a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1200s
max time network
1207s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1276	netsh.exe
2184	netsh.exe
4800	netsh.exe
4888	netsh.exe
4044	netsh.exe
4812	netsh.exe
2768	netsh.exe
2612	netsh.exe
316	netsh.exe
4440	netsh.exe
528	netsh.exe
720	netsh.exe
236	netsh.exe
4376	netsh.exe

Executes dropped EXE 9 IoCs

Processes:

svchost.exe~tlFD1F.tmpsvchost.exe~tl6F33.tmp~tlCE41.tmpsvchost.exe~tlB2B5.tmpsvchost.exe~tl1FE8.tmp

pid process

3744 svchost.exe
2020 ~tlFD1F.tmp
1600 svchost.exe
4648 ~tl6F33.tmp
2924 ~tlCE41.tmp
4796 svchost.exe
424 ~tlB2B5.tmp
4312 svchost.exe
4260 ~tl1FE8.tmp

pid	process
3744	svchost.exe
2020	~tlFD1F.tmp
1600	svchost.exe
4648	~tl6F33.tmp
2924	~tlCE41.tmp
4796	svchost.exe
424	~tlB2B5.tmp
4312	svchost.exe
4260	~tl1FE8.tmp

Drops file in System32 directory 34 IoCs

Processes:

svchost.exesvchost.exe~tlCE41.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exe~tlB2B5.tmp~tl1FE8.tmppowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\torproject\Arti\cache\dir.sqlite3-journal	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\torproject\Arti\data\state\circuit_timeouts.tmp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlCE41.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlB2B5.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl1FE8.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl1FE8.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\torproject\Arti\data\state\state.lock	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\torproject\Arti\cache\dir.lock	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\torproject\Arti\cache\dir.sqlite3	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlB2B5.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\9KQ6BOOZ.htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\torproject\Arti\data\state\guards.tmp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\torproject\Arti\cache\dir_blobs\con_microdesc_sha3-256-d956d244a33d013d9095f568a5bf9b3ac42f98026c5a1f090e4784d75b8238bb.tmp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlCE41.tmp

Drops file in Windows directory 11 IoCs

Processes:

~tlCE41.tmpsvchost.exetmp.exesvchost.exe~tlFD1F.tmpsvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	~tlCE41.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tlCE41.tmp
File created	C:\Windows\System\svchost.exe	~tlFD1F.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	~tlFD1F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1312 schtasks.exe
712 schtasks.exe

pid	process
1312	schtasks.exe
712	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe~tlB2B5.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenetsh.exepowershell.exepowershell.exenetsh.exepowershell.exesvchost.exesvchost.exepowershell.exenetsh.exenetsh.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tlB2B5.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tlFD1F.tmppowershell.exepowershell.exepowershell.exepowershell.exe~tl6F33.tmppowershell.exepowershell.exe~tlCE41.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlB2B5.tmppowershell.exepowershell.exe

pid	process
4368	powershell.exe
4368	powershell.exe
4368	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
828	tmp.exe
828	tmp.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
928	powershell.exe
928	powershell.exe
928	powershell.exe
2020	~tlFD1F.tmp
2020	~tlFD1F.tmp
2556	powershell.exe
1548	powershell.exe
1548	powershell.exe
2556	powershell.exe
2556	powershell.exe
1548	powershell.exe
2020	~tlFD1F.tmp
2020	~tlFD1F.tmp
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe
4648	~tl6F33.tmp
4648	~tl6F33.tmp
1508	powershell.exe
4180	powershell.exe
1508	powershell.exe
4180	powershell.exe
4180	powershell.exe
1508	powershell.exe
2924	~tlCE41.tmp
2924	~tlCE41.tmp
3368	powershell.exe
4900	powershell.exe
3368	powershell.exe
4900	powershell.exe
3368	powershell.exe
4900	powershell.exe
2924	~tlCE41.tmp
2924	~tlCE41.tmp
4796	svchost.exe
4796	svchost.exe
4584	powershell.exe
3020	powershell.exe
3020	powershell.exe
4584	powershell.exe
4584	powershell.exe
3020	powershell.exe
424	~tlB2B5.tmp
424	~tlB2B5.tmp
1876	powershell.exe
1876	powershell.exe
1876	powershell.exe
420	powershell.exe
420	powershell.exe
420	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4368	powershell.exe
Token: SeSecurityPrivilege	4368	powershell.exe
Token: SeTakeOwnershipPrivilege	4368	powershell.exe
Token: SeLoadDriverPrivilege	4368	powershell.exe
Token: SeSystemProfilePrivilege	4368	powershell.exe
Token: SeSystemtimePrivilege	4368	powershell.exe
Token: SeProfSingleProcessPrivilege	4368	powershell.exe
Token: SeIncBasePriorityPrivilege	4368	powershell.exe
Token: SeCreatePagefilePrivilege	4368	powershell.exe
Token: SeBackupPrivilege	4368	powershell.exe
Token: SeRestorePrivilege	4368	powershell.exe
Token: SeShutdownPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeSystemEnvironmentPrivilege	4368	powershell.exe
Token: SeRemoteShutdownPrivilege	4368	powershell.exe
Token: SeUndockPrivilege	4368	powershell.exe
Token: SeManageVolumePrivilege	4368	powershell.exe
Token: 33	4368	powershell.exe
Token: 34	4368	powershell.exe
Token: 35	4368	powershell.exe
Token: 36	4368	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4608	powershell.exe
Token: SeSecurityPrivilege	4608	powershell.exe
Token: SeTakeOwnershipPrivilege	4608	powershell.exe
Token: SeLoadDriverPrivilege	4608	powershell.exe
Token: SeSystemProfilePrivilege	4608	powershell.exe
Token: SeSystemtimePrivilege	4608	powershell.exe
Token: SeProfSingleProcessPrivilege	4608	powershell.exe
Token: SeIncBasePriorityPrivilege	4608	powershell.exe
Token: SeCreatePagefilePrivilege	4608	powershell.exe
Token: SeBackupPrivilege	4608	powershell.exe
Token: SeRestorePrivilege	4608	powershell.exe
Token: SeShutdownPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeSystemEnvironmentPrivilege	4608	powershell.exe
Token: SeRemoteShutdownPrivilege	4608	powershell.exe
Token: SeUndockPrivilege	4608	powershell.exe
Token: SeManageVolumePrivilege	4608	powershell.exe
Token: 33	4608	powershell.exe
Token: 34	4608	powershell.exe
Token: 35	4608	powershell.exe
Token: 36	4608	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeIncreaseQuotaPrivilege	2556	powershell.exe
Token: SeSecurityPrivilege	2556	powershell.exe
Token: SeTakeOwnershipPrivilege	2556	powershell.exe
Token: SeLoadDriverPrivilege	2556	powershell.exe
Token: SeSystemProfilePrivilege	2556	powershell.exe
Token: SeSystemtimePrivilege	2556	powershell.exe
Token: SeProfSingleProcessPrivilege	2556	powershell.exe
Token: SeIncBasePriorityPrivilege	2556	powershell.exe
Token: SeCreatePagefilePrivilege	2556	powershell.exe
Token: SeBackupPrivilege	2556	powershell.exe
Token: SeRestorePrivilege	2556	powershell.exe
Token: SeShutdownPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeSystemEnvironmentPrivilege	2556	powershell.exe
Token: SeRemoteShutdownPrivilege	2556	powershell.exe
Token: SeUndockPrivilege	2556	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tlFD1F.tmpsvchost.exe~tl6F33.tmp~tlCE41.tmpsvchost.exe

description	pid	process	target process
PID 828 wrote to memory of 4368	828	tmp.exe	powershell.exe
PID 828 wrote to memory of 4368	828	tmp.exe	powershell.exe
PID 828 wrote to memory of 1020	828	tmp.exe	powershell.exe
PID 828 wrote to memory of 1020	828	tmp.exe	powershell.exe
PID 828 wrote to memory of 2776	828	tmp.exe	schtasks.exe
PID 828 wrote to memory of 2776	828	tmp.exe	schtasks.exe
PID 828 wrote to memory of 1312	828	tmp.exe	schtasks.exe
PID 828 wrote to memory of 1312	828	tmp.exe	schtasks.exe
PID 828 wrote to memory of 3744	828	tmp.exe	svchost.exe
PID 828 wrote to memory of 3744	828	tmp.exe	svchost.exe
PID 3744 wrote to memory of 4608	3744	svchost.exe	powershell.exe
PID 3744 wrote to memory of 4608	3744	svchost.exe	powershell.exe
PID 3744 wrote to memory of 928	3744	svchost.exe	powershell.exe
PID 3744 wrote to memory of 928	3744	svchost.exe	powershell.exe
PID 3744 wrote to memory of 2020	3744	svchost.exe	~tlFD1F.tmp
PID 3744 wrote to memory of 2020	3744	svchost.exe	~tlFD1F.tmp
PID 2020 wrote to memory of 2776	2020	~tlFD1F.tmp	netsh.exe
PID 2020 wrote to memory of 2776	2020	~tlFD1F.tmp	netsh.exe
PID 2020 wrote to memory of 236	2020	~tlFD1F.tmp	netsh.exe
PID 2020 wrote to memory of 236	2020	~tlFD1F.tmp	netsh.exe
PID 2020 wrote to memory of 4044	2020	~tlFD1F.tmp	netsh.exe
PID 2020 wrote to memory of 4044	2020	~tlFD1F.tmp	netsh.exe
PID 2020 wrote to memory of 2556	2020	~tlFD1F.tmp	powershell.exe
PID 2020 wrote to memory of 2556	2020	~tlFD1F.tmp	powershell.exe
PID 2020 wrote to memory of 1548	2020	~tlFD1F.tmp	powershell.exe
PID 2020 wrote to memory of 1548	2020	~tlFD1F.tmp	powershell.exe
PID 2020 wrote to memory of 4648	2020	~tlFD1F.tmp	~tl6F33.tmp
PID 2020 wrote to memory of 4648	2020	~tlFD1F.tmp	~tl6F33.tmp
PID 1600 wrote to memory of 4400	1600	svchost.exe	powershell.exe
PID 1600 wrote to memory of 4400	1600	svchost.exe	powershell.exe
PID 1600 wrote to memory of 4556	1600	svchost.exe	powershell.exe
PID 1600 wrote to memory of 4556	1600	svchost.exe	powershell.exe
PID 4648 wrote to memory of 3580	4648	~tl6F33.tmp	netsh.exe
PID 4648 wrote to memory of 3580	4648	~tl6F33.tmp	netsh.exe
PID 4648 wrote to memory of 1276	4648	~tl6F33.tmp	netsh.exe
PID 4648 wrote to memory of 1276	4648	~tl6F33.tmp	netsh.exe
PID 4648 wrote to memory of 316	4648	~tl6F33.tmp	netsh.exe
PID 4648 wrote to memory of 316	4648	~tl6F33.tmp	netsh.exe
PID 4648 wrote to memory of 1508	4648	~tl6F33.tmp	powershell.exe
PID 4648 wrote to memory of 1508	4648	~tl6F33.tmp	powershell.exe
PID 4648 wrote to memory of 4180	4648	~tl6F33.tmp	powershell.exe
PID 4648 wrote to memory of 4180	4648	~tl6F33.tmp	powershell.exe
PID 1600 wrote to memory of 2924	1600	svchost.exe	~tlCE41.tmp
PID 1600 wrote to memory of 2924	1600	svchost.exe	~tlCE41.tmp
PID 2924 wrote to memory of 1604	2924	~tlCE41.tmp	netsh.exe
PID 2924 wrote to memory of 1604	2924	~tlCE41.tmp	netsh.exe
PID 2924 wrote to memory of 4440	2924	~tlCE41.tmp	netsh.exe
PID 2924 wrote to memory of 4440	2924	~tlCE41.tmp	netsh.exe
PID 2924 wrote to memory of 528	2924	~tlCE41.tmp	netsh.exe
PID 2924 wrote to memory of 528	2924	~tlCE41.tmp	netsh.exe
PID 2924 wrote to memory of 3368	2924	~tlCE41.tmp	powershell.exe
PID 2924 wrote to memory of 3368	2924	~tlCE41.tmp	powershell.exe
PID 2924 wrote to memory of 4900	2924	~tlCE41.tmp	powershell.exe
PID 2924 wrote to memory of 4900	2924	~tlCE41.tmp	powershell.exe
PID 2924 wrote to memory of 1600	2924	~tlCE41.tmp	schtasks.exe
PID 2924 wrote to memory of 1600	2924	~tlCE41.tmp	schtasks.exe
PID 2924 wrote to memory of 712	2924	~tlCE41.tmp	schtasks.exe
PID 2924 wrote to memory of 712	2924	~tlCE41.tmp	schtasks.exe
PID 2924 wrote to memory of 4796	2924	~tlCE41.tmp	svchost.exe
PID 2924 wrote to memory of 4796	2924	~tlCE41.tmp	svchost.exe
PID 4796 wrote to memory of 2244	4796	svchost.exe	netsh.exe
PID 4796 wrote to memory of 2244	4796	svchost.exe	netsh.exe
PID 4796 wrote to memory of 2184	4796	svchost.exe	netsh.exe
PID 4796 wrote to memory of 2184	4796	svchost.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2776

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Users\Admin\AppData\Local\Temp\~tlFD1F.tmp
C:\Users\Admin\AppData\Local\Temp\~tlFD1F.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2776

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:236

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\~tl6F33.tmp
C:\Users\Admin\AppData\Local\Temp\~tl6F33.tmp
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3580

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1276

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4556

C:\Windows\TEMP\~tlCE41.tmp
C:\Windows\TEMP\~tlCE41.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:1604

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4440

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
3⤵
PID:1600

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:712

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2244

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2184

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\TEMP\~tlB2B5.tmp
C:\Windows\TEMP\~tlB2B5.tmp
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:424

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
- Modifies data under HKEY_USERS
PID:4752

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4376

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:420

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4312

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2324

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2768

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4232

C:\Windows\TEMP\~tl1FE8.tmp
C:\Windows\TEMP\~tl1FE8.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4260

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2864

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2612

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
cd5b15b46b9fe0d89c2b8d351c303d2a

SHA1
e1d30a8f98585e20c709732c013e926c7078a3c2

SHA256
0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

SHA512
d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f27c55e6a180164ef36599db498a834

SHA1
bc9d15c126b50d9ce03ace640c23d48c1dd1d6da

SHA256
6a3d77b71a34b2bbb7867b426303fbd795f2610d8830043ab4ebd03f6e63192d

SHA512
8e4cf1a7a952fadbc8fa11dca6a26d9883073f12a0f4a63c03ddf3dc668e08381a1ad98dfef8fc67a71b6f8d37bf4b6684be070845b3c42201d3eae1c8d6139c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
668B

MD5
ae8559eaca8b64fd9ccd46122b7bbf53

SHA1
9eb68e8684bd35bd9f68bfd3203d17e83a560247

SHA256
b4b026c279085a84b6aa7e75aef21cf3aa42a8785f212fc0ff7756597f250f98

SHA512
f3300ca0ee08b7f0043ef1c659807fa9eaa9fa143e1183dd8058a2aaa198fac4d74e3adc63a29970f26cf46642ced7ffbe5b1a3f059e595bd18bb6db8325aac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4cb9d67da56362f116f4be1041ae412d

SHA1
355d28ef9ea6b542e0c1088ddef2bede60d9a1f3

SHA256
6c17936f78996db83b6a3b78665d2615900063a01aab4c3e150fcc1175eaaca6

SHA512
e38827bc9c8f0fbd9688ab388c56ff66fd225a5484c9005845d9357f86d366d0deeab4c03ea35039364e85e1f6441e7dd405e53683d44d0f1d3ed04390fbe09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca1c67909908be18284a33f3d873de7c

SHA1
8726892b658d2b5b3a04eacb23e5498a00d6de18

SHA256
c36a2bb346288d04d07487ccbf0b7311d46452372f36a902dfc72747e1527845

SHA512
77badd349b7cf23f6e270bd824fbb7f188d0762304974e6dcc7fb817950c1cbb878347b4febea4172d9440365d958b87421c1011c266a82a895d54fdcf31b192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d81e3a7a3743b7b795ef103be426bc5e

SHA1
d6c1e092fa9c2d64f59d8294a5cac9550ad5eb6c

SHA256
6d1616c194c83fb2e282b72c12ae8747a61189926aa1fd198cef10f0c8f9edd4

SHA512
e0cd01d3213525ce5cb9998c9fe6fed69d0269f73bf043a3202045f4879aa532d9f5428fcdb5ed011290efd525196683b19ca240cee09a1b2ba2bdb2701238fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oz3nlu2l.wat.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl6F33.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlFD1F.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\torproject\Arti\data\state\circuit_timeouts.tmp

Filesize
65B

MD5
b2b738c82cdfbf56440274e03a50c9f8

SHA1
5c1a0274017a666f069980c3c5a6220026cd3336

SHA256
9dbe12675e515f32f07aea11cc9f8bea69b3f143b3d825d98ca1ef41b2988ee7

SHA512
d4c9dbca06de019b7ea2519e24ad603d6283c3f0aa7f9d97b9b014861f54d9cfb4f6a295b48d6bf69f2ee122668709df175afcf8f90b0e7e67a3e643f28e84e8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\torproject\Arti\data\state\guards.tmp

Filesize
121B

MD5
bd45eb55dc8a46aa313e7f68dd9cf953

SHA1
c6b7653ca38370cd639678a925802d1cd8a282eb

SHA256
a2c2287ea6aa4ba07c2c1ab66268828c011a5d9cacef6dba1179a6bd196c2c3d

SHA512
058ffd60fa2aa2ab14022c0628d72a47440ad99bdfc82f8e6a4e303febde74514bda8e3064c015f57c63760462ca1193ee858040ce85cf8182d638d888e9cb71

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3364fbee2ece1510fc2e843961e6bc93

SHA1
e7ac5d7d1cdcd415e0fc572d5548d35bcbdfdfb1

SHA256
e9bd2685dacc5277fc82f4ad61a9b8593bd9cc400d6245d29b40c2333898b16c

SHA512
e14717ff0306103402a9c3d23b87df2c4dfd584242f43324d014fa7180993c2f0634d894a9f794edd28b711caca30e6a316427b4beb1c28d9c1d556a24bee2ef

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00268b5320e237097f5f34d54d0e1639

SHA1
6edf97a2e9c292d8d7458347aea40cb26819b0cf

SHA256
a5d49191293cba8943cfc46bb9e6d22f4832d830bdc3fa30f523ec98280e6c73

SHA512
0efa5fe5446d164791c371be71ad7ff37c10e5ddbda19e1ac7502fb4f3aaf5b569ffde7353b4a9a39a8267855bd3e7f6950d62213911107c42c00bc502f5f5f9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a49c7cccb9646313a3e0a34f4e89c470

SHA1
609856a04383c6f74a313f683371d87b9360a9be

SHA256
f320cc57a74a762fd5a0671d4706933bdbc2701c6231e8d56430f98fca4d1d1e

SHA512
31526bfe913654947945b8281bd527941ec15890f0bfe07d2137574780c7b89af10d8170ebff2c876e9b6d51470d8f25f3ca1d08135eecccb69bb6e15727062c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc468c6b7e2a740f360d0e3cab0c299f

SHA1
b29c0effcd9f68921511d0ae9e835f33559c72ef

SHA256
7ba41fa590ec295223275b375fd1bcea7449dc62109d6ea3d286ed7752ba2a3f

SHA512
e343100627d3675e08264157ebb72c9a96dfe32aa4ffe25d8346f0dfc1d4263b9951af6e4b79ebdc1e0fb696620f94c16c641a7b8901f228eb7db55bdff97eb8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13ce9ceca4c790047cc87f00c68dceab

SHA1
773d4dbc2c028f115c9e7a15b220868fe6607b5f

SHA256
fb913170b3ce01e039d21928ef8a8891a2052fbd106b2d7f0a98c083e7f9a470

SHA512
756487c0fcf8c525570e7bf190a2085c785d03870e47c031f76922768a113b446a33c0a7bcbb0f100cd0c7e27f71423cba41efef5dd58b3fb590cb38870c5ca7

Download Submit
memory/828-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/828-10-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/828-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/828-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/828-122-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/828-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/828-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/928-152-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/928-163-0x000001F8FEE80000-0x000001F8FEE90000-memory.dmp

Filesize
64KB

Download
memory/928-192-0x000001F8FEE80000-0x000001F8FEE90000-memory.dmp

Filesize
64KB

Download
memory/928-226-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/928-222-0x000001F8FEE80000-0x000001F8FEE90000-memory.dmp

Filesize
64KB

Download
memory/928-161-0x000001F8FEE80000-0x000001F8FEE90000-memory.dmp

Filesize
64KB

Download
memory/1020-33-0x000001D046750000-0x000001D046760000-memory.dmp

Filesize
64KB

Download
memory/1020-28-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/1020-31-0x000001D046750000-0x000001D046760000-memory.dmp

Filesize
64KB

Download
memory/1020-105-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/1020-68-0x000001D046750000-0x000001D046760000-memory.dmp

Filesize
64KB

Download
memory/1020-99-0x000001D046750000-0x000001D046760000-memory.dmp

Filesize
64KB

Download
memory/1548-374-0x00000216F0100000-0x00000216F0110000-memory.dmp

Filesize
64KB

Download
memory/1548-335-0x00000216F0100000-0x00000216F0110000-memory.dmp

Filesize
64KB

Download
memory/1548-413-0x00000216F0100000-0x00000216F0110000-memory.dmp

Filesize
64KB

Download
memory/1548-334-0x00000216F0100000-0x00000216F0110000-memory.dmp

Filesize
64KB

Download
memory/1548-332-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-419-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-425-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1600-320-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1600-321-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2020-303-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2020-315-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2020-433-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2020-302-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2020-301-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2556-326-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-327-0x000002CBFCD70000-0x000002CBFCD80000-memory.dmp

Filesize
64KB

Download
memory/2556-328-0x000002CBFCD70000-0x000002CBFCD80000-memory.dmp

Filesize
64KB

Download
memory/2556-418-0x000002CBFCD70000-0x000002CBFCD80000-memory.dmp

Filesize
64KB

Download
memory/2556-366-0x000002CBFCD70000-0x000002CBFCD80000-memory.dmp

Filesize
64KB

Download
memory/2556-423-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-1296-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2924-969-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3744-119-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3744-121-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3744-227-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/3744-314-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3744-124-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4368-16-0x00000287B55C0000-0x00000287B55D0000-memory.dmp

Filesize
64KB

Download
memory/4368-13-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/4368-17-0x00000287B5750000-0x00000287B57C6000-memory.dmp

Filesize
472KB

Download
memory/4368-38-0x00000287B55C0000-0x00000287B55D0000-memory.dmp

Filesize
64KB

Download
memory/4368-106-0x00000287B55C0000-0x00000287B55D0000-memory.dmp

Filesize
64KB

Download
memory/4368-111-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/4368-15-0x00000287B55C0000-0x00000287B55D0000-memory.dmp

Filesize
64KB

Download
memory/4368-11-0x00000287B5560000-0x00000287B5582000-memory.dmp

Filesize
136KB

Download
memory/4400-460-0x000001B479A90000-0x000001B479AA0000-memory.dmp

Filesize
64KB

Download
memory/4400-583-0x000001B479A90000-0x000001B479AA0000-memory.dmp

Filesize
64KB

Download
memory/4400-465-0x00007FF6E6DF0000-0x00007FF6E6E00000-memory.dmp

Filesize
64KB

Download
memory/4400-466-0x000001B47A270000-0x000001B47A28C000-memory.dmp

Filesize
112KB

Download
memory/4400-459-0x000001B479A90000-0x000001B479AA0000-memory.dmp

Filesize
64KB

Download
memory/4400-584-0x000001B479A90000-0x000001B479AA0000-memory.dmp

Filesize
64KB

Download
memory/4400-458-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/4400-480-0x000001B47A470000-0x000001B47A529000-memory.dmp

Filesize
740KB

Download
memory/4400-526-0x000001B479D10000-0x000001B479D1A000-memory.dmp

Filesize
40KB

Download
memory/4556-477-0x00000243258E0000-0x00000243258F0000-memory.dmp

Filesize
64KB

Download
memory/4556-476-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/4556-478-0x00000243258E0000-0x00000243258F0000-memory.dmp

Filesize
64KB

Download
memory/4608-131-0x0000022287C70000-0x0000022287C80000-memory.dmp

Filesize
64KB

Download
memory/4608-130-0x0000022287C70000-0x0000022287C80000-memory.dmp

Filesize
64KB

Download
memory/4608-129-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/4608-200-0x00007FF9F4A60000-0x00007FF9F544C000-memory.dmp

Filesize
9.9MB

Download
memory/4608-193-0x0000022287C70000-0x0000022287C80000-memory.dmp

Filesize
64KB

Download
memory/4608-147-0x0000022287C70000-0x0000022287C80000-memory.dmp

Filesize
64KB

Download
memory/4648-436-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4648-432-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4648-434-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4648-435-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4648-439-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4648-878-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4796-1298-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download