7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1787s
max time network
1812s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 12 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4288	netsh.exe
716	netsh.exe
2560	netsh.exe
5020	netsh.exe
3348	netsh.exe
776	netsh.exe
2264	netsh.exe
2888	netsh.exe
556	netsh.exe
1096	netsh.exe
2840	netsh.exe
4764	netsh.exe

Executes dropped EXE 9 IoCs

Processes:

svchost.exe~tl3692.tmpsvchost.exe~tl28ED.tmpsvchost.exe~tl3DFA.tmpsvchost.exe~tl4177.tmpsvchost.exe

pid process

3304 svchost.exe
3460 ~tl3692.tmp
4328 svchost.exe
4784 ~tl28ED.tmp
4156 svchost.exe
4764 ~tl3DFA.tmp
3644 svchost.exe
4472 ~tl4177.tmp
2116 svchost.exe

pid	process
3304	svchost.exe
3460	~tl3692.tmp
4328	svchost.exe
4784	~tl28ED.tmp
4156	svchost.exe
4764	~tl3DFA.tmp
3644	svchost.exe
4472	~tl4177.tmp
2116	svchost.exe

Drops file in System32 directory 27 IoCs

Processes:

svchost.exepowershell.exepowershell.exesvchost.exepowershell.exesvchost.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.tmp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new.tmp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new	svchost.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4012 schtasks.exe

pid	process
4012	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exesvchost.exepowershell.exepowershell.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1464	powershell.exe
2904	powershell.exe
2904	powershell.exe
1464	powershell.exe
1584	svchost_dump_SCY - Copy.exe
1584	svchost_dump_SCY - Copy.exe
4448	powershell.exe
4448	powershell.exe
4748	powershell.exe
4748	powershell.exe
3852	powershell.exe
2808	powershell.exe
2808	powershell.exe
3852	powershell.exe
3696	powershell.exe
1440	powershell.exe
1440	powershell.exe
3696	powershell.exe
3456	powershell.exe
2956	powershell.exe
3456	powershell.exe
2956	powershell.exe
2268	powershell.exe
3040	powershell.exe
3040	powershell.exe
2268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	496	WMIC.exe
Token: SeSecurityPrivilege	496	WMIC.exe
Token: SeTakeOwnershipPrivilege	496	WMIC.exe
Token: SeLoadDriverPrivilege	496	WMIC.exe
Token: SeSystemProfilePrivilege	496	WMIC.exe
Token: SeSystemtimePrivilege	496	WMIC.exe
Token: SeProfSingleProcessPrivilege	496	WMIC.exe
Token: SeIncBasePriorityPrivilege	496	WMIC.exe
Token: SeCreatePagefilePrivilege	496	WMIC.exe
Token: SeBackupPrivilege	496	WMIC.exe
Token: SeRestorePrivilege	496	WMIC.exe
Token: SeShutdownPrivilege	496	WMIC.exe
Token: SeDebugPrivilege	496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	496	WMIC.exe
Token: SeRemoteShutdownPrivilege	496	WMIC.exe
Token: SeUndockPrivilege	496	WMIC.exe
Token: SeManageVolumePrivilege	496	WMIC.exe
Token: 33	496	WMIC.exe
Token: 34	496	WMIC.exe
Token: 35	496	WMIC.exe
Token: 36	496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	496	WMIC.exe
Token: SeSecurityPrivilege	496	WMIC.exe
Token: SeTakeOwnershipPrivilege	496	WMIC.exe
Token: SeLoadDriverPrivilege	496	WMIC.exe
Token: SeSystemProfilePrivilege	496	WMIC.exe
Token: SeSystemtimePrivilege	496	WMIC.exe
Token: SeProfSingleProcessPrivilege	496	WMIC.exe
Token: SeIncBasePriorityPrivilege	496	WMIC.exe
Token: SeCreatePagefilePrivilege	496	WMIC.exe
Token: SeBackupPrivilege	496	WMIC.exe
Token: SeRestorePrivilege	496	WMIC.exe
Token: SeShutdownPrivilege	496	WMIC.exe
Token: SeDebugPrivilege	496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	496	WMIC.exe
Token: SeRemoteShutdownPrivilege	496	WMIC.exe
Token: SeUndockPrivilege	496	WMIC.exe
Token: SeManageVolumePrivilege	496	WMIC.exe
Token: 33	496	WMIC.exe
Token: 34	496	WMIC.exe
Token: 35	496	WMIC.exe
Token: 36	496	WMIC.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1584 wrote to memory of 496	1584	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1584 wrote to memory of 496	1584	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 1584 wrote to memory of 2840	1584	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1584 wrote to memory of 2840	1584	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1584 wrote to memory of 4764	1584	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1584 wrote to memory of 4764	1584	svchost_dump_SCY - Copy.exe	netsh.exe
PID 1584 wrote to memory of 1464	1584	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1584 wrote to memory of 1464	1584	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1584 wrote to memory of 2904	1584	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1584 wrote to memory of 2904	1584	svchost_dump_SCY - Copy.exe	powershell.exe
PID 1584 wrote to memory of 1304	1584	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1584 wrote to memory of 1304	1584	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1584 wrote to memory of 4012	1584	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1584 wrote to memory of 4012	1584	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 1584 wrote to memory of 3304	1584	svchost_dump_SCY - Copy.exe	svchost.exe
PID 1584 wrote to memory of 3304	1584	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3304 wrote to memory of 2356	3304	svchost.exe	WMIC.exe
PID 3304 wrote to memory of 2356	3304	svchost.exe	WMIC.exe
PID 3304 wrote to memory of 3348	3304	svchost.exe	netsh.exe
PID 3304 wrote to memory of 3348	3304	svchost.exe	netsh.exe
PID 3304 wrote to memory of 776	3304	svchost.exe	netsh.exe
PID 3304 wrote to memory of 776	3304	svchost.exe	netsh.exe
PID 3304 wrote to memory of 4448	3304	svchost.exe	powershell.exe
PID 3304 wrote to memory of 4448	3304	svchost.exe	powershell.exe
PID 3304 wrote to memory of 4748	3304	svchost.exe	powershell.exe
PID 3304 wrote to memory of 4748	3304	svchost.exe	powershell.exe
PID 3304 wrote to memory of 3460	3304	svchost.exe	~tl3692.tmp
PID 3304 wrote to memory of 3460	3304	svchost.exe	~tl3692.tmp
PID 4328 wrote to memory of 2864	4328	svchost.exe	WMIC.exe
PID 4328 wrote to memory of 2864	4328	svchost.exe	WMIC.exe
PID 4328 wrote to memory of 2264	4328	svchost.exe	netsh.exe
PID 4328 wrote to memory of 2264	4328	svchost.exe	netsh.exe
PID 4328 wrote to memory of 2888	4328	svchost.exe	netsh.exe
PID 4328 wrote to memory of 2888	4328	svchost.exe	netsh.exe
PID 4328 wrote to memory of 3852	4328	svchost.exe	powershell.exe
PID 4328 wrote to memory of 3852	4328	svchost.exe	powershell.exe
PID 4328 wrote to memory of 2808	4328	svchost.exe	powershell.exe
PID 4328 wrote to memory of 2808	4328	svchost.exe	powershell.exe
PID 4328 wrote to memory of 4784	4328	svchost.exe	~tl28ED.tmp
PID 4328 wrote to memory of 4784	4328	svchost.exe	~tl28ED.tmp
PID 4156 wrote to memory of 2312	4156	svchost.exe	WMIC.exe
PID 4156 wrote to memory of 2312	4156	svchost.exe	WMIC.exe
PID 4156 wrote to memory of 4288	4156	svchost.exe	netsh.exe
PID 4156 wrote to memory of 4288	4156	svchost.exe	netsh.exe
PID 4156 wrote to memory of 556	4156	svchost.exe	netsh.exe
PID 4156 wrote to memory of 556	4156	svchost.exe	netsh.exe
PID 4156 wrote to memory of 3696	4156	svchost.exe	powershell.exe
PID 4156 wrote to memory of 3696	4156	svchost.exe	powershell.exe
PID 4156 wrote to memory of 1440	4156	svchost.exe	powershell.exe
PID 4156 wrote to memory of 1440	4156	svchost.exe	powershell.exe
PID 4156 wrote to memory of 4764	4156	svchost.exe	~tl3DFA.tmp
PID 4156 wrote to memory of 4764	4156	svchost.exe	~tl3DFA.tmp
PID 3644 wrote to memory of 4620	3644	svchost.exe	WMIC.exe
PID 3644 wrote to memory of 4620	3644	svchost.exe	WMIC.exe
PID 3644 wrote to memory of 716	3644	svchost.exe	netsh.exe
PID 3644 wrote to memory of 716	3644	svchost.exe	netsh.exe
PID 3644 wrote to memory of 2560	3644	svchost.exe	netsh.exe
PID 3644 wrote to memory of 2560	3644	svchost.exe	netsh.exe
PID 3644 wrote to memory of 3456	3644	svchost.exe	powershell.exe
PID 3644 wrote to memory of 3456	3644	svchost.exe	powershell.exe
PID 3644 wrote to memory of 2956	3644	svchost.exe	powershell.exe
PID 3644 wrote to memory of 2956	3644	svchost.exe	powershell.exe
PID 3644 wrote to memory of 4472	3644	svchost.exe	~tl4177.tmp
PID 3644 wrote to memory of 4472	3644	svchost.exe	~tl4177.tmp

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2840

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1304

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3348

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Users\Admin\AppData\Local\Temp\~tl3692.tmp
C:\Users\Admin\AppData\Local\Temp\~tl3692.tmp
3⤵
- Executes dropped EXE
PID:3460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:2864

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2264

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Windows\TEMP\~tl28ED.tmp
C:\Windows\TEMP\~tl28ED.tmp
2⤵
- Executes dropped EXE
PID:4784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:2312

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4288

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Windows\TEMP\~tl3DFA.tmp
C:\Windows\TEMP\~tl3DFA.tmp
2⤵
- Executes dropped EXE
PID:4764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:4620

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:716

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Windows\TEMP\~tl4177.tmp
C:\Windows\TEMP\~tl4177.tmp
2⤵
- Executes dropped EXE
PID:4472

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2116

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:3944

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:5020

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7951407c59243a33ae4079a8420fc388

SHA1
82192722664debf25bc70f62433dd1102bd17a1c

SHA256
5d1243869897d9215d1066153bfbfb7d1b05993260f9d4fcd85b27ed08c705b8

SHA512
bfb31076d4b83100bfdd71052da62db3118746ce062882525ed9747e57e077cf57533039f20688c98ba31145012fa7f910013f967241764552db4be67e04376f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jo2tmig.o2z.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl3692.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
10.4MB

MD5
7863e5b3f4abca5fa9e8d2d4ffee5634

SHA1
9b4e3f4561a4f44ec8b62b2f69f3852bb131d137

SHA256
48ebd6345baa1393d4191bf1a7910959e7234e4857df7821c674904b83a904ce

SHA512
ea3db1f97e9bb148634558f08d7dd05a7d58d336aeefc08c0316363367754f94507ece03f79fb9946481ca77f18140738353378c173ab4aaaf181a1e65330d50

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
Filesize
20KB

MD5
e33f68091400286604f00c5cd424e5b9

SHA1
e7ca003296a5f632ab2363d217e44b21bd1fd0c1

SHA256
48637ad1185fe2885ae6fe98b2792943938522f31035d8284e677feaffb2f3dd

SHA512
a3fa3bca3884432e0a38494ded0addf2b53a62d0595df32da460c7157e18655b7c674963f1c83005c3749f49de821f4593c8a7687aa15a795175ae21f688748b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs
Filesize
20.3MB

MD5
e45f5b6aeaf107da5b291d996f509505

SHA1
d21123755c39487bbad7ff0521c59951316d78ef

SHA256
ebdfb0c948f4e3fc5a59f15305de8782f5df919201dd8e29e8494e1af7aebe9b

SHA512
03cf7ce0a7abc83222efdc1d923672cc4a473018a845d3cca0e51b0c0c11536740d71804c58eb0c66c34057c615cf25d7828a45c14c8cd7d0e23acb1c147af79

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
Filesize
6.6MB

MD5
84c13d59d2554f7c2ab352ff86506f35

SHA1
b284e1e7e5052df0303faeca741d99b6e8aaba95

SHA256
4dedeff319459c36b4f4c76bee3c40b2fbe6eab92bcd77ae9cb154724d49e5d3

SHA512
58b48dab3fdc847c180cd05d7425a6ed8b818317dca739dd8bbc5aba8adeb18888a4094c02f6bb2948982b222a4a3a32d93401ed4f18a3ad76d2bed8330c19dc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
Filesize
20.3MB

MD5
49ddf49211bcf174ff59eb355e48ad2c

SHA1
a02228327ea63c74266e6069a6cd13ae13231546

SHA256
b7ec0a1ca69ae3769d8bd37e8c348d9028de61b9a85c55b17ce7cfbb61a15464

SHA512
cdff460b81f7dafa039cd2b1643744c40907dcc238d8ed221d34162bb3a9a914e4af3663a3286249a8f96a08028e6f6e6a1bb35ac3dc2a831db42d0ce59170c0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state
Filesize
3KB

MD5
7c26faf6ee57e3f22fab3ad288792499

SHA1
eb0fe9c6a4610497ed1053c25a6c65aa53b33966

SHA256
e22627de99b4e7884e0ed3c3fdfff4b8b3463018e238012dace3ca9b6ca9a7e9

SHA512
1f181fce8145c3c12135661b8cb06b7ab6f88837b7475609ce400c2ebdc810852e2fb6d464361816b696b6a8cd776a47e0c13ddfb6f0d6fa10683b45e26d124c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state
Filesize
4KB

MD5
39334023f1da28a38e57b8862554949b

SHA1
7959cf3aa6d51dc8b18dcc6fdcd88f789eca5852

SHA256
52645e74d093a64d4138d11bd10f83f6d5ff8a894cfa1843a71cd5f9328bd854

SHA512
5f29f4010f6ee95e0e8f0dde82f3e214700fa15161224ef4eeb7883debe3d308c66506310fbe61a2cdafd00712fbb82fbbad290ca9b517ef96c98d3791e19865

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state
Filesize
4KB

MD5
bb93b84843af3eb2c1d6ab30a5c5d7a6

SHA1
5e5e8a3fceab9f476c6d69f7eb46449903735042

SHA256
d8e05234e18d1d20c80cb6000bcd978aaa93b6d91f6ceaf9b381a13ccf0d58e0

SHA512
b125da15cb860bacd8b48c828a830d148bd577e989d9fb83a5cbda838f2507918d10cca36eebb50b917837ff235c301e67724ed44194716b92219050b38fd242

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
476B

MD5
2cf137540331c80e66bb0733d1ba412a

SHA1
74bc30b33031d86ccc9e8f984e396b7573395a91

SHA256
1f137593922ab51c4601f66eb74fef9e9b6c7eba76093510db67ca380fa380ce

SHA512
67059e9a8510077ea82a279e1279c6e2a5e0ae272145a8a3a5088f2ee602d7e8569ffaf48f5ee8f67da65e4720238a1f7da11a66891db60a36cb9e136af4b1c5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
400B

MD5
9632e8e979a0262defedb3fbdb752106

SHA1
81a50dd844b9655fa7ab75c82dffc533b1a241e6

SHA256
d4031cc14898274fbd93101d28fce0c77185227bec05b72f3cbe49b3b433b69c

SHA512
4323daf53036bff8f0af9700b43bae6bd4541cd71a2c879a4871ba6ea275d53e56562d3a56000f772037bb2f36acff43fa7bc83140179fec2823274674923e76

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
44cd3bdddcf4cc6f31d28fad9ebd65cd

SHA1
4f1407030fd9968fceaa66f3b5a2779b8786c530

SHA256
f62325c028d833ef12ab8cf80a4e03204ae312b7294c62b4c15ec357981ae049

SHA512
807a0d6b56dd046c24ea32756fa0cf4ace77e4e659c2689cd008df5eac949491fa2d318b90e553c2b9a6e6073ecf6fed5d93f64d30fc7f1faedda0ed7ded5690

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0e04f17e0586d37630e4c2c43932952d

SHA1
d3cc9ba1aef4ba45a83bdc765b83d9709b3bf7ac

SHA256
001c5c5c738349bee99e2c22ecf5175a82681bb6eac13505fc23e916efc852b8

SHA512
c403d96cc6e549285a2f33bb335eb986a8c4568416eced0b3991a8df8aa2a21befb1af2e69bbdcb367855ce7bec319e7ecb2bf487639d092d2b99add222e7590

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
61b2c3c021c9128f25108a3a764034db

SHA1
7a9857b26ae1146f2cf3658ad0023fc60e5f84ce

SHA256
971cb1263e0e44f25c2a448adc333332b84d03d0bf95a5c26fea08236f7d7f73

SHA512
65c91f2f85758760a071235df7a5f63e8a5e7c51413b4167eca7e2f1578f58d40fb42b32fb8feb005d40b0736730c55df0cfe189333b979d82d345a96895fbb4

Download Submit
memory/1440-276-0x00007FF4FD1E0000-0x00007FF4FD1F0000-memory.dmp

Filesize
64KB

Download
memory/1440-275-0x0000022A6D1B0000-0x0000022A6D263000-memory.dmp

Filesize
716KB

Download
memory/1440-264-0x0000022A54840000-0x0000022A54850000-memory.dmp

Filesize
64KB

Download
memory/1440-286-0x0000022A54840000-0x0000022A54850000-memory.dmp

Filesize
64KB

Download
memory/1440-266-0x0000022A54840000-0x0000022A54850000-memory.dmp

Filesize
64KB

Download
memory/1440-263-0x00007FFAE6DF0000-0x00007FFAE78B2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-265-0x0000022A54840000-0x0000022A54850000-memory.dmp

Filesize
64KB

Download
memory/1464-33-0x00007FFAE66E0000-0x00007FFAE71A2000-memory.dmp

Filesize
10.8MB

Download
memory/1464-29-0x0000012C20510000-0x0000012C20520000-memory.dmp

Filesize
64KB

Download
memory/1464-19-0x0000012C20510000-0x0000012C20520000-memory.dmp

Filesize
64KB

Download
memory/1464-10-0x00007FFAE66E0000-0x00007FFAE71A2000-memory.dmp

Filesize
10.8MB

Download
memory/1464-23-0x0000012C20510000-0x0000012C20520000-memory.dmp

Filesize
64KB

Download
memory/1464-6-0x0000012C20460000-0x0000012C20482000-memory.dmp

Filesize
136KB

Download
memory/1584-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1584-25-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1584-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2808-133-0x00007FFAE6DF0000-0x00007FFAE78B2000-memory.dmp

Filesize
10.8MB

Download
memory/2808-175-0x000002EAE4780000-0x000002EAE478A000-memory.dmp

Filesize
40KB

Download
memory/2808-179-0x000002EAE47D0000-0x000002EAE47DA000-memory.dmp

Filesize
40KB

Download
memory/2808-180-0x000002EAE40A0000-0x000002EAE40B0000-memory.dmp

Filesize
64KB

Download
memory/2808-134-0x000002EAE40A0000-0x000002EAE40B0000-memory.dmp

Filesize
64KB

Download
memory/2808-177-0x000002EAE4790000-0x000002EAE4798000-memory.dmp

Filesize
32KB

Download
memory/2808-152-0x000002EAE40A0000-0x000002EAE40B0000-memory.dmp

Filesize
64KB

Download
memory/2808-161-0x000002EAE4450000-0x000002EAE446C000-memory.dmp

Filesize
112KB

Download
memory/2808-162-0x000002EAE4470000-0x000002EAE4523000-memory.dmp

Filesize
716KB

Download
memory/2808-171-0x000002EAE41D0000-0x000002EAE41DA000-memory.dmp

Filesize
40KB

Download
memory/2808-172-0x00007FF3FF240000-0x00007FF3FF250000-memory.dmp

Filesize
64KB

Download
memory/2808-188-0x00007FFAE6DF0000-0x00007FFAE78B2000-memory.dmp

Filesize
10.8MB

Download
memory/2904-20-0x00007FFAE66E0000-0x00007FFAE71A2000-memory.dmp

Filesize
10.8MB

Download
memory/2904-24-0x0000022335BF0000-0x0000022335C00000-memory.dmp

Filesize
64KB

Download
memory/2904-22-0x0000022335BF0000-0x0000022335C00000-memory.dmp

Filesize
64KB

Download
memory/2904-28-0x00007FFAE66E0000-0x00007FFAE71A2000-memory.dmp

Filesize
10.8MB

Download
memory/2904-21-0x0000022335BF0000-0x0000022335C00000-memory.dmp

Filesize
64KB

Download
memory/3304-127-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3304-42-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3304-44-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3304-76-0x00000000368E0000-0x0000000036DC2000-memory.dmp

Filesize
4.9MB

Download
memory/3460-128-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3460-125-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3696-245-0x0000027BACAE0000-0x0000027BACAF0000-memory.dmp

Filesize
64KB

Download
memory/3696-244-0x00007FFAE6DF0000-0x00007FFAE78B2000-memory.dmp

Filesize
10.8MB

Download
memory/3696-281-0x00007FF4B6B80000-0x00007FF4B6B90000-memory.dmp

Filesize
64KB

Download
memory/3852-174-0x000002A46B540000-0x000002A46B55C000-memory.dmp

Filesize
112KB

Download
memory/3852-131-0x00007FFAE6DF0000-0x00007FFAE78B2000-memory.dmp

Filesize
10.8MB

Download
memory/3852-132-0x000002A46AFC0000-0x000002A46AFD0000-memory.dmp

Filesize
64KB

Download
memory/3852-189-0x00007FFAE6DF0000-0x00007FFAE78B2000-memory.dmp

Filesize
10.8MB

Download
memory/3852-173-0x00007FF49BFE0000-0x00007FF49BFF0000-memory.dmp

Filesize
64KB

Download
memory/3852-178-0x000002A46B560000-0x000002A46B566000-memory.dmp

Filesize
24KB

Download
memory/3852-176-0x000002A46B580000-0x000002A46B59A000-memory.dmp

Filesize
104KB

Download
memory/3852-184-0x000002A46AFC0000-0x000002A46AFD0000-memory.dmp

Filesize
64KB

Download
memory/3852-183-0x00007FFAE6DF0000-0x00007FFAE78B2000-memory.dmp

Filesize
10.8MB

Download
memory/4156-243-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4156-293-0x000000002BCA0000-0x000000002C182000-memory.dmp

Filesize
4.9MB

Download
memory/4328-190-0x000000003A380000-0x000000003A862000-memory.dmp

Filesize
4.9MB

Download
memory/4328-151-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4328-130-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4328-241-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4448-57-0x000002303FC90000-0x000002303FCA0000-memory.dmp

Filesize
64KB

Download
memory/4448-71-0x00007FFAE6890000-0x00007FFAE7352000-memory.dmp

Filesize
10.8MB

Download
memory/4448-69-0x000002303FC90000-0x000002303FCA0000-memory.dmp

Filesize
64KB

Download
memory/4448-47-0x000002303FC90000-0x000002303FCA0000-memory.dmp

Filesize
64KB

Download
memory/4448-46-0x000002303FC90000-0x000002303FCA0000-memory.dmp

Filesize
64KB

Download
memory/4448-45-0x00007FFAE6890000-0x00007FFAE7352000-memory.dmp

Filesize
10.8MB

Download
memory/4748-72-0x0000017DBED10000-0x0000017DBED20000-memory.dmp

Filesize
64KB

Download
memory/4748-60-0x00007FFAE6890000-0x00007FFAE7352000-memory.dmp

Filesize
10.8MB

Download
memory/4748-59-0x0000017DBED10000-0x0000017DBED20000-memory.dmp

Filesize
64KB

Download
memory/4748-58-0x0000017DBED10000-0x0000017DBED20000-memory.dmp

Filesize
64KB

Download
memory/4748-75-0x00007FFAE6890000-0x00007FFAE7352000-memory.dmp

Filesize
10.8MB

Download