7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1198s
max time network
1201s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1356	netsh.exe
1592	netsh.exe
556	netsh.exe
708	netsh.exe
4084	netsh.exe
1116	netsh.exe
4448	netsh.exe
4080	netsh.exe
4596	netsh.exe
680	netsh.exe
4648	netsh.exe
1512	netsh.exe
3532	netsh.exe
464	netsh.exe
3868	netsh.exe
3880	netsh.exe
936	netsh.exe
2652	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tlB046.tmpsvchost.exe~tl8809.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	~tlB046.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	~tl8809.tmp

Executes dropped EXE 8 IoCs

Processes:

svchost.exe~tlB046.tmpsvchost.exe~tl8809.tmpsvchost.exe~tl7CDF.tmpsvchost.exe~tlD429.tmp

pid process

2264 svchost.exe
1036 ~tlB046.tmp
4336 svchost.exe
1156 ~tl8809.tmp
1132 svchost.exe
4436 ~tl7CDF.tmp
4092 svchost.exe
3144 ~tlD429.tmp

pid	process
2264	svchost.exe
1036	~tlB046.tmp
4336	svchost.exe
1156	~tl8809.tmp
1132	svchost.exe
4436	~tl7CDF.tmp
4092	svchost.exe
3144	~tlD429.tmp

Drops file in System32 directory 16 IoCs

Processes:

powershell.exepowershell.exe~tl7CDF.tmppowershell.exepowershell.exesvchost.exepowershell.exesvchost.exe~tlD429.tmppowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl7CDF.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlD429.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\J8MVG8Q4.htm	~tlD429.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe

Drops file in Windows directory 9 IoCs

Processes:

~tlB046.tmpsvchost.exesvchost_dump_SCY - Copy.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	~tlB046.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	~tlB046.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1464 schtasks.exe
1644 schtasks.exe

pid	process
1464	schtasks.exe
1644	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl7CDF.tmppowershell.exesvchost.exe~tlD429.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl7CDF.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	~tlD429.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tlB046.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl8809.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl7CDF.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlD429.tmppowershell.exepowershell.exe

pid	process
1644	powershell.exe
436	powershell.exe
436	powershell.exe
1644	powershell.exe
3312	svchost_dump_SCY - Copy.exe
3312	svchost_dump_SCY - Copy.exe
1028	powershell.exe
1028	powershell.exe
5056	powershell.exe
5056	powershell.exe
1036	~tlB046.tmp
1036	~tlB046.tmp
2044	powershell.exe
2044	powershell.exe
1368	powershell.exe
1368	powershell.exe
1036	~tlB046.tmp
1036	~tlB046.tmp
4336	svchost.exe
4336	svchost.exe
4908	powershell.exe
4908	powershell.exe
2224	powershell.exe
2224	powershell.exe
1156	~tl8809.tmp
1156	~tl8809.tmp
4432	powershell.exe
4432	powershell.exe
4712	powershell.exe
4712	powershell.exe
1132	svchost.exe
1132	svchost.exe
3776	powershell.exe
3776	powershell.exe
228	powershell.exe
228	powershell.exe
4436	~tl7CDF.tmp
4436	~tl7CDF.tmp
4092	powershell.exe
4092	powershell.exe
3956	powershell.exe
3956	powershell.exe
4092	svchost.exe
4092	svchost.exe
4524	powershell.exe
4524	powershell.exe
5084	powershell.exe
5084	powershell.exe
3144	~tlD429.tmp
3144	~tlD429.tmp
1152	powershell.exe
3512	powershell.exe
3512	powershell.exe
1152	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe
Token: 36	2100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe
Token: 36	2100	WMIC.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeIncreaseQuotaPrivilege	516	WMIC.exe
Token: SeSecurityPrivilege	516	WMIC.exe
Token: SeTakeOwnershipPrivilege	516	WMIC.exe
Token: SeLoadDriverPrivilege	516	WMIC.exe
Token: SeSystemProfilePrivilege	516	WMIC.exe
Token: SeSystemtimePrivilege	516	WMIC.exe
Token: SeProfSingleProcessPrivilege	516	WMIC.exe
Token: SeIncBasePriorityPrivilege	516	WMIC.exe
Token: SeCreatePagefilePrivilege	516	WMIC.exe
Token: SeBackupPrivilege	516	WMIC.exe
Token: SeRestorePrivilege	516	WMIC.exe
Token: SeShutdownPrivilege	516	WMIC.exe
Token: SeDebugPrivilege	516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	516	WMIC.exe
Token: SeRemoteShutdownPrivilege	516	WMIC.exe
Token: SeUndockPrivilege	516	WMIC.exe
Token: SeManageVolumePrivilege	516	WMIC.exe
Token: 33	516	WMIC.exe
Token: 34	516	WMIC.exe
Token: 35	516	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tlB046.tmpsvchost.exe~tl8809.tmp

description	pid	process	target process
PID 3312 wrote to memory of 2100	3312	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3312 wrote to memory of 2100	3312	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 3312 wrote to memory of 1592	3312	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3312 wrote to memory of 1592	3312	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3312 wrote to memory of 4648	3312	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3312 wrote to memory of 4648	3312	svchost_dump_SCY - Copy.exe	netsh.exe
PID 3312 wrote to memory of 1644	3312	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3312 wrote to memory of 1644	3312	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3312 wrote to memory of 436	3312	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3312 wrote to memory of 436	3312	svchost_dump_SCY - Copy.exe	powershell.exe
PID 3312 wrote to memory of 2600	3312	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3312 wrote to memory of 2600	3312	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3312 wrote to memory of 1464	3312	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3312 wrote to memory of 1464	3312	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 3312 wrote to memory of 2264	3312	svchost_dump_SCY - Copy.exe	svchost.exe
PID 3312 wrote to memory of 2264	3312	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2264 wrote to memory of 516	2264	svchost.exe	WMIC.exe
PID 2264 wrote to memory of 516	2264	svchost.exe	WMIC.exe
PID 2264 wrote to memory of 4448	2264	svchost.exe	netsh.exe
PID 2264 wrote to memory of 4448	2264	svchost.exe	netsh.exe
PID 2264 wrote to memory of 556	2264	svchost.exe	netsh.exe
PID 2264 wrote to memory of 556	2264	svchost.exe	netsh.exe
PID 2264 wrote to memory of 1028	2264	svchost.exe	powershell.exe
PID 2264 wrote to memory of 1028	2264	svchost.exe	powershell.exe
PID 2264 wrote to memory of 5056	2264	svchost.exe	powershell.exe
PID 2264 wrote to memory of 5056	2264	svchost.exe	powershell.exe
PID 2264 wrote to memory of 1036	2264	svchost.exe	~tlB046.tmp
PID 2264 wrote to memory of 1036	2264	svchost.exe	~tlB046.tmp
PID 1036 wrote to memory of 996	1036	~tlB046.tmp	netsh.exe
PID 1036 wrote to memory of 996	1036	~tlB046.tmp	netsh.exe
PID 1036 wrote to memory of 3868	1036	~tlB046.tmp	netsh.exe
PID 1036 wrote to memory of 3868	1036	~tlB046.tmp	netsh.exe
PID 1036 wrote to memory of 3880	1036	~tlB046.tmp	netsh.exe
PID 1036 wrote to memory of 3880	1036	~tlB046.tmp	netsh.exe
PID 1036 wrote to memory of 2044	1036	~tlB046.tmp	powershell.exe
PID 1036 wrote to memory of 2044	1036	~tlB046.tmp	powershell.exe
PID 1036 wrote to memory of 1368	1036	~tlB046.tmp	powershell.exe
PID 1036 wrote to memory of 1368	1036	~tlB046.tmp	powershell.exe
PID 1036 wrote to memory of 4236	1036	~tlB046.tmp	schtasks.exe
PID 1036 wrote to memory of 4236	1036	~tlB046.tmp	schtasks.exe
PID 1036 wrote to memory of 1644	1036	~tlB046.tmp	schtasks.exe
PID 1036 wrote to memory of 1644	1036	~tlB046.tmp	schtasks.exe
PID 1036 wrote to memory of 4336	1036	~tlB046.tmp	svchost.exe
PID 1036 wrote to memory of 4336	1036	~tlB046.tmp	svchost.exe
PID 4336 wrote to memory of 3328	4336	svchost.exe	netsh.exe
PID 4336 wrote to memory of 3328	4336	svchost.exe	netsh.exe
PID 4336 wrote to memory of 4080	4336	svchost.exe	netsh.exe
PID 4336 wrote to memory of 4080	4336	svchost.exe	netsh.exe
PID 4336 wrote to memory of 936	4336	svchost.exe	netsh.exe
PID 4336 wrote to memory of 936	4336	svchost.exe	netsh.exe
PID 4336 wrote to memory of 4908	4336	svchost.exe	powershell.exe
PID 4336 wrote to memory of 4908	4336	svchost.exe	powershell.exe
PID 4336 wrote to memory of 2224	4336	svchost.exe	powershell.exe
PID 4336 wrote to memory of 2224	4336	svchost.exe	powershell.exe
PID 4336 wrote to memory of 1156	4336	svchost.exe	~tl8809.tmp
PID 4336 wrote to memory of 1156	4336	svchost.exe	~tl8809.tmp
PID 1156 wrote to memory of 1912	1156	~tl8809.tmp	netsh.exe
PID 1156 wrote to memory of 1912	1156	~tl8809.tmp	netsh.exe
PID 1156 wrote to memory of 1512	1156	~tl8809.tmp	netsh.exe
PID 1156 wrote to memory of 1512	1156	~tl8809.tmp	netsh.exe
PID 1156 wrote to memory of 3532	1156	~tl8809.tmp	netsh.exe
PID 1156 wrote to memory of 3532	1156	~tl8809.tmp	netsh.exe
PID 1156 wrote to memory of 4432	1156	~tl8809.tmp	powershell.exe
PID 1156 wrote to memory of 4432	1156	~tl8809.tmp	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1592

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2600

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1464

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4448

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Users\Admin\AppData\Local\Temp\~tlB046.tmp
C:\Users\Admin\AppData\Local\Temp\~tlB046.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:996

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3868

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:4236

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3328

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4080

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Users\Admin\AppData\Local\Temp\~tl8809.tmp
C:\Users\Admin\AppData\Local\Temp\~tl8809.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1912

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1512

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:612

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:464

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\TEMP\~tl7CDF.tmp
C:\Windows\TEMP\~tl7CDF.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4624

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2652

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:392

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1116

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Windows\TEMP\~tlD429.tmp
C:\Windows\TEMP\~tlD429.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:5096

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1356

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab24765a7393bd3cef8acbf0a617fba2

SHA1
ef2c12a457a11f6204344afed09a39f4d3e803cb

SHA256
3a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47

SHA512
e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1jichse.5l1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl8809.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlB046.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.6MB

MD5
fae81f148a47b61ec45552bf3838d20d

SHA1
e435e415def4f5d74926ffe14a24700672bf2776

SHA256
7c1ed917dd5aa8af08dc900d7637e95f305e50f1341ff9ea259e93ae6bea13ce

SHA512
3d2461a22f3479b8f949be39a0584a1a43efd873dfac700da099bdf521d9ab89cf8fdea110e6a4b0d0e1ad5e2b1cca4192b1b2a0e5e9a4afe49b27307a06452c

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
536B

MD5
cafb71d95af33af1c725ee8d9360e5ca

SHA1
50c3301a2e79365d9b6337484a8c4f47a2ffbac8

SHA256
c24a9d74309fc9a135f277501a6b1c13a098ee4628d34ff7402f24bd8feebbc8

SHA512
fff39dab765e208c5dea9d526404c19fddf0133756cdb3283d8ca28950faff028d2cb2ac99d9557ee8cf8b01ed24c7264fb2414a6722004fc7a9d37c9d0da919

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6494311bccf8e3d2d71012d83579d25d

SHA1
6506537ba1cdae2d53537fee1e773b70a362952b

SHA256
7886bd67277429059000b622d932e1a177e9677690a8e2c27d7bcb168da96388

SHA512
159810bfbf60a017bd9fbf877f96bc0c1621461020a8b59173a69f45880e4689a3a324b38b19e04c6e00a2a8467e23d14aa3f9d9e00a9c290ed9950c64f94e2f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
793B

MD5
41d71092d3b52f06f4351cae92b89cef

SHA1
6ca51e48b2ac2542fd1ca585ca9396b7a8750a62

SHA256
eb624d82c2b770d04284150d9d15848ea193c5f9b927d7662eb611d9bb40684b

SHA512
3adf3929d54dd7ba35be0459f6f9f9da3b962c2487ae4b747ea76952026e81e4c2ace5f54f047808be383d81efc53e0329f6e56995ee8f785af12940983b3be1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3af6b6752764b70e843397de266e5e5

SHA1
067a680a02a8eab0ce869b9d7adcecde95668b33

SHA256
a6187a6b67113725ad9c54050be51232ee15408e6fac2b8a6166e87af04689c4

SHA512
de1e1af659dd1ebb18ca008ea3103f14b66396c7af2a0a73e999d05d5572cafbe1f84816e330953e2f4d136fecad983a03f747480c9ddb92895204b34fe232e2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
05264067780a4a2b4c1fc8a0c3fc6983

SHA1
2085d6e446ea9ac9ba890503dcfe4c2c8986dc93

SHA256
597580578b1326c528b467ba82d20f02f62d11ebae0df1cb21ee4b1af6127b68

SHA512
2ca2723cf7c00c49994d6e27826a3b6280a9fd03f59ba38d8ffd38af279f11733714bd01d2560617181358e0b46a1972fc43be8bfe67f446c60ac1a906cf07ac

Download Submit
memory/228-320-0x000001C37A0E0000-0x000001C37A0F0000-memory.dmp

Filesize
64KB

Download
memory/228-319-0x00007FF4806C0000-0x00007FF4806D0000-memory.dmp

Filesize
64KB

Download
memory/228-285-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/228-318-0x000001C37C2A0000-0x000001C37C2AA000-memory.dmp

Filesize
40KB

Download
memory/228-286-0x000001C37A0E0000-0x000001C37A0F0000-memory.dmp

Filesize
64KB

Download
memory/228-288-0x000001C37A0E0000-0x000001C37A0F0000-memory.dmp

Filesize
64KB

Download
memory/436-15-0x00000155F18D0000-0x00000155F18E0000-memory.dmp

Filesize
64KB

Download
memory/436-33-0x00007FFB34900000-0x00007FFB353C1000-memory.dmp

Filesize
10.8MB

Download
memory/436-27-0x00000155F18D0000-0x00000155F18E0000-memory.dmp

Filesize
64KB

Download
memory/436-25-0x00007FFB34900000-0x00007FFB353C1000-memory.dmp

Filesize
10.8MB

Download
memory/436-14-0x00000155F18D0000-0x00000155F18E0000-memory.dmp

Filesize
64KB

Download
memory/1028-46-0x000001D83A990000-0x000001D83A9A0000-memory.dmp

Filesize
64KB

Download
memory/1028-45-0x00007FFB346D0000-0x00007FFB35191000-memory.dmp

Filesize
10.8MB

Download
memory/1028-47-0x000001D83A990000-0x000001D83A9A0000-memory.dmp

Filesize
64KB

Download
memory/1028-71-0x00007FFB346D0000-0x00007FFB35191000-memory.dmp

Filesize
10.8MB

Download
memory/1036-134-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1036-132-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1036-133-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1036-131-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1036-178-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1036-128-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1132-270-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1132-344-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1132-272-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1132-336-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1156-253-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1156-216-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1156-218-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1156-219-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1156-220-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1156-221-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1368-150-0x000002407CF90000-0x000002407CFA0000-memory.dmp

Filesize
64KB

Download
memory/1368-149-0x000002407CF90000-0x000002407CFA0000-memory.dmp

Filesize
64KB

Download
memory/1368-164-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/1368-148-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/1644-12-0x00000191F24D0000-0x00000191F24E0000-memory.dmp

Filesize
64KB

Download
memory/1644-10-0x00000191F3410000-0x00000191F3432000-memory.dmp

Filesize
136KB

Download
memory/1644-11-0x00007FFB34900000-0x00007FFB353C1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-13-0x00000191F24D0000-0x00000191F24E0000-memory.dmp

Filesize
64KB

Download
memory/1644-34-0x00007FFB34900000-0x00007FFB353C1000-memory.dmp

Filesize
10.8MB

Download
memory/2044-135-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/2044-136-0x000001E821950000-0x000001E821960000-memory.dmp

Filesize
64KB

Download
memory/2044-161-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/2044-137-0x000001E821950000-0x000001E821960000-memory.dmp

Filesize
64KB

Download
memory/2224-193-0x000002702E3A0000-0x000002702E3B0000-memory.dmp

Filesize
64KB

Download
memory/2224-208-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/2224-199-0x000002702E3A0000-0x000002702E3B0000-memory.dmp

Filesize
64KB

Download
memory/2224-192-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/2264-76-0x0000000031C20000-0x0000000032102000-memory.dmp

Filesize
4.9MB

Download
memory/2264-43-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2264-75-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2264-130-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3312-26-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3312-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3312-44-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/3776-308-0x000001C3F0BA0000-0x000001C3F0C55000-memory.dmp

Filesize
724KB

Download
memory/3776-307-0x000001C3EE330000-0x000001C3EE34C000-memory.dmp

Filesize
112KB

Download
memory/3776-275-0x000001C3EE820000-0x000001C3EE830000-memory.dmp

Filesize
64KB

Download
memory/3776-274-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/4336-176-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4336-177-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4336-179-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4336-217-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4432-222-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/4432-248-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/4432-223-0x0000021389480000-0x0000021389490000-memory.dmp

Filesize
64KB

Download
memory/4432-224-0x0000021389480000-0x0000021389490000-memory.dmp

Filesize
64KB

Download
memory/4436-404-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4436-348-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4712-236-0x000001B626A80000-0x000001B626A90000-memory.dmp

Filesize
64KB

Download
memory/4712-237-0x000001B626A80000-0x000001B626A90000-memory.dmp

Filesize
64KB

Download
memory/4712-235-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/4712-251-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/4908-205-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/4908-181-0x000001C6F1A90000-0x000001C6F1AA0000-memory.dmp

Filesize
64KB

Download
memory/4908-180-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp

Filesize
10.8MB

Download
memory/5056-74-0x00007FFB346D0000-0x00007FFB35191000-memory.dmp

Filesize
10.8MB

Download
memory/5056-66-0x0000025F416C0000-0x0000025F416D0000-memory.dmp

Filesize
64KB

Download
memory/5056-63-0x00007FFB346D0000-0x00007FFB35191000-memory.dmp

Filesize
10.8MB

Download
memory/5056-64-0x0000025F416C0000-0x0000025F416D0000-memory.dmp

Filesize
64KB

Download