7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1199s
max time network
1199s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
60	netsh.exe
2032	netsh.exe
4932	netsh.exe
3336	netsh.exe
8	netsh.exe
1876	netsh.exe
3080	netsh.exe
3612	netsh.exe
1824	netsh.exe
2620	netsh.exe
4848	netsh.exe
1596	netsh.exe
1860	netsh.exe
4364	netsh.exe
824	netsh.exe
348	netsh.exe
4604	netsh.exe
4192	netsh.exe

Executes dropped EXE 8 IoCs

Processes:

svchost.exe~tl3C5.tmpsvchost.exe~tlDBB6.tmpsvchost.exe~tlAB32.tmpsvchost.exe~tlD6C9.tmp

pid process

432 svchost.exe
596 ~tl3C5.tmp
1592 svchost.exe
4916 ~tlDBB6.tmp
1532 svchost.exe
3228 ~tlAB32.tmp
3712 svchost.exe
1368 ~tlD6C9.tmp

pid	process
432	svchost.exe
596	~tl3C5.tmp
1592	svchost.exe
4916	~tlDBB6.tmp
1532	svchost.exe
3228	~tlAB32.tmp
3712	svchost.exe
1368	~tlD6C9.tmp

Drops file in System32 directory 20 IoCs

Processes:

powershell.exesvchost.exepowershell.exesvchost.exe~tlAB32.tmppowershell.exe~tlD6C9.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlAB32.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlD6C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlD6C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\18U1WOZJ.htm	~tlD6C9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlAB32.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.exesvchost_dump_SCY - Copy.exe~tl3C5.tmpsvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	~tl3C5.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl3C5.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2296 schtasks.exe
1404 schtasks.exe

pid	process
2296	schtasks.exe
1404	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl3C5.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlDBB6.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlAB32.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
4208	svchost_dump_SCY - Copy.exe
4208	svchost_dump_SCY - Copy.exe
1832	powershell.exe
1832	powershell.exe
1832	powershell.exe
708	powershell.exe
708	powershell.exe
708	powershell.exe
596	~tl3C5.tmp
596	~tl3C5.tmp
4532	powershell.exe
3700	powershell.exe
4532	powershell.exe
3700	powershell.exe
4532	powershell.exe
3700	powershell.exe
596	~tl3C5.tmp
596	~tl3C5.tmp
1592	svchost.exe
1592	svchost.exe
1164	powershell.exe
1164	powershell.exe
216	powershell.exe
216	powershell.exe
1164	powershell.exe
216	powershell.exe
4916	~tlDBB6.tmp
4916	~tlDBB6.tmp
1888	powershell.exe
1888	powershell.exe
1888	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
1532	svchost.exe
1532	svchost.exe
1104	powershell.exe
1104	powershell.exe
1468	powershell.exe
1104	powershell.exe
1468	powershell.exe
1468	powershell.exe
3228	~tlAB32.tmp
3228	~tlAB32.tmp
2888	powershell.exe
2888	powershell.exe
32	powershell.exe
32	powershell.exe
32	powershell.exe
2888	powershell.exe
3712	svchost.exe
3712	svchost.exe
4412	powershell.exe
4532	powershell.exe
4412	powershell.exe
4532	powershell.exe
4412	powershell.exe
4532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe
Token: SeSecurityPrivilege	428	WMIC.exe
Token: SeTakeOwnershipPrivilege	428	WMIC.exe
Token: SeLoadDriverPrivilege	428	WMIC.exe
Token: SeSystemProfilePrivilege	428	WMIC.exe
Token: SeSystemtimePrivilege	428	WMIC.exe
Token: SeProfSingleProcessPrivilege	428	WMIC.exe
Token: SeIncBasePriorityPrivilege	428	WMIC.exe
Token: SeCreatePagefilePrivilege	428	WMIC.exe
Token: SeBackupPrivilege	428	WMIC.exe
Token: SeRestorePrivilege	428	WMIC.exe
Token: SeShutdownPrivilege	428	WMIC.exe
Token: SeDebugPrivilege	428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	428	WMIC.exe
Token: SeRemoteShutdownPrivilege	428	WMIC.exe
Token: SeUndockPrivilege	428	WMIC.exe
Token: SeManageVolumePrivilege	428	WMIC.exe
Token: 33	428	WMIC.exe
Token: 34	428	WMIC.exe
Token: 35	428	WMIC.exe
Token: 36	428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe
Token: SeSecurityPrivilege	428	WMIC.exe
Token: SeTakeOwnershipPrivilege	428	WMIC.exe
Token: SeLoadDriverPrivilege	428	WMIC.exe
Token: SeSystemProfilePrivilege	428	WMIC.exe
Token: SeSystemtimePrivilege	428	WMIC.exe
Token: SeProfSingleProcessPrivilege	428	WMIC.exe
Token: SeIncBasePriorityPrivilege	428	WMIC.exe
Token: SeCreatePagefilePrivilege	428	WMIC.exe
Token: SeBackupPrivilege	428	WMIC.exe
Token: SeRestorePrivilege	428	WMIC.exe
Token: SeShutdownPrivilege	428	WMIC.exe
Token: SeDebugPrivilege	428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	428	WMIC.exe
Token: SeRemoteShutdownPrivilege	428	WMIC.exe
Token: SeUndockPrivilege	428	WMIC.exe
Token: SeManageVolumePrivilege	428	WMIC.exe
Token: 33	428	WMIC.exe
Token: 34	428	WMIC.exe
Token: 35	428	WMIC.exe
Token: 36	428	WMIC.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4204	powershell.exe
Token: SeSecurityPrivilege	4204	powershell.exe
Token: SeTakeOwnershipPrivilege	4204	powershell.exe
Token: SeLoadDriverPrivilege	4204	powershell.exe
Token: SeSystemProfilePrivilege	4204	powershell.exe
Token: SeSystemtimePrivilege	4204	powershell.exe
Token: SeProfSingleProcessPrivilege	4204	powershell.exe
Token: SeIncBasePriorityPrivilege	4204	powershell.exe
Token: SeCreatePagefilePrivilege	4204	powershell.exe
Token: SeBackupPrivilege	4204	powershell.exe
Token: SeRestorePrivilege	4204	powershell.exe
Token: SeShutdownPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeSystemEnvironmentPrivilege	4204	powershell.exe
Token: SeRemoteShutdownPrivilege	4204	powershell.exe
Token: SeUndockPrivilege	4204	powershell.exe
Token: SeManageVolumePrivilege	4204	powershell.exe
Token: 33	4204	powershell.exe
Token: 34	4204	powershell.exe
Token: 35	4204	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tl3C5.tmpsvchost.exe~tlDBB6.tmp

description	pid	process	target process
PID 4208 wrote to memory of 428	4208	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4208 wrote to memory of 428	4208	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 4208 wrote to memory of 4932	4208	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4208 wrote to memory of 4932	4208	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4208 wrote to memory of 3336	4208	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4208 wrote to memory of 3336	4208	svchost_dump_SCY - Copy.exe	netsh.exe
PID 4208 wrote to memory of 4204	4208	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4208 wrote to memory of 4204	4208	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4208 wrote to memory of 1476	4208	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4208 wrote to memory of 1476	4208	svchost_dump_SCY - Copy.exe	powershell.exe
PID 4208 wrote to memory of 2640	4208	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4208 wrote to memory of 2640	4208	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4208 wrote to memory of 2296	4208	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4208 wrote to memory of 2296	4208	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 4208 wrote to memory of 432	4208	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4208 wrote to memory of 432	4208	svchost_dump_SCY - Copy.exe	svchost.exe
PID 432 wrote to memory of 2760	432	svchost.exe	WMIC.exe
PID 432 wrote to memory of 2760	432	svchost.exe	WMIC.exe
PID 432 wrote to memory of 1860	432	svchost.exe	netsh.exe
PID 432 wrote to memory of 1860	432	svchost.exe	netsh.exe
PID 432 wrote to memory of 4364	432	svchost.exe	netsh.exe
PID 432 wrote to memory of 4364	432	svchost.exe	netsh.exe
PID 432 wrote to memory of 1832	432	svchost.exe	powershell.exe
PID 432 wrote to memory of 1832	432	svchost.exe	powershell.exe
PID 432 wrote to memory of 708	432	svchost.exe	powershell.exe
PID 432 wrote to memory of 708	432	svchost.exe	powershell.exe
PID 432 wrote to memory of 596	432	svchost.exe	~tl3C5.tmp
PID 432 wrote to memory of 596	432	svchost.exe	~tl3C5.tmp
PID 596 wrote to memory of 1832	596	~tl3C5.tmp	netsh.exe
PID 596 wrote to memory of 1832	596	~tl3C5.tmp	netsh.exe
PID 596 wrote to memory of 2620	596	~tl3C5.tmp	netsh.exe
PID 596 wrote to memory of 2620	596	~tl3C5.tmp	netsh.exe
PID 596 wrote to memory of 8	596	~tl3C5.tmp	netsh.exe
PID 596 wrote to memory of 8	596	~tl3C5.tmp	netsh.exe
PID 596 wrote to memory of 4532	596	~tl3C5.tmp	powershell.exe
PID 596 wrote to memory of 4532	596	~tl3C5.tmp	powershell.exe
PID 596 wrote to memory of 3700	596	~tl3C5.tmp	powershell.exe
PID 596 wrote to memory of 3700	596	~tl3C5.tmp	powershell.exe
PID 596 wrote to memory of 4496	596	~tl3C5.tmp	schtasks.exe
PID 596 wrote to memory of 4496	596	~tl3C5.tmp	schtasks.exe
PID 596 wrote to memory of 1404	596	~tl3C5.tmp	schtasks.exe
PID 596 wrote to memory of 1404	596	~tl3C5.tmp	schtasks.exe
PID 596 wrote to memory of 1592	596	~tl3C5.tmp	svchost.exe
PID 596 wrote to memory of 1592	596	~tl3C5.tmp	svchost.exe
PID 1592 wrote to memory of 3312	1592	svchost.exe	netsh.exe
PID 1592 wrote to memory of 3312	1592	svchost.exe	netsh.exe
PID 1592 wrote to memory of 4848	1592	svchost.exe	netsh.exe
PID 1592 wrote to memory of 4848	1592	svchost.exe	netsh.exe
PID 1592 wrote to memory of 824	1592	svchost.exe	netsh.exe
PID 1592 wrote to memory of 824	1592	svchost.exe	netsh.exe
PID 1592 wrote to memory of 1164	1592	svchost.exe	powershell.exe
PID 1592 wrote to memory of 1164	1592	svchost.exe	powershell.exe
PID 1592 wrote to memory of 216	1592	svchost.exe	powershell.exe
PID 1592 wrote to memory of 216	1592	svchost.exe	powershell.exe
PID 1592 wrote to memory of 4916	1592	svchost.exe	~tlDBB6.tmp
PID 1592 wrote to memory of 4916	1592	svchost.exe	~tlDBB6.tmp
PID 4916 wrote to memory of 2204	4916	~tlDBB6.tmp	netsh.exe
PID 4916 wrote to memory of 2204	4916	~tlDBB6.tmp	netsh.exe
PID 4916 wrote to memory of 1876	4916	~tlDBB6.tmp	netsh.exe
PID 4916 wrote to memory of 1876	4916	~tlDBB6.tmp	netsh.exe
PID 4916 wrote to memory of 3080	4916	~tlDBB6.tmp	netsh.exe
PID 4916 wrote to memory of 3080	4916	~tlDBB6.tmp	netsh.exe
PID 4916 wrote to memory of 1888	4916	~tlDBB6.tmp	powershell.exe
PID 4916 wrote to memory of 1888	4916	~tlDBB6.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4932

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2640

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2296

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:2760

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1860

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:708

C:\Users\Admin\AppData\Local\Temp\~tl3C5.tmp
C:\Users\Admin\AppData\Local\Temp\~tl3C5.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1832

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2620

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:4496

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3312

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4848

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:216

C:\Users\Admin\AppData\Local\Temp\~tlDBB6.tmp
C:\Users\Admin\AppData\Local\Temp\~tlDBB6.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:2204

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1876

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:4672

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:348

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\TEMP\~tlAB32.tmp
C:\Windows\TEMP\~tlAB32.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3228

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:5112

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:60

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:32

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:3376

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1824

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\TEMP\~tlD6C9.tmp
C:\Windows\TEMP\~tlD6C9.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4960

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1596

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
cd5b15b46b9fe0d89c2b8d351c303d2a

SHA1
e1d30a8f98585e20c709732c013e926c7078a3c2

SHA256
0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

SHA512
d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
41ee1edecbe7d06d72ee993f1e644f71

SHA1
20055e4fbe36c8ca6580ddc98db4bf9c8c3dec90

SHA256
217bcc3258cdac08cc7a561ae333c6f83c21aa77d6a263b8759f3366a1dbf55f

SHA512
8bd0d28972c4524a25e5e15d40a9a0fe54c115b72fae6ae4cf9a64b6006a657d7a52091cbca91821a917078a601137c0cc7d84b994a3715cf167b509a156dec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
866acb5d5132762235d10d5ee28bd7ba

SHA1
851ef33390119d3a58e0afac256fba9bc08c6e5f

SHA256
0279c440bb6b1c162badac03e7cc21b9ceee3509f09c20cb84c7a2b009b1fc92

SHA512
59c5d9809f74e07e5a4531b05b40ce85c3d0de3c75660401a4735f424ec06ac84717eb135a3bfa7619b16f48f521b783facf9284c6a37ee7534b81c6a75574b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7808a889ebee64dfc13020f31517e3d0

SHA1
dc43543d5ec1e3656769e3daa92979da1120876c

SHA256
b58767c57927fca49b903a16fa52143d2011600f7fa7902a1c00346f96029090

SHA512
e85ed3f4a86a60d71aa5fd95b3c5116ffb2ac1250b01e950f94695eab5ed3de0129f6ad28ea07bc62df2283907346f3adc273ee3fc8f1be76b2437a4653de3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
63c374e7af09e7b366a22f592b825da1

SHA1
f4b734b8c96082b74b99c4906eeed9df894f18e6

SHA256
798e89044c7f1438757fc15f934d4b927c70cefe8961f4310d0fd0e15bb7aae9

SHA512
8d786f34f1a062cbe4ec13f2a9139c7ce102207917807c3057b44dcb47ee9e3c1c4366ff6a9fbe4ccc9ddbbe431e4d67bd700783e8767e3545db19ae2003eeab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
192B

MD5
83aab16b68903d03a7abd3943d473f75

SHA1
acebede95f0f78ac6d4c5099cfb63e9252ab83e6

SHA256
b6124656aec39cdcecce4c3e4180cc4062efb2c689a5be104435db2696b66fe0

SHA512
7b65e4bf5491f85944379d0d29bbb6d6b22bf238c0e48d76d8b2e09d3d0cc2382a38ab34eba5dbfe2e04bdb5c71ad27f84e39b5c50f28ab18e6d5fc304b3f2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zynh0g3.vev.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl3C5.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlDBB6.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.8MB

MD5
c54b2945a090d9bf6d2b736f04c283f9

SHA1
ffffaa477541c137c130287468d3dae1e6998317

SHA256
8cafc156d505e89ac0dad75c03f5ba47e45528ced7916dbc76651c955aa0e2a0

SHA512
a076a2d214dd246083259c7ca7564274c47fdd05f5f171988558ceba03530b798596c996519ab5b99fb89ff105c546f660774c9f82b680913381bd80c83521f7

Download Submit
C:\Windows\System\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
192B

MD5
8bf8b0fb6b8f51b348062b490a2e33f1

SHA1
cc915be2a41ba8b5595f6d7d0c5a6a74ee7e12fa

SHA256
aa367d7048ef175a9227110d06687ddb7c7e942120a9f1c66dbf0aee6ad9206e

SHA512
e444f0ee338d63a7517dde840c501dcd8329492b523ff1a2616017a91437b872f2f5ba9bd37cb5da7a8ea064c743055b30256df8699b039109c6a2afaccf8ec4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ebfea138c6fbedeb0e321cb822beaac

SHA1
b104a3cb9f8e5e29408e294f5c1f061ebfa03d10

SHA256
073456914fa4666530cfd4be0bcbbf9f551b324057152b4589e41b038a868297

SHA512
77f59acdeffec3c48ae0778445ef141e7e7710642ad55f58fb0830d28e2156e7236ebc2a9b4ba11a608581cfa3d13de70d40c8e27b07731a23d8becfab91f78e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
94a4b127067d09a42a41068adfc3ab4e

SHA1
4bfde257ae5c1f2f1832c20100be264d54085292

SHA256
78d2564b3d69be6c2174111e5d99e509f2246643cebd603236b055d6e45ae054

SHA512
830e9503ca5997d717ae03b864c4d59142a8690bf0e178e2c358c1f2c37b8dafb49697c50e81597e56bff6c3b670fed7284c9bdfde7a4a55794c49d92c461c8d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
719B

MD5
0f8f527dc9b7a096903fee037bb3770a

SHA1
5cc8237f7c6342b1103d4d89a4c256c09e95f62c

SHA256
6166410bdbd5b0a1b0924a8e46fd2a0379156d9e5383930a93a32002bb61f476

SHA512
b386815c5a8938b7f5721861832432d2febfffd2937b89ec48b2fe6680f788cdecf623fdc0a471dd1cd231583d3464e077f79199c2c46efbf9cfb3fd8aa5d6ba

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
98fd0b040f103993ebdb8b784dcd68fb

SHA1
a492f69939fc31bfd809a8fcd7d760c515048f30

SHA256
d110d8a4d161a3f515e18d2cc470e0cb05b8807562e42b0506da701ccd1ad8f1

SHA512
b9861aa65ae6d2eeb1019bf9c6f79dbf4691e32cfb02b63de005243b20d40caab7992a0d0a50aa3f49e5d56c18246ca541e570f52bdcca610111fd4c0c0b644d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/216-397-0x000001944DA30000-0x000001944DA40000-memory.dmp

Filesize
64KB

Download
memory/216-448-0x000001944DA30000-0x000001944DA40000-memory.dmp

Filesize
64KB

Download
memory/216-393-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/216-398-0x000001944DA30000-0x000001944DA40000-memory.dmp

Filesize
64KB

Download
memory/216-485-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/216-480-0x000001944DA30000-0x000001944DA40000-memory.dmp

Filesize
64KB

Download
memory/432-216-0x0000000036B60000-0x0000000037042000-memory.dmp

Filesize
4.9MB

Download
memory/432-128-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/432-111-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/432-268-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/596-270-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/596-266-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/596-269-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/596-271-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/596-382-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/708-123-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/708-210-0x000002345F120000-0x000002345F130000-memory.dmp

Filesize
64KB

Download
memory/708-174-0x000002345F120000-0x000002345F130000-memory.dmp

Filesize
64KB

Download
memory/708-130-0x000002345F120000-0x000002345F130000-memory.dmp

Filesize
64KB

Download
memory/708-129-0x000002345F120000-0x000002345F130000-memory.dmp

Filesize
64KB

Download
memory/708-215-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/1164-415-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

Filesize
64KB

Download
memory/1164-390-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

Filesize
64KB

Download
memory/1164-389-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

Filesize
64KB

Download
memory/1164-386-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/1164-468-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

Filesize
64KB

Download
memory/1164-481-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/1476-18-0x0000024651370000-0x0000024651380000-memory.dmp

Filesize
64KB

Download
memory/1476-14-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-17-0x0000024651370000-0x0000024651380000-memory.dmp

Filesize
64KB

Download
memory/1476-96-0x0000024651370000-0x0000024651380000-memory.dmp

Filesize
64KB

Download
memory/1476-105-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-48-0x0000024651370000-0x0000024651380000-memory.dmp

Filesize
64KB

Download
memory/1532-620-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1532-942-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1532-950-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1592-494-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1592-381-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1592-383-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1832-118-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

Filesize
64KB

Download
memory/1832-119-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

Filesize
64KB

Download
memory/1832-144-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

Filesize
64KB

Download
memory/1832-196-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

Filesize
64KB

Download
memory/1832-211-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/1832-115-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/1888-505-0x0000021E65E50000-0x0000021E65E60000-memory.dmp

Filesize
64KB

Download
memory/1888-502-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/1888-504-0x0000021E65E50000-0x0000021E65E60000-memory.dmp

Filesize
64KB

Download
memory/3228-954-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3228-1270-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3700-364-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

Filesize
64KB

Download
memory/3700-372-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/3700-284-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

Filesize
64KB

Download
memory/3700-283-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/3700-321-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

Filesize
64KB

Download
memory/3700-285-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

Filesize
64KB

Download
memory/4204-6-0x000002C658DE0000-0x000002C658DF0000-memory.dmp

Filesize
64KB

Download
memory/4204-7-0x000002C658DE0000-0x000002C658DF0000-memory.dmp

Filesize
64KB

Download
memory/4204-8-0x000002C658D90000-0x000002C658DB2000-memory.dmp

Filesize
136KB

Download
memory/4204-104-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/4204-5-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/4204-45-0x000002C658DE0000-0x000002C658DF0000-memory.dmp

Filesize
64KB

Download
memory/4204-19-0x000002C659070000-0x000002C6590E6000-memory.dmp

Filesize
472KB

Download
memory/4208-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4208-12-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4208-112-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4276-510-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/4276-514-0x0000024155A90000-0x0000024155AA0000-memory.dmp

Filesize
64KB

Download
memory/4532-277-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

Filesize
64KB

Download
memory/4532-315-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

Filesize
64KB

Download
memory/4532-278-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

Filesize
64KB

Download
memory/4532-366-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

Filesize
64KB

Download
memory/4532-274-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/4532-373-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

Filesize
9.9MB

Download
memory/4916-602-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4916-498-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4916-497-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4916-496-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4916-495-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4916-493-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download