a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1200s
max time network
1205s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1016	netsh.exe
400	netsh.exe
4716	netsh.exe
4936	netsh.exe
2164	netsh.exe
3388	netsh.exe
4056	netsh.exe
4700	netsh.exe
2780	netsh.exe
756	netsh.exe
3136	netsh.exe
2256	netsh.exe
2836	netsh.exe
4116	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe~tl5396.tmpsvchost.exe~tl376E.tmptmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	~tl5396.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	~tl376E.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 8 IoCs

Processes:

svchost.exe~tl5396.tmpsvchost.exe~tl376E.tmpsvchost.exe~tl976B.tmpsvchost.exe~tl2F9.tmp

pid process

4280 svchost.exe
5108 ~tl5396.tmp
768 svchost.exe
4508 ~tl376E.tmp
2968 svchost.exe
2272 ~tl976B.tmp
3764 svchost.exe
2732 ~tl2F9.tmp

pid	process
4280	svchost.exe
5108	~tl5396.tmp
768	svchost.exe
4508	~tl376E.tmp
2968	svchost.exe
2272	~tl976B.tmp
3764	svchost.exe
2732	~tl2F9.tmp

Drops file in System32 directory 16 IoCs

Processes:

powershell.exepowershell.exesvchost.exe~tl2F9.tmppowershell.exe~tl976B.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl2F9.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl976B.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe

Drops file in Windows directory 9 IoCs

Processes:

tmp.exe~tl5396.tmpsvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	~tl5396.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl5396.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4056 schtasks.exe
4724 schtasks.exe

pid	process
4056	schtasks.exe
4724	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe~tl976B.tmppowershell.exepowershell.exepowershell.exe~tl2F9.tmppowershell.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl976B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl976B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	~tl2F9.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tl5396.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl376E.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl976B.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl2F9.tmppowershell.exepowershell.exe

pid	process
3700	powershell.exe
3700	powershell.exe
4716	powershell.exe
4716	powershell.exe
4896	tmp.exe
4896	tmp.exe
1760	powershell.exe
1760	powershell.exe
1280	powershell.exe
1280	powershell.exe
5108	~tl5396.tmp
5108	~tl5396.tmp
1424	powershell.exe
3104	powershell.exe
1424	powershell.exe
3104	powershell.exe
5108	~tl5396.tmp
5108	~tl5396.tmp
768	svchost.exe
768	svchost.exe
4956	powershell.exe
4956	powershell.exe
1712	powershell.exe
1712	powershell.exe
4508	~tl376E.tmp
4508	~tl376E.tmp
3536	powershell.exe
1548	powershell.exe
3536	powershell.exe
1548	powershell.exe
2968	svchost.exe
2968	svchost.exe
2172	powershell.exe
2172	powershell.exe
3480	powershell.exe
3480	powershell.exe
2272	~tl976B.tmp
2272	~tl976B.tmp
1268	powershell.exe
4076	powershell.exe
4076	powershell.exe
1268	powershell.exe
3764	svchost.exe
3764	svchost.exe
1584	powershell.exe
1584	powershell.exe
2460	powershell.exe
2460	powershell.exe
2732	~tl2F9.tmp
2732	~tl2F9.tmp
1428	powershell.exe
1428	powershell.exe
2764	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tl5396.tmpsvchost.exe~tl376E.tmpsvchost.exe

description	pid	process	target process
PID 4896 wrote to memory of 3700	4896	tmp.exe	powershell.exe
PID 4896 wrote to memory of 3700	4896	tmp.exe	powershell.exe
PID 4896 wrote to memory of 4716	4896	tmp.exe	powershell.exe
PID 4896 wrote to memory of 4716	4896	tmp.exe	powershell.exe
PID 4896 wrote to memory of 1872	4896	tmp.exe	schtasks.exe
PID 4896 wrote to memory of 1872	4896	tmp.exe	schtasks.exe
PID 4896 wrote to memory of 4056	4896	tmp.exe	schtasks.exe
PID 4896 wrote to memory of 4056	4896	tmp.exe	schtasks.exe
PID 4896 wrote to memory of 4280	4896	tmp.exe	svchost.exe
PID 4896 wrote to memory of 4280	4896	tmp.exe	svchost.exe
PID 4280 wrote to memory of 1760	4280	svchost.exe	powershell.exe
PID 4280 wrote to memory of 1760	4280	svchost.exe	powershell.exe
PID 4280 wrote to memory of 1280	4280	svchost.exe	powershell.exe
PID 4280 wrote to memory of 1280	4280	svchost.exe	powershell.exe
PID 4280 wrote to memory of 5108	4280	svchost.exe	~tl5396.tmp
PID 4280 wrote to memory of 5108	4280	svchost.exe	~tl5396.tmp
PID 5108 wrote to memory of 4312	5108	~tl5396.tmp	netsh.exe
PID 5108 wrote to memory of 4312	5108	~tl5396.tmp	netsh.exe
PID 5108 wrote to memory of 2836	5108	~tl5396.tmp	netsh.exe
PID 5108 wrote to memory of 2836	5108	~tl5396.tmp	netsh.exe
PID 5108 wrote to memory of 4700	5108	~tl5396.tmp	netsh.exe
PID 5108 wrote to memory of 4700	5108	~tl5396.tmp	netsh.exe
PID 5108 wrote to memory of 1424	5108	~tl5396.tmp	powershell.exe
PID 5108 wrote to memory of 1424	5108	~tl5396.tmp	powershell.exe
PID 5108 wrote to memory of 3104	5108	~tl5396.tmp	powershell.exe
PID 5108 wrote to memory of 3104	5108	~tl5396.tmp	powershell.exe
PID 5108 wrote to memory of 2488	5108	~tl5396.tmp	schtasks.exe
PID 5108 wrote to memory of 2488	5108	~tl5396.tmp	schtasks.exe
PID 5108 wrote to memory of 4724	5108	~tl5396.tmp	schtasks.exe
PID 5108 wrote to memory of 4724	5108	~tl5396.tmp	schtasks.exe
PID 5108 wrote to memory of 768	5108	~tl5396.tmp	svchost.exe
PID 5108 wrote to memory of 768	5108	~tl5396.tmp	svchost.exe
PID 768 wrote to memory of 3156	768	svchost.exe	netsh.exe
PID 768 wrote to memory of 3156	768	svchost.exe	netsh.exe
PID 768 wrote to memory of 2780	768	svchost.exe	netsh.exe
PID 768 wrote to memory of 2780	768	svchost.exe	netsh.exe
PID 768 wrote to memory of 756	768	svchost.exe	netsh.exe
PID 768 wrote to memory of 756	768	svchost.exe	netsh.exe
PID 768 wrote to memory of 4956	768	svchost.exe	powershell.exe
PID 768 wrote to memory of 4956	768	svchost.exe	powershell.exe
PID 768 wrote to memory of 1712	768	svchost.exe	powershell.exe
PID 768 wrote to memory of 1712	768	svchost.exe	powershell.exe
PID 768 wrote to memory of 4508	768	svchost.exe	~tl376E.tmp
PID 768 wrote to memory of 4508	768	svchost.exe	~tl376E.tmp
PID 4508 wrote to memory of 3344	4508	~tl376E.tmp	netsh.exe
PID 4508 wrote to memory of 3344	4508	~tl376E.tmp	netsh.exe
PID 4508 wrote to memory of 3136	4508	~tl376E.tmp	netsh.exe
PID 4508 wrote to memory of 3136	4508	~tl376E.tmp	netsh.exe
PID 4508 wrote to memory of 1016	4508	~tl376E.tmp	netsh.exe
PID 4508 wrote to memory of 1016	4508	~tl376E.tmp	netsh.exe
PID 4508 wrote to memory of 3536	4508	~tl376E.tmp	powershell.exe
PID 4508 wrote to memory of 3536	4508	~tl376E.tmp	powershell.exe
PID 4508 wrote to memory of 1548	4508	~tl376E.tmp	powershell.exe
PID 4508 wrote to memory of 1548	4508	~tl376E.tmp	powershell.exe
PID 2968 wrote to memory of 2992	2968	svchost.exe	netsh.exe
PID 2968 wrote to memory of 2992	2968	svchost.exe	netsh.exe
PID 2968 wrote to memory of 4716	2968	svchost.exe	netsh.exe
PID 2968 wrote to memory of 4716	2968	svchost.exe	netsh.exe
PID 2968 wrote to memory of 2256	2968	svchost.exe	netsh.exe
PID 2968 wrote to memory of 2256	2968	svchost.exe	netsh.exe
PID 2968 wrote to memory of 2172	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 2172	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 3480	2968	svchost.exe	powershell.exe
PID 2968 wrote to memory of 3480	2968	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1872

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\~tl5396.tmp
C:\Users\Admin\AppData\Local\Temp\~tl5396.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:4312

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2836

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2488

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:4724

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:3156

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2780

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Local\Temp\~tl376E.tmp
C:\Users\Admin\AppData\Local\Temp\~tl376E.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:3344

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3136

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2992

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4716

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\TEMP\~tl976B.tmp
C:\Windows\TEMP\~tl976B.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2440

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4936

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:3216

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4116

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\TEMP\~tl2F9.tmp
C:\Windows\TEMP\~tl2F9.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:208

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:400

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a98fa066c774166d29a0c5156e597b89

SHA1
9dc9cfcc35bc458e88758bdf23d89b397a86c17c

SHA256
aec919528e804283332ad1c2e36928ddf1b1f391b8bead2bb5c929a6b337f0f8

SHA512
af7157ecc1ab15cb87105bb7a52e3cd7fb2484e6c0f815c2f861689a0f3c65123346cc8debd2715cc52161694d53160def2a770d8aa0ab1d7232fea5b167ef13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8ddd0bc8e597b4dd54abf0f21bbc3c2

SHA1
a0f3f5fad3dff9626b17b310df75f76c2b2d8609

SHA256
797022b4edccf9b42c878f4211472bfedacfa6e86fd7e4e74f1c0208dd024c27

SHA512
24f377a4b101531927eada1c24d69902ab24373adbb47d9ef81f911cacb7f402e8f3f09b35ea7ea7d94983029d15b3d011ae88d352c19b04ec96babe265143f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9293ef980c925abe33d940554ed8575

SHA1
9b6d85f2595f7fd4923f52b21ab7607279066969

SHA256
8313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe

SHA512
2003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3db1c0d23daacf01eb99125ccc2787d3

SHA1
0849528de1ba411279231d635d8f39d54cc829d2

SHA256
bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

SHA512
3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7f6705d2d7ab39c64cb8e4e1b341e176

SHA1
9f9bac74906697536982a0cc12da7e92ab3f9706

SHA256
f8b5567226896fe346d3b6227e7d99bdd15979249e81830b19fd9281b929599f

SHA512
cbe9f7d438395e12045ff86a0fe139cbf274b918329531ab4b0d55f9ea33cd73aae7e7ad41e8e080459ed22447360351c11817aa399560de3f17e0ab697b1fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6220edbe29813f61b261359f511f8bdc

SHA1
6554c3c0540a99fd7351e374e81e37c451f7b731

SHA256
70d9aaab1e17ab9f626a96973c4054e76eb50b84f6cd2efca0a13406f0411907

SHA512
df085078ee421ace32eb297600151001943ad7ac24405a5676b77700104d38e9dd1efc59e3e04fe82faeadae06a995ab72203742463c46eb0d429f3aa472b982

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exmk11w1.kuc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl376E.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl5396.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7956f785e05d02ba3e352e0f1b61f88f

SHA1
baf4d50d0a7132ace9a81568730e33ced52e7792

SHA256
0cd8e817ac1ddbcab1aa9d3ed2fee22bbd2c0f3a6806ea1f39d6905cac844fbf

SHA512
5d74a771222edc25530196faebe09790a8af795a0a01c5e6108c993fe110ffde743ce28370a73ef2d4a8a6b6d3222b32a69a3348d45ecce10a57ef1ca882810e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72a8a092e723581f095e22a45bff2e82

SHA1
77d15a55156e3f68ad6a971f1c0506ccd1d61d21

SHA256
f6a235aa3523f4d5a9dcc8cc1c828c9428fdcfed4e762cc22acd2dd86c319e9e

SHA512
853037b912cc5fe0cd95db91de3cd894ff1b48878ffba746c2c6120e18a30af49b2b0809c5323686494740498f15c9e02c9952e288cbcfbaaf59483239cb8160

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
682adf03577956f0a6414acd72b8ad65

SHA1
475734457db2f0b409a5f1b11ca97aecf7d5ff39

SHA256
079ce400b09565dba54d9aadfa43a0aeaa64b4c691b0aaa527c2e790c7f57966

SHA512
0a4bc4e4810c0587f292e554baf462a8c257c7c02f59fa4b1ebffc18ecf9038afe9da8db7b55b202d4126ec01d536e87fa2143e6259a11454801f82c4f7da4e0

Download Submit
memory/768-234-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/768-231-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/768-230-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/768-272-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1280-71-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-84-0x000001D74E020000-0x000001D74E030000-memory.dmp

Filesize
64KB

Download
memory/1280-72-0x000001D74E020000-0x000001D74E030000-memory.dmp

Filesize
64KB

Download
memory/1280-86-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-73-0x000001D74E020000-0x000001D74E030000-memory.dmp

Filesize
64KB

Download
memory/1424-215-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1424-189-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1424-212-0x000001D7FE3F0000-0x000001D7FE400000-memory.dmp

Filesize
64KB

Download
memory/1548-297-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-298-0x000002040CC30000-0x000002040CC40000-memory.dmp

Filesize
64KB

Download
memory/1548-304-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1712-257-0x000001F4F25D0000-0x000001F4F25E0000-memory.dmp

Filesize
64KB

Download
memory/1712-263-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1712-247-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-65-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-68-0x000001F9805E0000-0x000001F9805F0000-memory.dmp

Filesize
64KB

Download
memory/1760-70-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-67-0x000001F9805E0000-0x000001F9805F0000-memory.dmp

Filesize
64KB

Download
memory/1760-66-0x000001F9805E0000-0x000001F9805F0000-memory.dmp

Filesize
64KB

Download
memory/2172-316-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/2172-317-0x000001B4442C0000-0x000001B4442D0000-memory.dmp

Filesize
64KB

Download
memory/2172-349-0x000001B446790000-0x000001B446845000-memory.dmp

Filesize
724KB

Download
memory/2172-348-0x000001B446770000-0x000001B44678C000-memory.dmp

Filesize
112KB

Download
memory/2968-313-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2968-384-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2968-315-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3104-200-0x0000015B2A420000-0x0000015B2A430000-memory.dmp

Filesize
64KB

Download
memory/3104-211-0x0000015B2A420000-0x0000015B2A430000-memory.dmp

Filesize
64KB

Download
memory/3104-199-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-214-0x0000015B2A420000-0x0000015B2A430000-memory.dmp

Filesize
64KB

Download
memory/3104-218-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-338-0x0000013C10F10000-0x0000013C10F20000-memory.dmp

Filesize
64KB

Download
memory/3480-328-0x0000013C10F10000-0x0000013C10F20000-memory.dmp

Filesize
64KB

Download
memory/3480-327-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-303-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-277-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-299-0x000002A9DBAE0000-0x000002A9DBAF0000-memory.dmp

Filesize
64KB

Download
memory/3700-17-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-12-0x000001FB7F960000-0x000001FB7F982000-memory.dmp

Filesize
136KB

Download
memory/3700-18-0x000001FB7D870000-0x000001FB7D880000-memory.dmp

Filesize
64KB

Download
memory/3700-19-0x000001FB7D870000-0x000001FB7D880000-memory.dmp

Filesize
64KB

Download
memory/3700-20-0x000001FB7D870000-0x000001FB7D880000-memory.dmp

Filesize
64KB

Download
memory/3700-22-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-54-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4280-51-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4280-87-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/4280-187-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4280-49-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4508-306-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4508-307-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4508-275-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4508-276-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4508-273-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4508-271-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4508-274-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4716-38-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/4716-34-0x0000022DFEAB0000-0x0000022DFEAC0000-memory.dmp

Filesize
64KB

Download
memory/4716-36-0x0000022DFEAB0000-0x0000022DFEAC0000-memory.dmp

Filesize
64KB

Download
memory/4716-33-0x0000022DFEAB0000-0x0000022DFEAC0000-memory.dmp

Filesize
64KB

Download
memory/4716-32-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/4896-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4896-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4896-6-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4896-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4896-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4896-52-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4896-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4956-244-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-246-0x000002099D970000-0x000002099D980000-memory.dmp

Filesize
64KB

Download
memory/4956-258-0x000002099D970000-0x000002099D980000-memory.dmp

Filesize
64KB

Download
memory/4956-260-0x00007FF87BCE0000-0x00007FF87C7A1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-176-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5108-175-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5108-174-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5108-173-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5108-188-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/5108-233-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download