1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

max time kernel
1799s
max time network
1801s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/04/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

5.3MB
MD5

5fe4ea367cee11e92ad4644d8ac3cef7
SHA1

44faea4a352b7860a9eafca82bd3c9b054b6db29
SHA256

1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b
SHA512

1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f
SSDEEP

98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (535) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
620	netsh.exe
1272	netsh.exe
2072	netsh.exe
2324	netsh.exe
2600	netsh.exe
844	netsh.exe
2868	netsh.exe
2964	netsh.exe
888	netsh.exe
2512	netsh.exe
1364	netsh.exe
1568	netsh.exe
1292	netsh.exe
3064	netsh.exe
704	netsh.exe
696	netsh.exe
1224	netsh.exe
1556	netsh.exe
1856	netsh.exe
1588	netsh.exe
2432	netsh.exe
2280	netsh.exe

Executes dropped EXE 12 IoCs

pid	Process
580	svchost.exe
2412	~tl4634.tmp
1412	svchost.exe
1512	~tl1719.tmp
2028	svchost.exe
1368	~tlA573.tmp
1248	svchost.exe
1672	~tlA1F.tmp
2612	svchost.exe
2132	~tlA1FA.tmp
2448	svchost.exe
2764	~tlEE55.tmp

Loads dropped DLL 20 IoCs

pid	Process
2604	tmp.exe
2604	tmp.exe
580	svchost.exe
580	svchost.exe
2412	~tl4634.tmp
2412	~tl4634.tmp
1412	svchost.exe
1412	svchost.exe
2764	taskeng.exe
2028	svchost.exe
2028	svchost.exe
1416	taskeng.exe
1248	svchost.exe
1248	svchost.exe
2876	taskeng.exe
2612	svchost.exe
2612	svchost.exe
1652	taskeng.exe
2448	svchost.exe
2448	svchost.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlA1F.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlA1FA.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlEE55.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlA1F.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlEE55.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlA573.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlA573.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlA1FA.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	~tl4634.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl4634.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
484	schtasks.exe
1200	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\be-04-05-8a-ad-59	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionTime = 80f2cbbc2689da01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tlEE55.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionTime = 80f2cbbc2689da01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a063abd62389da01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tlA573.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionTime = 00eed8da2589da01	~tlA1FA.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59	~tlA1F.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tlA1F.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionTime = e0074bd92489da01	~tlA1F.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionTime = a03bbecd2389da01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}	~tlA573.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tlA1F.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionTime = 20068fdf2389da01	~tlA573.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59	~tlEE55.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionTime = e0074bd92489da01	~tlA1F.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\be-04-05-8a-ad-59	~tlA1FA.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionReason = "1"	~tlA573.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecision = "0"	~tlA1F.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59	~tlA1FA.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	~tlA1FA.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tlA1FA.tmp

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2148	powershell.exe
320	powershell.exe
2604	tmp.exe
1872	powershell.exe
1884	powershell.exe
2412	~tl4634.tmp
468	powershell.exe
1520	powershell.exe
2412	~tl4634.tmp
1412	svchost.exe
3036	powershell.exe
2020	powershell.exe
1512	~tl1719.tmp
1584	powershell.exe
1664	powershell.exe
2028	svchost.exe
2356	powershell.exe
112	powershell.exe
1368	~tlA573.tmp
888	powershell.exe
1248	powershell.exe
1248	svchost.exe
1424	powershell.exe
1440	powershell.exe
1672	~tlA1F.tmp
2096	powershell.exe
2400	powershell.exe
2612	svchost.exe
2128	powershell.exe
2616	powershell.exe
2132	~tlA1FA.tmp
1652	powershell.exe
1664	powershell.exe
2448	svchost.exe
2068	powershell.exe
1984	powershell.exe
2764	~tlEE55.tmp
1596	powershell.exe
2416	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2148	2604	tmp.exe	32
PID 2604 wrote to memory of 2148	2604	tmp.exe	32
PID 2604 wrote to memory of 2148	2604	tmp.exe	32
PID 2604 wrote to memory of 320	2604	tmp.exe	34
PID 2604 wrote to memory of 320	2604	tmp.exe	34
PID 2604 wrote to memory of 320	2604	tmp.exe	34
PID 2604 wrote to memory of 484	2604	tmp.exe	36
PID 2604 wrote to memory of 484	2604	tmp.exe	36
PID 2604 wrote to memory of 484	2604	tmp.exe	36
PID 2604 wrote to memory of 580	2604	tmp.exe	38
PID 2604 wrote to memory of 580	2604	tmp.exe	38
PID 2604 wrote to memory of 580	2604	tmp.exe	38
PID 580 wrote to memory of 1884	580	svchost.exe	40
PID 580 wrote to memory of 1884	580	svchost.exe	40
PID 580 wrote to memory of 1884	580	svchost.exe	40
PID 580 wrote to memory of 1872	580	svchost.exe	42
PID 580 wrote to memory of 1872	580	svchost.exe	42
PID 580 wrote to memory of 1872	580	svchost.exe	42
PID 580 wrote to memory of 2412	580	svchost.exe	44
PID 580 wrote to memory of 2412	580	svchost.exe	44
PID 580 wrote to memory of 2412	580	svchost.exe	44
PID 2412 wrote to memory of 1728	2412	~tl4634.tmp	46
PID 2412 wrote to memory of 1728	2412	~tl4634.tmp	46
PID 2412 wrote to memory of 1728	2412	~tl4634.tmp	46
PID 2412 wrote to memory of 1588	2412	~tl4634.tmp	48
PID 2412 wrote to memory of 1588	2412	~tl4634.tmp	48
PID 2412 wrote to memory of 1588	2412	~tl4634.tmp	48
PID 2412 wrote to memory of 2324	2412	~tl4634.tmp	50
PID 2412 wrote to memory of 2324	2412	~tl4634.tmp	50
PID 2412 wrote to memory of 2324	2412	~tl4634.tmp	50
PID 2412 wrote to memory of 468	2412	~tl4634.tmp	52
PID 2412 wrote to memory of 468	2412	~tl4634.tmp	52
PID 2412 wrote to memory of 468	2412	~tl4634.tmp	52
PID 2412 wrote to memory of 1520	2412	~tl4634.tmp	54
PID 2412 wrote to memory of 1520	2412	~tl4634.tmp	54
PID 2412 wrote to memory of 1520	2412	~tl4634.tmp	54
PID 2412 wrote to memory of 2576	2412	~tl4634.tmp	56
PID 2412 wrote to memory of 2576	2412	~tl4634.tmp	56
PID 2412 wrote to memory of 2576	2412	~tl4634.tmp	56
PID 2412 wrote to memory of 1200	2412	~tl4634.tmp	58
PID 2412 wrote to memory of 1200	2412	~tl4634.tmp	58
PID 2412 wrote to memory of 1200	2412	~tl4634.tmp	58
PID 2412 wrote to memory of 1412	2412	~tl4634.tmp	60
PID 2412 wrote to memory of 1412	2412	~tl4634.tmp	60
PID 2412 wrote to memory of 1412	2412	~tl4634.tmp	60
PID 1412 wrote to memory of 1308	1412	svchost.exe	62
PID 1412 wrote to memory of 1308	1412	svchost.exe	62
PID 1412 wrote to memory of 1308	1412	svchost.exe	62
PID 1412 wrote to memory of 1224	1412	svchost.exe	64
PID 1412 wrote to memory of 1224	1412	svchost.exe	64
PID 1412 wrote to memory of 1224	1412	svchost.exe	64
PID 1412 wrote to memory of 1556	1412	svchost.exe	66
PID 1412 wrote to memory of 1556	1412	svchost.exe	66
PID 1412 wrote to memory of 1556	1412	svchost.exe	66
PID 1412 wrote to memory of 3036	1412	svchost.exe	68
PID 1412 wrote to memory of 3036	1412	svchost.exe	68
PID 1412 wrote to memory of 3036	1412	svchost.exe	68
PID 1412 wrote to memory of 2020	1412	svchost.exe	70
PID 1412 wrote to memory of 2020	1412	svchost.exe	70
PID 1412 wrote to memory of 2020	1412	svchost.exe	70
PID 1412 wrote to memory of 1512	1412	svchost.exe	72
PID 1412 wrote to memory of 1512	1412	svchost.exe	72
PID 1412 wrote to memory of 1512	1412	svchost.exe	72
PID 1512 wrote to memory of 1724	1512	~tl1719.tmp	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:484
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\~tl4634.tmp
    C:\Users\Admin\AppData\Local\Temp\~tl4634.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      PID:1728
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1588
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      4⤵
      PID:2576
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      4⤵
      Creates scheduled task(s)
      PID:1200
  - - C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\system32\netsh.exe
        
        netsh int ipv4 set dynamicport tcp start=1025 num=64511
        5⤵
        
        PID:1308
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1224
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\~tl1719.tmp
        
        C:\Users\Admin\AppData\Local\Temp\~tl1719.tmp
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\system32\netsh.exe
        
        netsh int ipv4 set dynamicport tcp start=1025 num=64511
        6⤵
        
        PID:1724
      - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2432
      - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {8FCACB8B-27AD-41D0-A6F7-181E7E2EC341} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2764
- \??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 set dynamicport tcp start=1025 num=64511
    3⤵
    - Modifies data under HKEY_USERS
    PID:2056
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:2512
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\TEMP\~tlA573.tmp
    C:\Windows\TEMP\~tlA573.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      PID:1372
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1364
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1248

C:\Windows\system32\taskeng.exe
taskeng.exe {14416A9D-AE78-4DC6-A434-9E6A0834C417} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1416
- \??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 set dynamicport tcp start=1025 num=64511
    3⤵
    - Modifies data under HKEY_USERS
    PID:2488
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1568
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\TEMP\~tlA1F.tmp
    C:\Windows\TEMP\~tlA1F.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1672
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      PID:2820
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1856
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2400

C:\Windows\system32\taskeng.exe
taskeng.exe {81585A36-AB81-4FA6-A60D-A997A05043C8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2876
- \??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 set dynamicport tcp start=1025 num=64511
    3⤵
    - Modifies data under HKEY_USERS
    PID:2596
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:620
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\TEMP\~tlA1FA.tmp
    C:\Windows\TEMP\~tlA1FA.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2132
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      Modifies data under HKEY_USERS
      PID:1536
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3064
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {4FFB0C6B-0C81-4692-9974-AB9CB8E361C9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1652
- \??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 set dynamicport tcp start=1025 num=64511
    3⤵
    - Modifies data under HKEY_USERS
    PID:1860
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:704
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\TEMP\~tlEE55.tmp
    C:\Windows\TEMP\~tlEE55.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      PID:2692
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:696
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2393c7c6892f82a64caa07b41d70269e

SHA1
6983a01963b4deb9d52b5c7cd674f08f8a4e1357

SHA256
ced46447571922580ce6d4eb18dca3b320109c04e87061ae58a5881648ab6495

SHA512
218b31baff93532047505f958eb55daa365dc5622215eb22c73d9e09aad780b7692f9f6ef797a8fadf9aa2769336ad19022218de2826948605735cbe940f2408

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
186867b003c626a127b4ddf25ebcd510

SHA1
86a350c0b5a82447649e94f5e4c815ffefb73d9f

SHA256
41930b530d84d1ab33258da71fbd8be5e54bd5ac071c3cc19ee49cf4791cc314

SHA512
6fb66b908ce7cbbd8c1f0586cbfb98a0e47771c0789e6f10e4f1d293dd24243372826f3046020dc61f1cd45da7a24e9d87e22a4ca7ac32099abe10bfd2869ac1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
16.6MB

MD5
8cfcd0ea8ed44049e1b56d184133b010

SHA1
d1094b85d04fbebf16edea1a068d829ea8088e56

SHA256
d268e52cb3a0bf72890a04179d80a5edf4996f06875e0fcefa63ae5d17b9d0f0

SHA512
1bee897c4e524473462e00d1f0ca76692ea2a4043ae6c50655452ae4983da96973cef01ac9001a59d9cdb68dbd704fb6899a3c40bd7cb1f48db353db99ab4788

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg

Filesize
393KB

MD5
72e28e2092a43e0d70289f62bec20e65

SHA1
944f2b81392ee946f4767376882c5c1bda6dddb5

SHA256
6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

SHA512
31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

Download Submit
C:\Windows\System\svchost.exe

Filesize
385KB

MD5
e4947751f6277ee8a777b9b984b83df2

SHA1
00142511fd103d3a87229efbbf1d360b9ce7af06

SHA256
e49b0873063e2765239b4dcc80b61cc0ec53d8ad6653b2b9fb08b9a62bfa9ea3

SHA512
47f436ed0ffbe80dc7893de230d1798e433ef2389de379eeb18f9c646504d1a9b0663b494ecd47d6fccbdbe0c24448a92c883b9babd8b49e6f2170c8845e006c

Download Submit
C:\Windows\system\svchost.exe

Filesize
5.3MB

MD5
5fe4ea367cee11e92ad4644d8ac3cef7

SHA1
44faea4a352b7860a9eafca82bd3c9b054b6db29

SHA256
1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

SHA512
1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

Download Submit
\Users\Admin\AppData\Local\Temp\~tl1719.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
\Users\Admin\AppData\Local\Temp\~tl4634.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
memory/320-42-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/320-25-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/320-21-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/320-26-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/320-28-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/320-24-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/320-27-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/468-139-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/468-127-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/468-126-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/468-125-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/468-128-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/468-130-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/468-129-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/468-131-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/580-43-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/580-66-0x000000001EC30000-0x000000001F12C000-memory.dmp

Filesize
5.0MB

Download
memory/580-116-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1248-297-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1368-277-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1368-296-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1412-158-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1412-194-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1412-156-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1512-295-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1512-198-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1512-195-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1512-197-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1512-196-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1512-225-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1512-224-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/1520-142-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/1520-141-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1520-140-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/1520-138-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1520-137-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/1872-61-0x000000000296B000-0x00000000029D2000-memory.dmp

Filesize
412KB

Download
memory/1872-60-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1872-55-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/1872-59-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1884-64-0x0000000002CE4000-0x0000000002CE7000-memory.dmp

Filesize
12KB

Download
memory/1884-63-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1884-62-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1884-58-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1884-54-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1884-57-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1884-56-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1884-65-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-180-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2020-177-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-183-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-182-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2020-181-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2020-178-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2020-179-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2028-273-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2028-248-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2148-23-0x0000000002D44000-0x0000000002D47000-memory.dmp

Filesize
12KB

Download
memory/2148-18-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2148-15-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2148-14-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2148-22-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2148-20-0x0000000002D4B000-0x0000000002DB2000-memory.dmp

Filesize
412KB

Download
memory/2148-19-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2148-16-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2148-17-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2412-117-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2412-157-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2412-118-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2412-119-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2604-3-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2604-0-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2604-39-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2604-4-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2604-1-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/3036-166-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/3036-167-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-176-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-169-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/3036-168-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/3036-170-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/3036-165-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download