Resubmissions

Submitted           ID                  Score
12-04-2024 13:32    240412-qtgfpsag84   8
12-04-2024 13:32    240412-qtc4aaag83   8
12-04-2024 13:32    240412-qtcshsag82   8
12-04-2024 13:32    240412-qtb6zsag79   8
12-04-2024 13:32    240412-qtbkfsdh4s   8
09-04-2024 05:34    240409-f9mmjsbc9t   8
09-04-2024 05:33    240409-f9bkaabc8w   8
09-04-2024 05:33    240409-f86n2abc71   8
09-04-2024 05:33    240409-f8wh3afh27   8
01-02-2024 11:29    240201-nlq9tsebck   10

Analysis

max time kernel: 1199s
max time network: 1200s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 12-04-2024 13:32
Static task: static1

Behavioral task: behavioral1
  Sample: svchost_dump_SCY - Copy.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: svchost_dump_SCY - Copy.exe
  Resource: win10-20240404-en

Behavioral task: behavioral3
  Sample: svchost_dump_SCY - Copy.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral4
  Sample: svchost_dump_SCY - Copy.exe
  Resource: win11-20240221-en
General

Target: svchost_dump_SCY - Copy.exe
Size: 5.2MB
MD5: 5fd3d21a968f4b8a1577b5405ab1c36a
SHA1: 710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256: 7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512: 085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP: 98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs
Processes:
pid   process
2472  netsh.exe
2712  netsh.exe
696   netsh.exe
2480  netsh.exe
1704  netsh.exe
2104  netsh.exe
2440  netsh.exe
1056  netsh.exe
2308  netsh.exe
2668  netsh.exe
1160  netsh.exe
2776  netsh.exe
408   netsh.exe
1160  netsh.exe
2020  netsh.exe
1716  netsh.exe
2784  netsh.exe
1476  netsh.exe
Executes dropped EXE 8 IoCs
Processes:
pid   process
2316  svchost.exe
2956  ~tlA7A5.tmp
2308  svchost.exe
2464  ~tlD5C6.tmp
2664  svchost.exe
2268  ~tl4AC6.tmp
1728  svchost.exe
2420  ~tl981B.tmp
Loads dropped DLL 14 IoCs
Processes:
pid   process
2184  svchost_dump_SCY - Copy.exe
2184  svchost_dump_SCY - Copy.exe
2316  svchost.exe
2316  svchost.exe
2956  ~tlA7A5.tmp
2956  ~tlA7A5.tmp
2308  svchost.exe
2308  svchost.exe
2500  taskeng.exe
2664  svchost.exe
2664  svchost.exe
2156  taskeng.exe
1728  svchost.exe
1728  svchost.exe
Drops file in System32 directory 20 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | ~tl981B.tmp
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | ~tl981B.tmp
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | ~tl4AC6.tmp
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8MJ0U9PK.htm | ~tl981B.tmp
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3JLJMOT4.htm | ~tl981B.tmp
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | ~tl4AC6.tmp
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm | svchost.exe
Drops file in Windows directory 9 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System\svchost.exe | svchost_dump_SCY - Copy.exe
File created | C:\Windows\System\xxx1.bak | ~tlA7A5.tmp
File created | C:\Windows\System\xxx1.bak | svchost.exe
File created | C:\Windows\System\xxx1.bak | svchost.exe
File created | C:\Windows\System\xxx1.bak | svchost.exe
File created | C:\Windows\System\xxx1.bak | svchost_dump_SCY - Copy.exe
File created | C:\Windows\System\svchost.exe | svchost_dump_SCY - Copy.exe
File created | C:\Windows\System\xxx1.bak | svchost.exe
File opened for modification | C:\Windows\System\svchost.exe | ~tlA7A5.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
332   schtasks.exe
996   schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ~tl981B.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2031001bdf8cda01 | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionReason = "1" | ~tl4AC6.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ~tl4AC6.tmp
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecision = "0" | ~tl981B.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecision = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionTime = 00da0325df8cda01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\56-e2-a6-17-91-f9 | ~tl981B.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionReason = "1" | ~tl4AC6.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecision = "0" | ~tl4AC6.tmp
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | ~tl4AC6.tmp
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadNetworkName = "Network 3" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | netsh.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ~tl4AC6.tmp
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionTime = 00da0325df8cda01 | ~tl4AC6.tmp
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428} | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | netsh.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionTime = 00da0325df8cda01 | ~tl4AC6.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionReason = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | ~tl981B.tmp
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDetectedUrl | ~tl981B.tmp
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | ~tl4AC6.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | ~tl981B.tmp
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ~tl981B.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | ~tl4AC6.tmp
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDetectedUrl | ~tl4AC6.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | ~tl4AC6.tmp
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ~tl981B.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | netsh.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ~tl4AC6.tmp
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | ~tl4AC6.tmp
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid   process
2776  powershell.exe
2460  powershell.exe
2184  svchost_dump_SCY - Copy.exe
568   powershell.exe
1136  powershell.exe
2956  ~tlA7A5.tmp
2748  powershell.exe
616   powershell.exe
2956  ~tlA7A5.tmp
2308  svchost.exe
1504  powershell.exe
2696  powershell.exe
2464  ~tlD5C6.tmp
1976  powershell.exe
600   powershell.exe
2664  svchost.exe
1264  powershell.exe
484   powershell.exe
2268  ~tl4AC6.tmp
2788  powershell.exe
1012  powershell.exe
1728  svchost.exe
2012  powershell.exe
2316  powershell.exe
2420  ~tl981B.tmp
1700  powershell.exe
1612  powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2548 | WMIC.exe
Token: SeSecurityPrivilege | 2548 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2548 | WMIC.exe
Token: SeLoadDriverPrivilege | 2548 | WMIC.exe
Token: SeSystemProfilePrivilege | 2548 | WMIC.exe
Token: SeSystemtimePrivilege | 2548 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2548 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2548 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2548 | WMIC.exe
Token: SeBackupPrivilege | 2548 | WMIC.exe
Token: SeRestorePrivilege | 2548 | WMIC.exe
Token: SeShutdownPrivilege | 2548 | WMIC.exe
Token: SeDebugPrivilege | 2548 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2548 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2548 | WMIC.exe
Token: SeUndockPrivilege | 2548 | WMIC.exe
Token: SeManageVolumePrivilege | 2548 | WMIC.exe
Token: 33 | 2548 | WMIC.exe
Token: 34 | 2548 | WMIC.exe
Token: 35 | 2548 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2548 | WMIC.exe
Token: SeSecurityPrivilege | 2548 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2548 | WMIC.exe
Token: SeLoadDriverPrivilege | 2548 | WMIC.exe
Token: SeSystemProfilePrivilege | 2548 | WMIC.exe
Token: SeSystemtimePrivilege | 2548 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2548 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2548 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2548 | WMIC.exe
Token: SeBackupPrivilege | 2548 | WMIC.exe
Token: SeRestorePrivilege | 2548 | WMIC.exe
Token: SeShutdownPrivilege | 2548 | WMIC.exe
Token: SeDebugPrivilege | 2548 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2548 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2548 | WMIC.exe
Token: SeUndockPrivilege | 2548 | WMIC.exe
Token: SeManageVolumePrivilege | 2548 | WMIC.exe
Token: 33 | 2548 | WMIC.exe
Token: 34 | 2548 | WMIC.exe
Token: 35 | 2548 | WMIC.exe
Token: SeDebugPrivilege | 2776 | powershell.exe
Token: SeDebugPrivilege | 2460 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1496 | WMIC.exe
Token: SeSecurityPrivilege | 1496 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1496 | WMIC.exe
Token: SeLoadDriverPrivilege | 1496 | WMIC.exe
Token: SeSystemProfilePrivilege | 1496 | WMIC.exe
Token: SeSystemtimePrivilege | 1496 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1496 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1496 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1496 | WMIC.exe
Token: SeBackupPrivilege | 1496 | WMIC.exe
Token: SeRestorePrivilege | 1496 | WMIC.exe
Token: SeShutdownPrivilege | 1496 | WMIC.exe
Token: SeDebugPrivilege | 1496 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1496 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1496 | WMIC.exe
Token: SeUndockPrivilege | 1496 | WMIC.exe
Token: SeManageVolumePrivilege | 1496 | WMIC.exe
Token: 33 | 1496 | WMIC.exe
Token: 34 | 1496 | WMIC.exe
Token: 35 | 1496 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1496 | WMIC.exe
Token: SeSecurityPrivilege | 1496 | WMIC.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2184 wrote to memory of 2548 | 2184 | svchost_dump_SCY - Copy.exe | WMIC.exe
PID 2184 wrote to memory of 2548 | 2184 | svchost_dump_SCY - Copy.exe | WMIC.exe
PID 2184 wrote to memory of 2548 | 2184 | svchost_dump_SCY - Copy.exe | WMIC.exe
PID 2184 wrote to memory of 2668 | 2184 | svchost_dump_SCY - Copy.exe | netsh.exe
PID 2184 wrote to memory of 2668 | 2184 | svchost_dump_SCY - Copy.exe | netsh.exe
PID 2184 wrote to memory of 2668 | 2184 | svchost_dump_SCY - Copy.exe | netsh.exe
PID 2184 wrote to memory of 2712 | 2184 | svchost_dump_SCY - Copy.exe | netsh.exe
PID 2184 wrote to memory of 2712 | 2184 | svchost_dump_SCY - Copy.exe | netsh.exe
PID 2184 wrote to memory of 2712 | 2184 | svchost_dump_SCY - Copy.exe | netsh.exe
PID 2184 wrote to memory of 2776 | 2184 | svchost_dump_SCY - Copy.exe | powershell.exe
PID 2184 wrote to memory of 2776 | 2184 | svchost_dump_SCY - Copy.exe | powershell.exe
PID 2184 wrote to memory of 2776 | 2184 | svchost_dump_SCY - Copy.exe | powershell.exe
PID 2184 wrote to memory of 2460 | 2184 | svchost_dump_SCY - Copy.exe | powershell.exe
PID 2184 wrote to memory of 2460 | 2184 | svchost_dump_SCY - Copy.exe | powershell.exe
PID 2184 wrote to memory of 2460 | 2184 | svchost_dump_SCY - Copy.exe | powershell.exe
PID 2184 wrote to memory of 764 | 2184 | svchost_dump_SCY - Copy.exe | schtasks.exe
PID 2184 wrote to memory of 764 | 2184 | svchost_dump_SCY - Copy.exe | schtasks.exe
PID 2184 wrote to memory of 764 | 2184 | svchost_dump_SCY - Copy.exe | schtasks.exe
PID 2184 wrote to memory of 332 | 2184 | svchost_dump_SCY - Copy.exe | schtasks.exe
PID 2184 wrote to memory of 332 | 2184 | svchost_dump_SCY - Copy.exe | schtasks.exe
PID 2184 wrote to memory of 332 | 2184 | svchost_dump_SCY - Copy.exe | schtasks.exe
PID 2184 wrote to memory of 2316 | 2184 | svchost_dump_SCY - Copy.exe | svchost.exe
PID 2184 wrote to memory of 2316 | 2184 | svchost_dump_SCY - Copy.exe | svchost.exe
PID 2184 wrote to memory of 2316 | 2184 | svchost_dump_SCY - Copy.exe | svchost.exe
PID 2316 wrote to memory of 1496 | 2316 | svchost.exe | WMIC.exe
PID 2316 wrote to memory of 1496 | 2316 | svchost.exe | WMIC.exe
PID 2316 wrote to memory of 1496 | 2316 | svchost.exe | WMIC.exe
PID 2316 wrote to memory of 696 | 2316 | svchost.exe | netsh.exe
PID 2316 wrote to memory of 696 | 2316 | svchost.exe | netsh.exe
PID 2316 wrote to memory of 696 | 2316 | svchost.exe | netsh.exe
PID 2316 wrote to memory of 1160 | 2316 | svchost.exe | netsh.exe
PID 2316 wrote to memory of 1160 | 2316 | svchost.exe | netsh.exe
PID 2316 wrote to memory of 1160 | 2316 | svchost.exe | netsh.exe
PID 2316 wrote to memory of 568 | 2316 | svchost.exe | powershell.exe
PID 2316 wrote to memory of 568 | 2316 | svchost.exe | powershell.exe
PID 2316 wrote to memory of 568 | 2316 | svchost.exe | powershell.exe
PID 2316 wrote to memory of 1136 | 2316 | svchost.exe | powershell.exe
PID 2316 wrote to memory of 1136 | 2316 | svchost.exe | powershell.exe
PID 2316 wrote to memory of 1136 | 2316 | svchost.exe | powershell.exe
PID 2316 wrote to memory of 2956 | 2316 | svchost.exe | ~tlA7A5.tmp
PID 2316 wrote to memory of 2956 | 2316 | svchost.exe | ~tlA7A5.tmp
PID 2316 wrote to memory of 2956 | 2316 | svchost.exe | ~tlA7A5.tmp
PID 2956 wrote to memory of 2268 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2268 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2268 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2480 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2480 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2480 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2020 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2020 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2020 | 2956 | ~tlA7A5.tmp | netsh.exe
PID 2956 wrote to memory of 2748 | 2956 | ~tlA7A5.tmp | powershell.exe
PID 2956 wrote to memory of 2748 | 2956 | ~tlA7A5.tmp | powershell.exe
PID 2956 wrote to memory of 2748 | 2956 | ~tlA7A5.tmp | powershell.exe
PID 2956 wrote to memory of 616 | 2956 | ~tlA7A5.tmp | powershell.exe
PID 2956 wrote to memory of 616 | 2956 | ~tlA7A5.tmp | powershell.exe
PID 2956 wrote to memory of 616 | 2956 | ~tlA7A5.tmp | powershell.exe
PID 2956 wrote to memory of 2860 | 2956 | ~tlA7A5.tmp | schtasks.exe
PID 2956 wrote to memory of 2860 | 2956 | ~tlA7A5.tmp | schtasks.exe
PID 2956 wrote to memory of 2860 | 2956 | ~tlA7A5.tmp | schtasks.exe
PID 2956 wrote to memory of 996 | 2956 | ~tlA7A5.tmp | schtasks.exe
PID 2956 wrote to memory of 996 | 2956 | ~tlA7A5.tmp | schtasks.exe
PID 2956 wrote to memory of 996 | 2956 | ~tlA7A5.tmp | schtasks.exe
PID 2956 wrote to memory of 2308 | 2956 | ~tlA7A5.tmp | svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\~tlA7A5.tmpC:\Users\Admin\AppData\Local\Temp\~tlA7A5.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"4⤵
-
- C:\Windows\system32\schtasks.exe (level 4)
  Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  - Creates scheduled task(s)
- C:\Windows\System\svchost.exe (level 4)
  Command line: "C:\Windows\System\svchost.exe" formal
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\netsh.exe (level 5)
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- C:\Windows\System32\netsh.exe (level 5)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
- C:\Windows\System32\netsh.exe (level 5)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\~tlD5C6.tmp (level 5)
  Command line: C:\Users\Admin\AppData\Local\Temp\~tlD5C6.tmp
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\netsh.exe (level 6)
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- C:\Windows\System32\netsh.exe (level 6)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
- C:\Windows\System32\netsh.exe (level 6)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {6D83325B-23DB-40F2-8295-A00879C79796} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
- \??\c:\windows\system\svchost.exe (level 2)
  Command line: c:\windows\system\svchost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\netsh.exe (level 3)
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  - Modifies data under HKEY_USERS
- C:\Windows\System32\netsh.exe (level 3)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
- C:\Windows\System32\netsh.exe (level 3)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\TEMP\~tl4AC6.tmp (level 3)
  Command line: C:\Windows\TEMP\~tl4AC6.tmp
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\netsh.exe (level 4)
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  - Modifies data under HKEY_USERS
- C:\Windows\System32\netsh.exe (level 4)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
- C:\Windows\System32\netsh.exe (level 4)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {2B76F4C4-D4C5-4198-B8B6-3BB627AD8710} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
- \??\c:\windows\system\svchost.exe (level 2)
  Command line: c:\windows\system\svchost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\netsh.exe (level 3)
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  - Modifies data under HKEY_USERS
- C:\Windows\System32\netsh.exe (level 3)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
- C:\Windows\System32\netsh.exe (level 3)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\TEMP\~tl981B.tmp (level 3)
  Command line: C:\Windows\TEMP\~tl981B.tmp
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\netsh.exe (level 4)
  Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  - Modifies data under HKEY_USERS
- C:\Windows\System32\netsh.exe (level 4)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
- C:\Windows\System32\netsh.exe (level 4)
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: cf991352a4f4dc35956bebbcf38fcb59
  SHA1: 04c6212f4cde38b8b0bf929539b2172fe71ef221
  SHA256: 244aa7e60ceb23f478c990100f7cb0d03c6d01152f7e6b22403f543a26ba0a07
  SHA512: c15a66f3d0d6c55917a79cf651518af49032ca2def291fe89b3ded7a6d8191e635b0a313516b48f56b99b2db78635fe0167b7b539d59ee526ad00473d2cda775
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MQ5879M2JYH79REVHLSF.temp
  Filesize: 7KB
  MD5: 1a05be584ef2f980e129712e6fa29dab
  SHA1: 243240316ba8535e9ee3eb114f24fe73f7425349
  SHA256: b6e9a1185b06ffa6651e1ed2e6f8e84b266d3c44278bccf2e60873d5c80d0620
  SHA512: 1a8d28eb75c9a2bb284c86cf60edbddbfc33d5e639d1bad0aafcf249a543bee1063d1d59969ced048d23df2b7ef21c6551c4c6eaaae4e1834ae763013447ebe3
- C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
  Filesize: 2.7MB
  MD5: 27acfbf94480631e547b5cb508d9d4fb
  SHA1: f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c
  SHA256: 0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e
  SHA512: 902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929
- C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
  Filesize: 6.2MB
  MD5: f0da454a7f974ee85a535efff8998f72
  SHA1: 030e8b8ec61fe0657e47e73bbe874ff1549e64eb
  SHA256: 891817b1e5e55b35cf723a89b3874e67658c4f347a12bd5789a54e5b31c9fd81
  SHA512: 343636670b72ac478a5399e4ddb04776786f6c2cbb7c92332638fa726fa77ff0603193dc803ea252a12a7e914ef3e08f5f3619a1ff09317401dc2300985eb4ea
- C:\Windows\System\svchost.exe
  Filesize: 385KB
  MD5: afca213ee0321f46e8bde639ae2de3e2
  SHA1: 4dc7621667b7cdb544c03c4b756cd0193b9d74f9
  SHA256: 664200ddc8a80df3122556faae95263e64a5affe4d086982e690aec7d1bae7dc
  SHA512: a075fbb1648b87768ab7973ff8ba97d658dd1f5c8b07e3ba4e535d7f318ded08aab4714eff38becf61cbc2d68cb5a6bc7011b6e7cdc2ea47ecd2d143ea7cb843
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\~tlA7A5.tmp
  Filesize: 385KB
  MD5: e802c96760e48c5139995ffb2d891f90
  SHA1: bba3d278c0eb1094a26e5d2f4c099ad685371578
  SHA256: cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
  SHA512: 97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
- \Users\Admin\AppData\Local\Temp\~tlD5C6.tmp
  Filesize: 393KB
  MD5: 9dbdd43a2e0b032604943c252eaf634a
  SHA1: 9584dc66f3c1cce4210fdf827a1b4e2bb22263af
  SHA256: 33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86
  SHA512: b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1
- \Windows\system\svchost.exe
  Filesize: 5.2MB
  MD5: 5fd3d21a968f4b8a1577b5405ab1c36a
  SHA1: 710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
  SHA256: 7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
  SHA512: 085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
- memory/568-48-0x0000000002BC0000-0x0000000002C40000-memory.dmp (Filesize: 512KB)
- memory/568-60-0x0000000002BC4000-0x0000000002BC7000-memory.dmp (Filesize: 12KB)
- memory/568-45-0x000000001B6F0000-0x000000001B9D2000-memory.dmp (Filesize: 2.9MB)
- memory/568-64-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp (Filesize: 9.6MB)
- memory/568-46-0x0000000002790000-0x0000000002798000-memory.dmp (Filesize: 32KB)
- memory/568-47-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp (Filesize: 9.6MB)
- memory/568-52-0x0000000002BC0000-0x0000000002C40000-memory.dmp (Filesize: 512KB)
- memory/568-49-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp (Filesize: 9.6MB)
- memory/568-61-0x0000000002BCB000-0x0000000002C32000-memory.dmp (Filesize: 412KB)
- memory/616-146-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp (Filesize: 9.6MB)
- memory/616-152-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp (Filesize: 9.6MB)
- memory/616-151-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp (Filesize: 9.6MB)
- memory/616-145-0x0000000002D60000-0x0000000002DE0000-memory.dmp (Filesize: 512KB)
- memory/616-150-0x0000000002D60000-0x0000000002DE0000-memory.dmp (Filesize: 512KB)
- memory/616-148-0x0000000002D60000-0x0000000002DE0000-memory.dmp (Filesize: 512KB)
- memory/616-149-0x0000000002D60000-0x0000000002DE0000-memory.dmp (Filesize: 512KB)
- memory/1136-63-0x0000000002BD0000-0x0000000002C50000-memory.dmp (Filesize: 512KB)
- memory/1136-67-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp (Filesize: 9.6MB)
- memory/1136-62-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp (Filesize: 9.6MB)
- memory/1136-66-0x0000000002BD0000-0x0000000002C50000-memory.dmp (Filesize: 512KB)
- memory/1136-57-0x0000000002BD0000-0x0000000002C50000-memory.dmp (Filesize: 512KB)
- memory/1136-58-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp (Filesize: 9.6MB)
- memory/1136-59-0x0000000002BD0000-0x0000000002C50000-memory.dmp (Filesize: 512KB)
- memory/1504-178-0x0000000002C60000-0x0000000002CE0000-memory.dmp (Filesize: 512KB)
- memory/1504-176-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp (Filesize: 9.6MB)
- memory/1504-175-0x0000000002C60000-0x0000000002CE0000-memory.dmp (Filesize: 512KB)
- memory/1504-174-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp (Filesize: 9.6MB)
- memory/2184-39-0x0000000140000000-0x0000000140636000-memory.dmp (Filesize: 6.2MB)
- memory/2184-26-0x0000000140000000-0x0000000140636000-memory.dmp (Filesize: 6.2MB)
- memory/2184-0-0x0000000140000000-0x0000000140636000-memory.dmp (Filesize: 6.2MB)
- memory/2184-36-0x000000001F3E0000-0x000000001FA16000-memory.dmp (Filesize: 6.2MB)
- memory/2184-37-0x000000001F3E0000-0x000000001FA16000-memory.dmp (Filesize: 6.2MB)
- memory/2268-306-0x0000000140000000-0x0000000140170400-memory.dmp (Filesize: 1.4MB)
- memory/2268-287-0x0000000140000000-0x0000000140170400-memory.dmp (Filesize: 1.4MB)
- memory/2308-168-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2308-166-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2308-194-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2308-202-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2316-65-0x0000000140000000-0x0000000140636000-memory.dmp (Filesize: 6.2MB)
- memory/2316-68-0x000000001ED60000-0x000000001F242000-memory.dmp (Filesize: 4.9MB)
- memory/2316-38-0x0000000140000000-0x0000000140636000-memory.dmp (Filesize: 6.2MB)
- memory/2316-123-0x0000000140000000-0x0000000140636000-memory.dmp (Filesize: 6.2MB)
- memory/2460-19-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp (Filesize: 9.6MB)
- memory/2460-17-0x0000000002D20000-0x0000000002DA0000-memory.dmp (Filesize: 512KB)
- memory/2460-22-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp (Filesize: 9.6MB)
- memory/2460-23-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp (Filesize: 9.6MB)
- memory/2460-20-0x0000000002D20000-0x0000000002DA0000-memory.dmp (Filesize: 512KB)
- memory/2460-24-0x0000000002D24000-0x0000000002D27000-memory.dmp (Filesize: 12KB)
- memory/2460-25-0x0000000002D20000-0x0000000002DA0000-memory.dmp (Filesize: 512KB)
- memory/2464-233-0x0000000140000000-0x0000000140170400-memory.dmp (Filesize: 1.4MB)
- memory/2464-232-0x0000000140000000-0x0000000140170400-memory.dmp (Filesize: 1.4MB)
- memory/2464-206-0x0000000140000000-0x0000000140170400-memory.dmp (Filesize: 1.4MB)
- memory/2464-203-0x0000000140000000-0x0000000140170400-memory.dmp (Filesize: 1.4MB)
- memory/2664-273-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2664-283-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2664-255-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2696-186-0x0000000002AA0000-0x0000000002B20000-memory.dmp (Filesize: 512KB)
- memory/2696-183-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp (Filesize: 9.6MB)
- memory/2696-187-0x0000000002AA0000-0x0000000002B20000-memory.dmp (Filesize: 512KB)
- memory/2696-184-0x0000000002AA0000-0x0000000002B20000-memory.dmp (Filesize: 512KB)
- memory/2696-185-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp (Filesize: 9.6MB)
- memory/2748-134-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp (Filesize: 9.6MB)
- memory/2748-147-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp (Filesize: 9.6MB)
- memory/2748-135-0x00000000027B0000-0x0000000002830000-memory.dmp (Filesize: 512KB)
- memory/2748-136-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp (Filesize: 9.6MB)
- memory/2748-137-0x00000000027B0000-0x0000000002830000-memory.dmp (Filesize: 512KB)
- memory/2748-140-0x00000000027B0000-0x0000000002830000-memory.dmp (Filesize: 512KB)
- memory/2776-21-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp (Filesize: 9.6MB)
- memory/2776-15-0x0000000002C00000-0x0000000002C80000-memory.dmp (Filesize: 512KB)
- memory/2776-5-0x000000001B590000-0x000000001B872000-memory.dmp (Filesize: 2.9MB)
- memory/2776-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp (Filesize: 32KB)
- memory/2776-18-0x0000000002C04000-0x0000000002C07000-memory.dmp (Filesize: 12KB)
- memory/2776-16-0x0000000002C00000-0x0000000002C80000-memory.dmp (Filesize: 512KB)
- memory/2776-14-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp (Filesize: 9.6MB)
- memory/2776-13-0x0000000002C00000-0x0000000002C80000-memory.dmp (Filesize: 512KB)
- memory/2776-12-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp (Filesize: 9.6MB)
- memory/2956-167-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2956-128-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2956-125-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)
- memory/2956-124-0x0000000140000000-0x000000014015E400-memory.dmp (Filesize: 1.4MB)