\System\xxx1.bak svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1280 schtasks.exe 2064 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadNetworkName = "Network 2" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0" ~tl7253.tmp Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadNetworkName = "Network 2" ~tlD22E.tmp Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDetectedUrl ~tlBE60.tmp Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections ~tlFE4C.tmp Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDetectedUrl svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0" ~tlBE60.tmp Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings ~tlD22E.tmp Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ~tlFE4C.tmp Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = 9056160ae08cda01 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1 svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections ~tl7253.tmp Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings ~tlBE60.tmp Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionReason = "1" ~tl7253.tmp Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ~tlFE4C.tmp Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad ~tlD22E.tmp Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" ~tlD22E.tmp Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ~tlD22E.tmp Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30afb31adf8cda01 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852} svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1 ~tlFE4C.tmp Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ~tlBE60.tmp Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" ~tlD22E.tmp Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = f0fe3210e28cda01 ~tlD22E.tmp Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ~tl7253.tmp Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = b0e52b17e18cda01 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecision = "0" ~tlFE4C.tmp Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 ~tl9BA3.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 ~tl9BA3.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd ~tl9BA3.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd ~tl9BA3.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd ~tl9BA3.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A ~tl9BA3.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 ~tl9BA3.tmp -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2712 powershell.exe 2540 powershell.exe 2236 svchost_dump_SCY - Copy.exe 2708 powershell.exe 568 powershell.exe 3036 ~tlC1C9.tmp 1684 powershell.exe 2740 powershell.exe 3036 ~tlC1C9.tmp 1076 svchost.exe 1608 powershell.exe 2812 powershell.exe 2360 ~tl9BA3.tmp 1156 powershell.exe 804 powershell.exe 2464 svchost.exe 2512 powershell.exe 2696 powershell.exe 2584 ~tlBE60.tmp 1104 powershell.exe 2940 powershell.exe 872 svchost.exe 2580 powershell.exe 1712 powershell.exe 2280 ~tlFE4C.tmp 1304 powershell.exe 1320 powershell.exe 908 svchost.exe 2152 powershell.exe 1932 powershell.exe 576 ~tl7253.tmp 1908 powershell.exe 2636 powershell.exe 2152 svchost.exe 1320 powershell.exe 2412 powershell.exe 2776 ~tlD22E.tmp 2116 powershell.exe 2992 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1388 WMIC.exe Token: SeSecurityPrivilege 1388 WMIC.exe Token: SeTakeOwnershipPrivilege 1388 WMIC.exe Token: SeLoadDriverPrivilege 1388 WMIC.exe Token: SeSystemProfilePrivilege 1388 WMIC.exe Token: SeSystemtimePrivilege 1388 WMIC.exe Token: SeProfSingleProcessPrivilege 1388 WMIC.exe Token: SeIncBasePriorityPrivilege 1388 WMIC.exe Token: SeCreatePagefilePrivilege 1388 WMIC.exe Token: SeBackupPrivilege 1388 WMIC.exe Token: SeRestorePrivilege 1388 WMIC.exe Token: SeShutdownPrivilege 1388 WMIC.exe Token: SeDebugPrivilege 1388 WMIC.exe Token: SeSystemEnvironmentPrivilege 1388 WMIC.exe Token: SeRemoteShutdownPrivilege 1388 WMIC.exe Token: SeUndockPrivilege 1388 WMIC.exe Token: SeManageVolumePrivilege 1388 WMIC.exe Token: 33 1388 WMIC.exe Token: 34 1388 WMIC.exe Token: 35 1388 WMIC.exe Token: SeIncreaseQuotaPrivilege 1388 WMIC.exe Token: SeSecurityPrivilege 1388 WMIC.exe Token: SeTakeOwnershipPrivilege 1388 WMIC.exe Token: SeLoadDriverPrivilege 1388 WMIC.exe Token: SeSystemProfilePrivilege 1388 WMIC.exe Token: SeSystemtimePrivilege 1388 WMIC.exe Token: SeProfSingleProcessPrivilege 1388 WMIC.exe Token: SeIncBasePriorityPrivilege 1388 WMIC.exe Token: SeCreatePagefilePrivilege 1388 WMIC.exe Token: SeBackupPrivilege 1388 WMIC.exe Token: SeRestorePrivilege 1388 WMIC.exe Token: SeShutdownPrivilege 1388 WMIC.exe Token: SeDebugPrivilege 1388 WMIC.exe Token: SeSystemEnvironmentPrivilege 1388 WMIC.exe Token: SeRemoteShutdownPrivilege 1388 WMIC.exe Token: SeUndockPrivilege 1388 WMIC.exe Token: SeManageVolumePrivilege 1388 WMIC.exe Token: 33 1388 WMIC.exe Token: 34 1388 WMIC.exe Token: 35 1388 WMIC.exe Token: SeDebugPrivilege 2712 powershell.exe Token: SeDebugPrivilege 2540 powershell.exe Token: SeIncreaseQuotaPrivilege 924 WMIC.exe Token: SeSecurityPrivilege 924 WMIC.exe Token: SeTakeOwnershipPrivilege 924 WMIC.exe Token: SeLoadDriverPrivilege 924 WMIC.exe Token: SeSystemProfilePrivilege 924 WMIC.exe Token: SeSystemtimePrivilege 924 WMIC.exe Token: SeProfSingleProcessPrivilege 924 WMIC.exe Token: SeIncBasePriorityPrivilege 924 WMIC.exe Token: SeCreatePagefilePrivilege 924 WMIC.exe Token: SeBackupPrivilege 924 WMIC.exe Token: SeRestorePrivilege 924 WMIC.exe Token: SeShutdownPrivilege 924 WMIC.exe Token: SeDebugPrivilege 924 WMIC.exe Token: SeSystemEnvironmentPrivilege 924 WMIC.exe Token: SeRemoteShutdownPrivilege 924 WMIC.exe Token: SeUndockPrivilege 924 WMIC.exe Token: SeManageVolumePrivilege 924 WMIC.exe Token: 33 924 WMIC.exe Token: 34 924 WMIC.exe Token: 35 924 WMIC.exe Token: SeIncreaseQuotaPrivilege 924 WMIC.exe Token: SeSecurityPrivilege 924 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1388 2236 svchost_dump_SCY - Copy.exe 29 PID 2236 wrote to memory of 1388 2236 svchost_dump_SCY - Copy.exe 29 PID 2236 wrote to memory of 1388 2236 svchost_dump_SCY - Copy.exe 29 PID 2236 wrote to memory of 2588 2236 svchost_dump_SCY - Copy.exe 33 PID 2236 wrote to memory of 2588 2236 svchost_dump_SCY - Copy.exe 33 PID 2236 wrote to memory of 2588 2236 svchost_dump_SCY - Copy.exe 33 PID 2236 wrote to memory of 2600 2236 svchost_dump_SCY - Copy.exe 34 PID 2236 wrote to memory of 2600 2236 svchost_dump_SCY - Copy.exe 34 PID 2236 wrote to memory of 2600 2236 svchost_dump_SCY - Copy.exe 34 PID 2236 wrote to memory of 2540 2236 svchost_dump_SCY - Copy.exe 37 PID 2236 wrote to memory of 2540 2236 svchost_dump_SCY - Copy.exe 37 PID 2236 wrote to memory of 2540 2236 svchost_dump_SCY - Copy.exe 37 PID 2236 wrote to memory of 2712 2236 svchost_dump_SCY - Copy.exe 39 PID 2236 wrote to memory of 2712 2236 svchost_dump_SCY - Copy.exe 39 PID 2236 wrote to memory of 2712 2236 svchost_dump_SCY - Copy.exe 39 PID 2236 wrote to memory of 1284 2236 svchost_dump_SCY - Copy.exe 41 PID 2236 wrote to memory of 1284 2236 svchost_dump_SCY - Copy.exe 41 PID 2236 wrote to memory of 1284 2236 svchost_dump_SCY - Copy.exe 41 PID 2236 wrote to memory of 1280 2236 svchost_dump_SCY - Copy.exe 43 PID 2236 wrote to memory of 1280 2236 svchost_dump_SCY - Copy.exe 43 PID 2236 wrote to memory of 1280 2236 svchost_dump_SCY - Copy.exe 43 PID 2236 wrote to memory of 2280 2236 svchost_dump_SCY - Copy.exe 45 PID 2236 wrote to memory of 2280 2236 svchost_dump_SCY - Copy.exe 45 PID 2236 wrote to memory of 2280 2236 svchost_dump_SCY - Copy.exe 45 PID 2280 wrote to memory of 924 2280 svchost.exe 47 PID 2280 wrote to memory of 924 2280 svchost.exe 47 PID 2280 wrote to memory of 924 2280 svchost.exe 47 PID 2280 wrote to memory of 2560 2280 svchost.exe 49 PID 2280 wrote to memory of 2560 2280 svchost.exe 49 PID 2280 wrote to memory of 2560 2280 svchost.exe 49 PID 2280 wrote to memory of 1824 2280 svchost.exe 51 PID 2280 wrote to memory of 1824 2280 svchost.exe 51 PID 2280 wrote to memory of 1824 2280 svchost.exe 51 PID 2280 wrote to memory of 2708 2280 svchost.exe 53 PID 2280 wrote to memory of 2708 2280 svchost.exe 53 PID 2280 wrote to memory of 2708 2280 svchost.exe 53 PID 2280 wrote to memory of 568 2280 svchost.exe 55 PID 2280 wrote to memory of 568 2280 svchost.exe 55 PID 2280 wrote to memory of 568 2280 svchost.exe 55 PID 2280 wrote to memory of 3036 2280 svchost.exe 57 PID 2280 wrote to memory of 3036 2280 svchost.exe 57 PID 2280 wrote to memory of 3036 2280 svchost.exe 57 PID 3036 wrote to memory of 2888 3036 ~tlC1C9.tmp 59 PID 3036 wrote to memory of 2888 3036 ~tlC1C9.tmp 59 PID 3036 wrote to memory of 2888 3036 ~tlC1C9.tmp 59 PID 3036 wrote to memory of 476 3036 ~tlC1C9.tmp 61 PID 3036 wrote to memory of 476 3036 ~tlC1C9.tmp 61 PID 3036 wrote to memory of 476 3036 ~tlC1C9.tmp 61 PID 3036 wrote to memory of 1332 3036 ~tlC1C9.tmp 63 PID 3036 wrote to memory of 1332 3036 ~tlC1C9.tmp 63 PID 3036 wrote to memory of 1332 3036 ~tlC1C9.tmp 63 PID 3036 wrote to memory of 1684 3036 ~tlC1C9.tmp 65 PID 3036 wrote to memory of 1684 3036 ~tlC1C9.tmp 65 PID 3036 wrote to memory of 1684 3036 ~tlC1C9.tmp 65 PID 3036 wrote to memory of 2740 3036 ~tlC1C9.tmp 67 PID 3036 wrote to memory of 2740 3036 ~tlC1C9.tmp 67 PID 3036 wrote to memory of 2740 3036 ~tlC1C9.tmp 67 PID 3036 wrote to memory of 240 3036 ~tlC1C9.tmp 69 PID 3036 wrote to memory of 240 3036 ~tlC1C9.tmp 69 PID 3036 wrote to memory of 240 3036 ~tlC1C9.tmp 69 PID 3036 wrote to memory of 2064 3036 ~tlC1C9.tmp 71 PID 3036 wrote to memory of 2064 3036 ~tlC1C9.tmp 71 PID 3036 wrote to memory of 2064 3036 ~tlC1C9.tmp 71 PID 3036 wrote to memory of 1076 3036 ~tlC1C9.tmp 73 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
PID:2588
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"2⤵PID:1284
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
PID:1280
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName3⤵
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:2560
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:1824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
PID:568
-
-
C:\Users\Admin\AppData\Local\Temp\~tlC1C9.tmpC:\Users\Admin\AppData\Local\Temp\~tlC1C9.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵PID:2888
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:476
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:1332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"4⤵PID:240
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM4⤵
- Creates scheduled task(s)
PID:2064
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1076 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645115⤵PID:920
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:872
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\~tl9BA3.tmpC:\Users\Admin\AppData\Local\Temp\~tl9BA3.tmp5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2360 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645116⤵PID:3016
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:2584
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:2448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \6⤵
- Suspicious behavior: EnumeratesProcesses
PID:804
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {AD15272E-6E1A-4545-AB30-D3989F5483DF} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:2416 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2464 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645113⤵
- Modifies data under HKEY_USERS
PID:2424
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2188
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
-
C:\Windows\TEMP\~tlBE60.tmpC:\Windows\TEMP\~tlBE60.tmp3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2584 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
- Modifies data under HKEY_USERS
PID:2236
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1160
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2940
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {3FC433BE-E3A2-4A71-9592-1954BB8E66ED} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:2300 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:872 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645113⤵
- Modifies data under HKEY_USERS
PID:1956
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:2880
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1712
-
-
C:\Windows\TEMP\~tlFE4C.tmpC:\Windows\TEMP\~tlFE4C.tmp3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2280 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵PID:1904
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1680
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1320
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {AD4F6672-7E36-4150-A13F-28596210849F} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:2536 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:908 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645113⤵
- Modifies data under HKEY_USERS
PID:2556
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:2380
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:1108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1932
-
-
C:\Windows\TEMP\~tl7253.tmpC:\Windows\TEMP\~tl7253.tmp3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:576 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
- Modifies data under HKEY_USERS
PID:1740
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1804
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2636
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F9F77FBB-1F56-41CD-A5AB-32F48D5D2EBD} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:2000 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2152 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645113⤵PID:1600
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:1680
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2412
-
-
C:\Windows\TEMP\~tlD22E.tmpC:\Windows\TEMP\~tlD22E.tmp3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2776 -
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
- Modifies data under HKEY_USERS
PID:2432
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1284
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2116
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD574c66ff2cfbd8288b3d63ef66b1f2b64
SHA15a7582a161702f99acdacfc8778f9128eae2716c
SHA2563bde6edd107d3a0508fbba0fcd09c81d625c32c72acd3060711889a2aa1813fb
SHA51233f773b790dc983878dac29bd8dc869f4050f020a6f91c78280c2af0bc8c55d67e2786494fe201b2acc8cf03ea373bb222e01edecdb58d3148efaefffd5992c1
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5b9558663828db83485b5a606bb1f1ab6
SHA1e9728a743bd4e198ef8d020d3bd970418f4cfd65
SHA25699154d0622c447046ba34ead9292063f0fec1d662b949ef2c3716b5cb026ae73
SHA512eaf765fe740d46d38b06660742ac62163a815866b1587ad1d0790d036490cc3157b771deca1ec098f5d5e89ada8627426b6a584bcf41b5434c30b52ac6b23808
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD57f43d9fdf9552e9140c3fc7203b6ffc4
SHA143f556d949924debaec5cdab3d92ad5d3f724041
SHA256845ee194936e30619c0113feff831e859afedee404a1c6272422e0c126e06f40
SHA5124252cb097865f68f1b28859aa74b6015d95d193a8d2a1cf34fc2ad5b4826d78061d28de697edbe2a84f4d30602d8bcb9ad4334ffdc4aeb510a30afb8ae518013
-
Filesize
2.7MB
MD527acfbf94480631e547b5cb508d9d4fb
SHA1f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c
SHA2560fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e
SHA512902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929
-
Filesize
9.8MB
MD537502b9a9fe5b4558f745129ca5bb5a1
SHA145cb79551d1176e3a94ea5a71c2ddb0a29ad699c
SHA256979084ea4af12b4ee8c899a0ab76869154bc8fb60d09598c3bde21c2c65d742d
SHA5123d4daff15c1a2dcf28daa68270965ec5e21687dfc072881027f377e5dea701f6ba2ce32e67fc21175a4a4bf96acc0f26dd4d0b3c4ee4b160a0f78b58fd058fa7
-
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg
Filesize393KB
MD572e28e2092a43e0d70289f62bec20e65
SHA1944f2b81392ee946f4767376882c5c1bda6dddb5
SHA2566ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f
SHA51231c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466
-
Filesize
393KB
MD59dbdd43a2e0b032604943c252eaf634a
SHA19584dc66f3c1cce4210fdf827a1b4e2bb22263af
SHA25633c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86
SHA512b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1
-
Filesize
385KB
MD5e802c96760e48c5139995ffb2d891f90
SHA1bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA51297300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
Filesize
5.2MB
MD55fd3d21a968f4b8a1577b5405ab1c36a
SHA1710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA2567ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f