Resubmissions

Submitted          ID                  Score
12-04-2024 14:13   240412-rjrz5aba72   8
12-04-2024 14:12   240412-rh8aqaba68   7
12-04-2024 14:05   240412-rd9mzsea7x   8
12-04-2024 14:05   240412-rd82fsea7v   8
12-04-2024 14:05   240412-rd8exsea7t   8
09-04-2024 07:05   240409-hws9aacd6z   8
09-04-2024 07:05   240409-hwljfacd6x   8
09-04-2024 07:04   240409-hwbz1acd6t   8
09-04-2024 07:03   240409-hvcvxacd3y   8
15-01-2024 20:15   240115-y1q8gsfdf2   7

Analysis
max time kernel: 1800s
max time network: 1800s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-04-2024 14:13
Static task: static1
Behavioral task behavioral1: sample tmp.exe, resource win7-20240221-en
Behavioral task behavioral2: sample tmp.exe, resource win10-20240319-en
Behavioral task behavioral3: sample tmp.exe, resource win10v2004-20240412-en
Behavioral task behavioral4: sample tmp.exe, resource win11-20240221-en
General

Target: tmp.exe
Size: 9.4MB
MD5: db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1: 2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256: a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512: 121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP: 98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK
Malware Config
Signatures

Contacts a large (862) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Modifies Windows Firewall (2 TTPs, 22 IoCs)
Processes (pid process):
netsh.exe with pids 1184, 556, 1528, 1540, 2644, 1076, 1936, 1644, 1128, 2108, 1708, 2104, 360, 1808, 1228, 996, 1652, 1552, 956, 752, 1720, 2160
Executes dropped EXE (12 IoCs)
Processes (pid process):
1568 svchost.exe, 2420 ~tl5C22.tmp, 816 svchost.exe, 1972 ~tl3A04.tmp, 1048 svchost.exe, 1960 ~tlD76B.tmp, 2240 svchost.exe, 2164 ~tl3524.tmp, 2268 svchost.exe, 2652 ~tl9750.tmp, 1744 svchost.exe, 1512 ~tlFE7B.tmp
Loads dropped DLL (20 IoCs)
Processes (pid process):
2232 tmp.exe (×2), 1568 svchost.exe (×2), 2420 ~tl5C22.tmp (×2), 816 svchost.exe (×2), 1436 taskeng.exe, 1048 svchost.exe (×2), 2680 taskeng.exe, 2240 svchost.exe (×2), 2336 taskeng.exe, 2268 svchost.exe (×2), 892 taskeng.exe, 1744 svchost.exe (×2)
Drops file in System32 directory (51 IoCs)
Processes: powershell.exe, ~tlD76B.tmp, svchost.exe, ~tl9750.tmp, ~tlFE7B.tmp, ~tl3524.tmp
Drops file in Windows directory (11 IoCs)
Processes (description, ioc, process):
File opened for modification C:\Windows\System\svchost.exe  ~tl5C22.tmp
File created C:\Windows\System\xxx1.bak  svchost.exe (×6)
File created C:\Windows\System\xxx1.bak  tmp.exe
File opened for modification C:\Windows\System\svchost.exe  tmp.exe
File created C:\Windows\System\xxx1.bak  ~tl5C22.tmp
File created C:\Windows\System\svchost.exe  tmp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process): 1828 schtasks.exe, 808 schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: netsh.exe, ~tlD76B.tmp, svchost.exe, ~tl3524.tmp, ~tl9750.tmp, ~tlFE7B.tmp
Suspicious behavior: EnumeratesProcesses (39 IoCs)
Processes (pid process):
2464 powershell.exe, 3024 powershell.exe, 2232 tmp.exe, 672 powershell.exe, 380 powershell.exe, 2420 ~tl5C22.tmp, 1244 powershell.exe, 2024 powershell.exe, 2420 ~tl5C22.tmp, 816 svchost.exe,
1720 powershell.exe, 2300 powershell.exe, 1972 ~tl3A04.tmp, 1840 powershell.exe, 2308 powershell.exe, 1048 svchost.exe, 404 powershell.exe, 2400 powershell.exe, 1960 ~tlD76B.tmp, 2020 powershell.exe,
2168 powershell.exe, 2240 svchost.exe, 2700 powershell.exe, 2552 powershell.exe, 2164 ~tl3524.tmp, 2748 powershell.exe, 3036 powershell.exe, 2268 svchost.exe, 836 powershell.exe, 1728 powershell.exe,
2652 ~tl9750.tmp, 2176 powershell.exe, 2316 powershell.exe, 1744 svchost.exe, 300 powershell.exe, 2112 powershell.exe, 1512 ~tlFE7B.tmp, 1616 powershell.exe, 832 powershell.exe
Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes (description pid process):
Token: SeDebugPrivilege, powershell.exe with pids 2464, 3024, 672, 380, 1244, 2024, 1720, 2300, 1840, 2308, 404, 2400, 2020, 2168, 2700, 2552, 2748, 3036, 836, 1728, 2176, 2316, 300, 2112, 1616, 832
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid process -> target pid process):
PID 2232 tmp.exe wrote to memory of 2464 powershell.exe (×3)
PID 2232 tmp.exe wrote to memory of 3024 powershell.exe (×3)
PID 2232 tmp.exe wrote to memory of 2080 schtasks.exe (×3)
PID 2232 tmp.exe wrote to memory of 1828 schtasks.exe (×3)
PID 2232 tmp.exe wrote to memory of 1568 svchost.exe (×3)
PID 1568 svchost.exe wrote to memory of 672 powershell.exe (×3)
PID 1568 svchost.exe wrote to memory of 380 powershell.exe (×3)
PID 1568 svchost.exe wrote to memory of 2420 ~tl5C22.tmp (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 884 netsh.exe (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 2104 netsh.exe (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 1184 netsh.exe (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 1244 powershell.exe (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 2024 powershell.exe (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 1056 schtasks.exe (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 808 schtasks.exe (×3)
PID 2420 ~tl5C22.tmp wrote to memory of 816 svchost.exe (×3)
PID 816 svchost.exe wrote to memory of 2712 netsh.exe (×3)
PID 816 svchost.exe wrote to memory of 956 netsh.exe (×3)
PID 816 svchost.exe wrote to memory of 360 netsh.exe (×3)
PID 816 svchost.exe wrote to memory of 1720 powershell.exe (×3)
PID 816 svchost.exe wrote to memory of 2300 powershell.exe (×3)
PID 816 svchost.exe wrote to memory of 1972 ~tl3A04.tmp (list ends at the 64-IoC limit)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (depth 2)
Command line: schtasks /delete /TN "Timer"
-
C:\Windows\system32\schtasks.exe (depth 2)
Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe (depth 2)
Command line: "C:\Windows\System\svchost.exe" formal
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\~tl5C22.tmp (depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\~tl5C22.tmp
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (depth 4)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: schtasks /delete /TN "Timer"
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe (depth 4)
Command line: "C:\Windows\System\svchost.exe" formal
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (depth 5)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
C:\Windows\System32\netsh.exe (depth 5)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe (depth 5)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\~tl3A04.tmp (depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\~tl3A04.tmp
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 6)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
C:\Windows\System32\netsh.exe (depth 6)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe (depth 6)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe (depth 1)
Command line: taskeng.exe {5027DA8E-60DC-4FE0-8711-D69FB40D646E} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
\??\c:\windows\system\svchost.exe (depth 2)
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 3)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\~tlD76B.tmp (depth 3)
Command line: C:\Windows\TEMP\~tlD76B.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 4)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe (depth 1)
Command line: taskeng.exe {D71D0DF4-FBB3-4E05-8711-1D31CF4E839E} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
\??\c:\windows\system\svchost.exe (depth 2)
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 3)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\~tl3524.tmp (depth 3)
Command line: C:\Windows\TEMP\~tl3524.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 4)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe (depth 1)
Command line: taskeng.exe {94025C5A-7E46-4232-8B3F-802CBBF3E371} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
\??\c:\windows\system\svchost.exe (depth 2)
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 3)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\~tl9750.tmp (depth 3)
Command line: C:\Windows\TEMP\~tl9750.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 4)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe (depth 1)
Command line: taskeng.exe {F00FECE5-2F96-4813-B827-445354A5BE79} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
\??\c:\windows\system\svchost.exe (depth 2)
Command line: c:\windows\system\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 3)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\System32\netsh.exe (depth 3)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\~tlFE7B.tmp (depth 3)
Command line: C:\Windows\TEMP\~tlFE7B.tmp
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exe (depth 4)
Command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe (depth 4)
Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
- Modify Registry (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 7a62d954ec034252f04a2cf0ee1b90a1
SHA1: 14feca02ce0a8c2876c769fc7045ff0cb88a2c8c
SHA256: 23dada305d7c0a49c34fa47bcf495145c06b7f8758624a60c577d26fb095a2aa
SHA512: 2ed6973c5e53e9dc0171a7d31739a26d5b2b397ecaa7614fd37f0da8c129b70efc1e1cb6754727ae2225bec25be9931e4c6fbb3453cd13165959f236372b5dd4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f035e4124cbb5c5f4ec45306d569275b
SHA1: 52158af3e3c41b9874ceb4ca6a79d24f88f29bea
SHA256: 8e0189ce1415e0664311628ff42e0678fd66ad47eabaf76960399ce4b849ae91
SHA512: 37c4773d025137191cb9c98ee7524f429b6454011d10668d0a82e8ed5fb86baf016359ef776f3558ff2037f69b78b43258b0b16d764cc938e6f1edfae19a6896
-
C:\Users\Admin\AppData\Local\Temp\Tar88A7.tmp
Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 5e15de61d657f25a8203850fde4d4a0a
SHA1: ab60aeb6bb6945433299bade2340afb281198944
SHA256: 0f2212a93d2768d9e08fd0ecfebe432a848423ecd103b2e112578e71a2f3d3c9
SHA512: bf7eea8925332fa180fa5d26808bea888007f9b1e3df7c0f503c04c99bf496dc1f9db9c66fdf2853b1ae6b074d036ef21ded9948cdb9469f4b6345a05fd8d39e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 6f5787796bb6bd375afe92507652bfc3
SHA1: 16159c086962e90d97120bc84001095651ff02f0
SHA256: 7b055207fb34d3a54e38eb80fa6a9861f4a188218b08fbe3e7c5c4f05032e4ec
SHA512: 57ca102d765c781d941af222d57665d550e23cea787f65d5c7f3833605d85cedcf7d1c3f1a8d49bcbeea72099946b788fed532eca3ac22495aa27b2971f5f657
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize: 1KB
MD5: 55540a230bdab55187a841cfe1aa1545
SHA1: 363e4734f757bdeb89868efe94907774a327695e
SHA256: d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512: c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: e7b2fba0dc8702a8af1dfebf487518d6
SHA1: 0de661ba43754dca299b490ef974bf2d417bf14c
SHA256: 768e62dd921b51b43a99c8e81757325069d06e05003a00facc8d0244d73f283d
SHA512: 4085589ce164c57f0d24786d07f3c2d0f42c48fcc779e8f981bc4bc2383a51ec7cff66097b8f6150225be56847a0e25d48d1b12031591e58e2f39ca4754fcb64
-
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg
Filesize: 393KB
MD5: 72e28e2092a43e0d70289f62bec20e65
SHA1: 944f2b81392ee946f4767376882c5c1bda6dddb5
SHA256: 6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f
SHA512: 31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466
-
C:\Windows\System\svchost.exe
Filesize: 385KB
MD5: 0ff45b5fa0d065df3e06c15089477230
SHA1: 5751545ae3931dd2be0bf2d44a71988ed0848c0a
SHA256: 4e565545e9bb0a8bd601282c00c9e46c996dca600a3ed14234b4dc2b08816c3f
SHA512: 60bea8f2fa917df12a08ef88d1a98b86f0eb5ab9897d8455c7a48a3d39fc17bd648703eb8ef7f436bec7971ee4b6cea890b6992f97fa18ba722264f197e740dc
-
C:\Windows\Temp\Cab2F8B.tmp
Filesize: 29KB
MD5: d59a6b36c5a94916241a3ead50222b6f
SHA1: e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256: a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512: 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
\??\PIPE\srvsvc
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\~tl3A04.tmp
Filesize: 393KB
MD5: 9dbdd43a2e0b032604943c252eaf634a
SHA1: 9584dc66f3c1cce4210fdf827a1b4e2bb22263af
SHA256: 33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86
SHA512: b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1
-
\Users\Admin\AppData\Local\Temp\~tl5C22.tmp
Filesize: 385KB
MD5: e802c96760e48c5139995ffb2d891f90
SHA1: bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256: cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA512: 97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
\Windows\system\svchost.exe
Filesize: 9.4MB
MD5: db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1: 2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256: a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512: 121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
memory/380-71-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp
Filesize: 9.6MB
-
memory/380-70-0x00000000028E0000-0x0000000002960000-memory.dmp
Filesize: 512KB
-
memory/380-69-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp
Filesize: 9.6MB
-
memory/380-72-0x00000000028E0000-0x0000000002960000-memory.dmp
Filesize: 512KB
-
memory/380-73-0x00000000028E0000-0x0000000002960000-memory.dmp
Filesize: 512KB
-
memory/380-74-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp
Filesize: 9.6MB
-
memory/672-63-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
Filesize: 9.6MB
-
memory/672-62-0x00000000029F0000-0x0000000002A70000-memory.dmp
Filesize: 512KB
-
memory/672-61-0x00000000029F0000-0x0000000002A70000-memory.dmp
Filesize: 512KB
-
memory/672-60-0x00000000029F0000-0x0000000002A70000-memory.dmp
Filesize: 512KB
-
memory/672-59-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
Filesize: 9.6MB
-
memory/672-58-0x00000000029F0000-0x0000000002A70000-memory.dmp
Filesize: 512KB
-
memory/672-57-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
Filesize: 9.6MB
-
memory/816-549-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/816-512-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/816-514-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/1048-621-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/1048-611-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/1048-594-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/1244-481-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp
Filesize: 9.6MB
-
memory/1244-482-0x00000000026E0000-0x0000000002760000-memory.dmp
Filesize: 512KB
-
memory/1244-484-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp
Filesize: 9.6MB
-
memory/1244-490-0x00000000026E0000-0x0000000002760000-memory.dmp
Filesize: 512KB
-
memory/1244-489-0x00000000026E0000-0x0000000002760000-memory.dmp
Filesize: 512KB
-
memory/1244-492-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp
Filesize: 9.6MB
-
memory/1244-480-0x000000001B4C0000-0x000000001B7A2000-memory.dmp
Filesize: 2.9MB
-
memory/1568-50-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/1568-472-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/1568-45-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/1568-75-0x0000000180000000-0x000000018070E000-memory.dmp
Filesize: 7.1MB
-
memory/1568-47-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/1720-521-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp
Filesize: 9.6MB
-
memory/1720-522-0x0000000002D00000-0x0000000002D80000-memory.dmp
Filesize: 512KB
-
memory/1720-530-0x0000000002D00000-0x0000000002D80000-memory.dmp
Filesize: 512KB
-
memory/1720-525-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp
Filesize: 9.6MB
-
memory/1720-520-0x000000001B750000-0x000000001BA32000-memory.dmp
Filesize: 2.9MB
-
memory/1960-644-0x0000000140000000-0x0000000140170400-memory.dmp
Filesize: 1.4MB
-
memory/1960-642-0x0000000140000000-0x0000000140170400-memory.dmp
Filesize: 1.4MB
-
memory/1960-625-0x0000000140000000-0x0000000140170400-memory.dmp
Filesize: 1.4MB
-
memory/1972-578-0x0000000140000000-0x0000000140170400-memory.dmp
Filesize: 1.4MB
-
memory/1972-577-0x0000000140000000-0x0000000140170400-memory.dmp
Filesize: 1.4MB
-
memory/1972-552-0x0000000140000000-0x0000000140170400-memory.dmp
Filesize: 1.4MB
-
memory/1972-550-0x0000000140000000-0x0000000140170400-memory.dmp
Filesize: 1.4MB
-
memory/2024-493-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp
Filesize: 9.6MB
-
memory/2024-497-0x0000000002DD0000-0x0000000002E50000-memory.dmp
Filesize: 512KB
-
memory/2024-491-0x0000000002DD0000-0x0000000002E50000-memory.dmp
Filesize: 512KB
-
memory/2024-498-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp
Filesize: 9.6MB
-
memory/2024-494-0x0000000002DD0000-0x0000000002E50000-memory.dmp
Filesize: 512KB
-
memory/2024-495-0x0000000002DD0000-0x0000000002E50000-memory.dmp
Filesize: 512KB
-
memory/2024-496-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp
Filesize: 9.6MB
-
memory/2232-2-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/2232-1-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/2232-3-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/2232-4-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/2232-0-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/2232-48-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/2232-6-0x0000000140000000-0x0000000140A64400-memory.dmp
Filesize: 10.4MB
-
memory/2300-531-0x0000000002870000-0x00000000028F0000-memory.dmp
Filesize: 512KB
-
memory/2300-533-0x0000000002870000-0x00000000028F0000-memory.dmp
Filesize: 512KB
-
memory/2300-532-0x0000000002870000-0x00000000028F0000-memory.dmp
Filesize: 512KB
-
memory/2420-513-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/2420-461-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/2420-459-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/2420-473-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/2420-460-0x0000000140000000-0x000000014015E400-memory.dmp
Filesize: 1.4MB
-
memory/2464-19-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
Filesize: 9.6MB
-
memory/2464-13-0x0000000002890000-0x0000000002910000-memory.dmp
Filesize: 512KB
-
memory/2464-18-0x0000000002890000-0x0000000002910000-memory.dmp
Filesize: 512KB
-
memory/2464-17-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
Filesize: 9.6MB
-
memory/2464-12-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
Filesize: 9.6MB
-
memory/2464-15-0x0000000002890000-0x0000000002910000-memory.dmp
Filesize: 512KB
-
memory/2464-16-0x0000000002890000-0x0000000002910000-memory.dmp
Filesize: 512KB
-
memory/2464-14-0x0000000002870000-0x0000000002878000-memory.dmp
Filesize: 32KB
-
memory/2464-11-0x000000001B530000-0x000000001B812000-memory.dmp
Filesize: 2.9MB
-
memory/3024-27-0x0000000002D10000-0x0000000002D90000-memory.dmp
Filesize: 512KB
-
memory/3024-30-0x0000000002D10000-0x0000000002D90000-memory.dmp
Filesize: 512KB
-
memory/3024-31-0x0000000002D10000-0x0000000002D90000-memory.dmp
Filesize: 512KB
-
memory/3024-33-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp
Filesize: 9.6MB
-
memory/3024-29-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp
Filesize: 9.6MB
-
memory/3024-32-0x0000000002D10000-0x0000000002D90000-memory.dmp
Filesize: 512KB
-
memory/3024-28-0x0000000001F80000-0x0000000001F88000-memory.dmp
Filesize: 32KB
-
memory/3024-26-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp
Filesize: 9.6MB
-
memory/3024-25-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
Filesize: 2.9MB