a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1800s
max time network
1802s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (866) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3212	netsh.exe
2212	netsh.exe
1572	netsh.exe
1032	netsh.exe
1084	netsh.exe
5052	netsh.exe
3432	netsh.exe
428	netsh.exe
3992	netsh.exe
2868	netsh.exe
2800	netsh.exe
2136	netsh.exe
2356	netsh.exe
2024	netsh.exe
3444	netsh.exe
3180	netsh.exe
1400	netsh.exe
5076	netsh.exe

Executes dropped EXE 11 IoCs

Processes:

svchost.exesvchost.exe~tl646C.tmpsvchost.exe~tl410F.tmpsvchost.exe~tl46E8.tmpsvchost.exe~tlB072.tmpsvchost.exe~tl1A1C.tmp

pid	process
4840	svchost.exe
3336	svchost.exe
4524	~tl646C.tmp
1920	svchost.exe
2460	~tl410F.tmp
1424	svchost.exe
2476	~tl46E8.tmp
360	svchost.exe
1812	~tlB072.tmp
3376	svchost.exe
1876	~tl1A1C.tmp

Drops file in System32 directory 31 IoCs

Processes:

svchost.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exesvchost.exe~tlB072.tmp~tl1A1C.tmppowershell.exepowershell.exepowershell.exesvchost.exe~tl46E8.tmppowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tlB072.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlB072.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl1A1C.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl46E8.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl46E8.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tl46E8.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlB072.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl1A1C.tmp

Drops file in Windows directory 10 IoCs

Processes:

tmp.exesvchost.exe~tl646C.tmpsvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl646C.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl646C.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4396 schtasks.exe
1524 schtasks.exe

pid	process
4396	schtasks.exe
1524	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exenetsh.exepowershell.exesvchost.exepowershell.exepowershell.exesvchost.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe~tl46E8.tmppowershell.exesvchost.exe~tlB072.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl46E8.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	~tlB072.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl46E8.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tl646C.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl410F.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl46E8.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
1820	powershell.exe
1820	powershell.exe
1820	powershell.exe
4188	tmp.exe
4188	tmp.exe
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe
4524	~tl646C.tmp
4524	~tl646C.tmp
3436	powershell.exe
3436	powershell.exe
3436	powershell.exe
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
4524	~tl646C.tmp
4524	~tl646C.tmp
1920	svchost.exe
1920	svchost.exe
836	powershell.exe
836	powershell.exe
1812	powershell.exe
1812	powershell.exe
836	powershell.exe
1812	powershell.exe
2460	~tl410F.tmp
2460	~tl410F.tmp
4436	powershell.exe
4436	powershell.exe
4068	powershell.exe
4068	powershell.exe
4436	powershell.exe
4068	powershell.exe
1424	svchost.exe
1424	svchost.exe
3408	powershell.exe
3408	powershell.exe
4624	powershell.exe
4624	powershell.exe
4624	powershell.exe
3408	powershell.exe
2476	~tl46E8.tmp
2476	~tl46E8.tmp
224	powershell.exe
3556	powershell.exe
224	powershell.exe
3556	powershell.exe
224	powershell.exe
3556	powershell.exe
360	svchost.exe
360	svchost.exe
2988	powershell.exe
2988	powershell.exe
3784	powershell.exe
2988	powershell.exe
3784	powershell.exe
3784	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeIncreaseQuotaPrivilege	4696	powershell.exe
Token: SeSecurityPrivilege	4696	powershell.exe
Token: SeTakeOwnershipPrivilege	4696	powershell.exe
Token: SeLoadDriverPrivilege	4696	powershell.exe
Token: SeSystemProfilePrivilege	4696	powershell.exe
Token: SeSystemtimePrivilege	4696	powershell.exe
Token: SeProfSingleProcessPrivilege	4696	powershell.exe
Token: SeIncBasePriorityPrivilege	4696	powershell.exe
Token: SeCreatePagefilePrivilege	4696	powershell.exe
Token: SeBackupPrivilege	4696	powershell.exe
Token: SeRestorePrivilege	4696	powershell.exe
Token: SeShutdownPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeSystemEnvironmentPrivilege	4696	powershell.exe
Token: SeRemoteShutdownPrivilege	4696	powershell.exe
Token: SeUndockPrivilege	4696	powershell.exe
Token: SeManageVolumePrivilege	4696	powershell.exe
Token: 33	4696	powershell.exe
Token: 34	4696	powershell.exe
Token: 35	4696	powershell.exe
Token: 36	4696	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeIncreaseQuotaPrivilege	3892	powershell.exe
Token: SeSecurityPrivilege	3892	powershell.exe
Token: SeTakeOwnershipPrivilege	3892	powershell.exe
Token: SeLoadDriverPrivilege	3892	powershell.exe
Token: SeSystemProfilePrivilege	3892	powershell.exe
Token: SeSystemtimePrivilege	3892	powershell.exe
Token: SeProfSingleProcessPrivilege	3892	powershell.exe
Token: SeIncBasePriorityPrivilege	3892	powershell.exe
Token: SeCreatePagefilePrivilege	3892	powershell.exe
Token: SeBackupPrivilege	3892	powershell.exe
Token: SeRestorePrivilege	3892	powershell.exe
Token: SeShutdownPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeSystemEnvironmentPrivilege	3892	powershell.exe
Token: SeRemoteShutdownPrivilege	3892	powershell.exe
Token: SeUndockPrivilege	3892	powershell.exe
Token: SeManageVolumePrivilege	3892	powershell.exe
Token: 33	3892	powershell.exe
Token: 34	3892	powershell.exe
Token: 35	3892	powershell.exe
Token: 36	3892	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeIncreaseQuotaPrivilege	3436	powershell.exe
Token: SeSecurityPrivilege	3436	powershell.exe
Token: SeTakeOwnershipPrivilege	3436	powershell.exe
Token: SeLoadDriverPrivilege	3436	powershell.exe
Token: SeSystemProfilePrivilege	3436	powershell.exe
Token: SeSystemtimePrivilege	3436	powershell.exe
Token: SeProfSingleProcessPrivilege	3436	powershell.exe
Token: SeIncBasePriorityPrivilege	3436	powershell.exe
Token: SeCreatePagefilePrivilege	3436	powershell.exe
Token: SeBackupPrivilege	3436	powershell.exe
Token: SeRestorePrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeSystemEnvironmentPrivilege	3436	powershell.exe
Token: SeRemoteShutdownPrivilege	3436	powershell.exe
Token: SeUndockPrivilege	3436	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tl646C.tmpsvchost.exe~tl410F.tmpsvchost.exe

description	pid	process	target process
PID 4188 wrote to memory of 4696	4188	tmp.exe	powershell.exe
PID 4188 wrote to memory of 4696	4188	tmp.exe	powershell.exe
PID 4188 wrote to memory of 1820	4188	tmp.exe	powershell.exe
PID 4188 wrote to memory of 1820	4188	tmp.exe	powershell.exe
PID 4188 wrote to memory of 2476	4188	tmp.exe	schtasks.exe
PID 4188 wrote to memory of 2476	4188	tmp.exe	schtasks.exe
PID 4188 wrote to memory of 4396	4188	tmp.exe	schtasks.exe
PID 4188 wrote to memory of 4396	4188	tmp.exe	schtasks.exe
PID 4188 wrote to memory of 4840	4188	tmp.exe	svchost.exe
PID 4188 wrote to memory of 4840	4188	tmp.exe	svchost.exe
PID 4840 wrote to memory of 3892	4840	svchost.exe	powershell.exe
PID 4840 wrote to memory of 3892	4840	svchost.exe	powershell.exe
PID 4840 wrote to memory of 4124	4840	svchost.exe	powershell.exe
PID 4840 wrote to memory of 4124	4840	svchost.exe	powershell.exe
PID 4840 wrote to memory of 4524	4840	svchost.exe	~tl646C.tmp
PID 4840 wrote to memory of 4524	4840	svchost.exe	~tl646C.tmp
PID 4524 wrote to memory of 2336	4524	~tl646C.tmp	netsh.exe
PID 4524 wrote to memory of 2336	4524	~tl646C.tmp	netsh.exe
PID 4524 wrote to memory of 2800	4524	~tl646C.tmp	netsh.exe
PID 4524 wrote to memory of 2800	4524	~tl646C.tmp	netsh.exe
PID 4524 wrote to memory of 3444	4524	~tl646C.tmp	netsh.exe
PID 4524 wrote to memory of 3444	4524	~tl646C.tmp	netsh.exe
PID 4524 wrote to memory of 3436	4524	~tl646C.tmp	powershell.exe
PID 4524 wrote to memory of 3436	4524	~tl646C.tmp	powershell.exe
PID 4524 wrote to memory of 3164	4524	~tl646C.tmp	powershell.exe
PID 4524 wrote to memory of 3164	4524	~tl646C.tmp	powershell.exe
PID 4524 wrote to memory of 1576	4524	~tl646C.tmp	schtasks.exe
PID 4524 wrote to memory of 1576	4524	~tl646C.tmp	schtasks.exe
PID 4524 wrote to memory of 1524	4524	~tl646C.tmp	schtasks.exe
PID 4524 wrote to memory of 1524	4524	~tl646C.tmp	schtasks.exe
PID 4524 wrote to memory of 1920	4524	~tl646C.tmp	svchost.exe
PID 4524 wrote to memory of 1920	4524	~tl646C.tmp	svchost.exe
PID 1920 wrote to memory of 424	1920	svchost.exe	netsh.exe
PID 1920 wrote to memory of 424	1920	svchost.exe	netsh.exe
PID 1920 wrote to memory of 2136	1920	svchost.exe	netsh.exe
PID 1920 wrote to memory of 2136	1920	svchost.exe	netsh.exe
PID 1920 wrote to memory of 3180	1920	svchost.exe	netsh.exe
PID 1920 wrote to memory of 3180	1920	svchost.exe	netsh.exe
PID 1920 wrote to memory of 836	1920	svchost.exe	powershell.exe
PID 1920 wrote to memory of 836	1920	svchost.exe	powershell.exe
PID 1920 wrote to memory of 1812	1920	svchost.exe	powershell.exe
PID 1920 wrote to memory of 1812	1920	svchost.exe	powershell.exe
PID 1920 wrote to memory of 2460	1920	svchost.exe	~tl410F.tmp
PID 1920 wrote to memory of 2460	1920	svchost.exe	~tl410F.tmp
PID 2460 wrote to memory of 5040	2460	~tl410F.tmp	netsh.exe
PID 2460 wrote to memory of 5040	2460	~tl410F.tmp	netsh.exe
PID 2460 wrote to memory of 2356	2460	~tl410F.tmp	netsh.exe
PID 2460 wrote to memory of 2356	2460	~tl410F.tmp	netsh.exe
PID 2460 wrote to memory of 1084	2460	~tl410F.tmp	netsh.exe
PID 2460 wrote to memory of 1084	2460	~tl410F.tmp	netsh.exe
PID 2460 wrote to memory of 4436	2460	~tl410F.tmp	powershell.exe
PID 2460 wrote to memory of 4436	2460	~tl410F.tmp	powershell.exe
PID 2460 wrote to memory of 4068	2460	~tl410F.tmp	powershell.exe
PID 2460 wrote to memory of 4068	2460	~tl410F.tmp	powershell.exe
PID 1424 wrote to memory of 1468	1424	svchost.exe	netsh.exe
PID 1424 wrote to memory of 1468	1424	svchost.exe	netsh.exe
PID 1424 wrote to memory of 1400	1424	svchost.exe	netsh.exe
PID 1424 wrote to memory of 1400	1424	svchost.exe	netsh.exe
PID 1424 wrote to memory of 5076	1424	svchost.exe	netsh.exe
PID 1424 wrote to memory of 5076	1424	svchost.exe	netsh.exe
PID 1424 wrote to memory of 3408	1424	svchost.exe	powershell.exe
PID 1424 wrote to memory of 3408	1424	svchost.exe	powershell.exe
PID 1424 wrote to memory of 4624	1424	svchost.exe	powershell.exe
PID 1424 wrote to memory of 4624	1424	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2476

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Users\Admin\AppData\Local\Temp\~tl646C.tmp
C:\Users\Admin\AppData\Local\Temp\~tl646C.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2336

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2800

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:1576

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:424

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2136

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Users\Admin\AppData\Local\Temp\~tl410F.tmp
C:\Users\Admin\AppData\Local\Temp\~tl410F.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:5040

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2356

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4068

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
- Modifies data under HKEY_USERS
PID:1468

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1400

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\TEMP\~tl46E8.tmp
C:\Windows\TEMP\~tl46E8.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4260

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2024

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:360

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:3524

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3992

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Windows\TEMP\~tlB072.tmp
C:\Windows\TEMP\~tlB072.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1812

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3292

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3212

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3376

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:4284

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:428

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3464

C:\Windows\TEMP\~tl1A1C.tmp
C:\Windows\TEMP\~tl1A1C.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1876

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2520

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1032

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97328e73ecaad0c4e87ed45b67a7de88

SHA1
7c8be016b78b3e24c544e997865466a89bbf93ed

SHA256
60900c4df8fcff34cad7bf4dd7105127abc55f19c7f6fd3f4c931991aad14b2e

SHA512
c748688fbc50fad13ce5520a2de727d8b7ee3a49ef781273c5b0c7b4bbe335230c9b8c5c2b5de8636b6a40bdce7df80161a44f3f7b6f9d1b58dfbe3590833f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb291afd0fabe86816330c12183121bd

SHA1
b33585894fd0d3c8508da0b23a66a5543f9b0196

SHA256
44a00eed6114fa7de56d0134bbce595529bd40638537ac7a77cdca0327f58782

SHA512
4934327abf84f22d5351ff999dcac871f19ea45c35d47b3a702c4b24773d367d43d368fd4cfb3c39ea6bed094983f226b0b6844b398e6013aff1bed4f32e7efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
182281b674531485ad3ac05d04bf663e

SHA1
eb82d1be905bc6f60082a7d1bd9ad6165524fa61

SHA256
7d66d04c2e7141dc4fa62a8911adf2f1dd9398f6532f8a2fb34c36c482f2ff8f

SHA512
f5587a83740046cd818a1c5894b0d39774cb55a46d8b7c00752f7cb1f062682b90bbb765ca6fb635d5bc05a122de6729515e7fa28c3437b81ad19f2c32344832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
19b5a56e82934af406411a85f27d56da

SHA1
dbd9c95a28e4e2159c588632bac92416a4df49df

SHA256
109512aea8a5e9455d58a076d70c512d733746b5c72bc021caced09c0ad85530

SHA512
5ef68ae110d9d34ad37c229d30c27be10e25c5b6c261eabaeb3b55a2a455ba643ed11aa3e9e6f8911636a5e3404bc8f730deb58cb29e1c47c71104811af10eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f761b82256ef1f3629f2482af364bcc

SHA1
1710c045654cfd5f5d8e02de6f2a63d50901e06a

SHA256
943a4a01583b296de706c67eca5b0da50f99966b23995a0811723fb29fbf8c54

SHA512
67a9df99c4992a819c6f2c0c31973c100b63bf059fcb9f67ec5d41b515bd0c447df3af12ba07073cbd946d043d98e05f60a320d9f52a947db06369d8f77da975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
238B

MD5
ded20df9e334bb537b5b1ad759f3e43a

SHA1
37acd7b450a81c8eb39876c4986535007ffd6467

SHA256
2425f4e2e277fa141993980d0b45ff6139af35e99a0515192293e589d46f8353

SHA512
368119d74bb4372ac2627d4654370c5cbcb0c724902650206ab38c2e2d7b70043b97fa01f153ff99d69fe5028e7abde1d9997b6878d3e85f44620699b582e935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69abcd08613191ad21525687013e2d48

SHA1
332351b7bcf3814224838fa88f7e73878532f0b2

SHA256
8cba22b81411afbe50d6585c793f25a9088cf3696c968128d0c26686d9573f56

SHA512
cee0bf8e5b075b878581b9340649441f23b0536edac7273d73a163170a184342c5b9ac455a3970bd6a557b4f8438bb96a921d27358d44049ea429ce52143590e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yclnqyul.huq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl410F.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl646C.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
668B

MD5
f1e6b88584a0bff4fa40f99dc1a5c922

SHA1
3804477722b32947ef946d3928aaa2b5b43e709b

SHA256
afdcd47ba7e19f0693866348a74cd1acfbde5755d3e0010e2439cef670f07429

SHA512
0db1daf5b248e91f3f37544314fe2a9c49ac04346e43c810390cb542676c67c8c94623eaf87670a6ce654ee1a6f91e40ca92a0c857fc5acb6785b7a1bc9fdc8c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe356669e00a85664b5c62dbd1ba7f58

SHA1
8bca11896338b6a9694b5cfed2bb26f0736b338d

SHA256
dd443a5e2e4b19ded479a7d5c3aece3b1ddf3fda5add40d3a98c575281a0096e

SHA512
7aebf55fd5fe46f279fca91dd68168cc2e93ce2e1c91aa034ea0a419ec84b07d981ac71e979c921bda6f160e13e1411b96527accadf9d2a2cd16d1f8c557e6ec

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
600B

MD5
eedef966f335680abec6ff953f68b0f9

SHA1
fd0d1bee5a4200670710d872e77b4512aab83c45

SHA256
603e37046371bad11f21415c9ae1e53a6eb0e6340ce41af0fdba23779f060e72

SHA512
6f40ef8a0412fe89d00ca18ae151db97cce974a77a575c6fb6ff1627503aaa9877c5c8d666c6e5425646f9d9c674674ff8fb863b047eaa840257f5ea181b6df8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f5f9dc94feda104f118dfd4afff50f8

SHA1
f2f60d9ecc2d115ea68bfe4035f1e73df10192c2

SHA256
e3265e7875e69209079678c96f9d9e28a722c0ff0cb7b62ce72a194eae79bb91

SHA512
e10c4e0d38ad26d78af31f9af77adee29b1ff7fb7ebff8c77a9789770f85fc99e06dd72941d35f39c7b1d21a5973e9e7e16513019a1c007801ace4ea0fa3601a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
668B

MD5
5432e034ea1eec7f9a8252c151e89280

SHA1
d24b3c24a29c552f999fbc31cd91bd7bab8d8e20

SHA256
2ca5ab1c42fd8aa2a1ba93e9559b3b9a145df9af53c1eb1b88ef1d4a4abc9786

SHA512
e4ec0c1b69a168471e33094a282cad8f4f95a11eb7f68cef0ad44e2b4f33bca672846d05afbc97a847b722077cf2ebaed49511da9ca75877a87cdb47ac0f2802

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a30bf0f60d7608b3d52352ca26681ee

SHA1
17bdc755eba3fbe9dd4dd5f0440794e6fe9fc977

SHA256
b99d4e7dc0802fa25987604ba4943fc97ed487348f96d1b88e656e07de1510e0

SHA512
1708bfe417d4d836c2e5b88d475d2b35bec427e47175dcec86a0aeea7f868b03f5bfd59531ec77620be225b1f746a2339f0e97db05df5a3195b0b8bd4ed92c50

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b8c9f4d478e07a51cd5aceba0deb733

SHA1
81042217d51aabab9c4773b8de61bf3ff09c6e61

SHA256
8e7c2bde3b3d194aa6bf50ecf025cfa52c017323903ca46edf43b089e7148d8c

SHA512
7f21a33c0f01f12ef7827dfaa753b13346172462569ac0dcdeed62778b4d2e207af40aa5428f553b072e1f7cfd3a51af230c8d44760a990298b61414630a6fad

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
792B

MD5
6538f59e65a85f9e840455e4b14c2a84

SHA1
cec96a964455246acbeaa340c1728e3e18bf685e

SHA256
2799e4b5789c77817ac3651c55ce76afa6657f2e5d25a90990d10fb9020f2deb

SHA512
eced9acd39785b539c5edd4847965fb8cc63f3b66cdeccc71c50031ba9fefe1075f8bc9fecac8ef8de088014d3fee76203408916a76a789ae8eeb2d39cdfcb2e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/836-440-0x000001EE4DCB0000-0x000001EE4DCC0000-memory.dmp

Filesize
64KB

Download
memory/836-475-0x000001EE4DCB0000-0x000001EE4DCC0000-memory.dmp

Filesize
64KB

Download
memory/836-533-0x00007FFF2DF10000-0x00007FFF2E8FC000-memory.dmp

Filesize
9.9MB

Download
memory/836-437-0x00007FFF2DF10000-0x00007FFF2E8FC000-memory.dmp

Filesize
9.9MB

Download
memory/836-526-0x000001EE4DCB0000-0x000001EE4DCC0000-memory.dmp

Filesize
64KB

Download
memory/1424-676-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1424-1003-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1812-532-0x00007FFF2DF10000-0x00007FFF2E8FC000-memory.dmp

Filesize
9.9MB

Download
memory/1812-444-0x00007FFF2DF10000-0x00007FFF2E8FC000-memory.dmp

Filesize
9.9MB

Download
memory/1812-524-0x0000022F75930000-0x0000022F75940000-memory.dmp

Filesize
64KB

Download
memory/1812-480-0x0000022F75930000-0x0000022F75940000-memory.dmp

Filesize
64KB

Download
memory/1820-62-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-111-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-108-0x000001FB92070000-0x000001FB92080000-memory.dmp

Filesize
64KB

Download
memory/1820-81-0x000001FB92070000-0x000001FB92080000-memory.dmp

Filesize
64KB

Download
memory/1820-63-0x000001FB92070000-0x000001FB92080000-memory.dmp

Filesize
64KB

Download
memory/1820-65-0x000001FB92070000-0x000001FB92080000-memory.dmp

Filesize
64KB

Download
memory/1920-431-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1920-432-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1920-434-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1920-542-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2460-545-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2460-544-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2460-546-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2460-541-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2460-650-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2460-543-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2476-1007-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3164-422-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/3164-388-0x000002AF17750000-0x000002AF17760000-memory.dmp

Filesize
64KB

Download
memory/3164-413-0x000002AF17750000-0x000002AF17760000-memory.dmp

Filesize
64KB

Download
memory/3164-338-0x000002AF17750000-0x000002AF17760000-memory.dmp

Filesize
64KB

Download
memory/3164-337-0x000002AF17750000-0x000002AF17760000-memory.dmp

Filesize
64KB

Download
memory/3164-333-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/3336-298-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3336-301-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3336-300-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/3436-328-0x0000021187180000-0x0000021187190000-memory.dmp

Filesize
64KB

Download
memory/3436-327-0x0000021187180000-0x0000021187190000-memory.dmp

Filesize
64KB

Download
memory/3436-352-0x0000021187180000-0x0000021187190000-memory.dmp

Filesize
64KB

Download
memory/3436-423-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/3436-326-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/3436-416-0x0000021187180000-0x0000021187190000-memory.dmp

Filesize
64KB

Download
memory/3892-147-0x000002368E2E0000-0x000002368E2F0000-memory.dmp

Filesize
64KB

Download
memory/3892-171-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/3892-128-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/3892-130-0x000002368E2E0000-0x000002368E2F0000-memory.dmp

Filesize
64KB

Download
memory/3892-168-0x000002368E2E0000-0x000002368E2F0000-memory.dmp

Filesize
64KB

Download
memory/4124-177-0x000001EE3FF20000-0x000001EE3FF30000-memory.dmp

Filesize
64KB

Download
memory/4124-224-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4124-176-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4124-178-0x000001EE3FF20000-0x000001EE3FF30000-memory.dmp

Filesize
64KB

Download
memory/4124-194-0x000001EE3FF20000-0x000001EE3FF30000-memory.dmp

Filesize
64KB

Download
memory/4124-221-0x000001EE3FF20000-0x000001EE3FF30000-memory.dmp

Filesize
64KB

Download
memory/4188-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4188-122-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4188-6-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4188-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4188-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4188-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4188-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4436-549-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4524-321-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4524-306-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4524-433-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4524-309-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4524-308-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4524-307-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4696-30-0x0000013AF81F0000-0x0000013AF8200000-memory.dmp

Filesize
64KB

Download
memory/4696-57-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4696-52-0x0000013AF81F0000-0x0000013AF8200000-memory.dmp

Filesize
64KB

Download
memory/4696-17-0x0000013AF8480000-0x0000013AF84F6000-memory.dmp

Filesize
472KB

Download
memory/4696-13-0x0000013AF8150000-0x0000013AF8172000-memory.dmp

Filesize
136KB

Download
memory/4696-14-0x0000013AF81F0000-0x0000013AF8200000-memory.dmp

Filesize
64KB

Download
memory/4696-12-0x0000013AF81F0000-0x0000013AF8200000-memory.dmp

Filesize
64KB

Download
memory/4696-11-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4840-225-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/4840-124-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4840-121-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4840-120-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/4840-320-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download