a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
1770s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 14:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (762) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4256	netsh.exe
4392	netsh.exe
3784	netsh.exe
3180	netsh.exe
1872	netsh.exe
2604	netsh.exe
2092	netsh.exe
1996	netsh.exe
4220	netsh.exe
4448	netsh.exe
4620	netsh.exe
4116	netsh.exe
972	netsh.exe
4436	netsh.exe
4664	netsh.exe
3584	netsh.exe
4076	netsh.exe
2568	netsh.exe
4408	netsh.exe
4696	netsh.exe
3604	netsh.exe
5068	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe~tlBAA2.tmptmp.exesvchost.exe~tlD88F.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	~tlBAA2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	~tlD88F.tmp

Executes dropped EXE 12 IoCs

Processes:

svchost.exe~tlD88F.tmpsvchost.exe~tlBAA2.tmpsvchost.exe~tlECB0.tmpsvchost.exe~tl5168.tmpsvchost.exe~tlBB6F.tmpsvchost.exe~tl2288.tmp

pid	process
2316	svchost.exe
1672	~tlD88F.tmp
3432	svchost.exe
2648	~tlBAA2.tmp
4848	svchost.exe
4644	~tlECB0.tmp
4724	svchost.exe
3780	~tl5168.tmp
4980	svchost.exe
2140	~tlBB6F.tmp
4340	svchost.exe
1504	~tl2288.tmp

Drops file in System32 directory 40 IoCs

Processes:

svchost.exepowershell.exe~tlECB0.tmppowershell.exesvchost.exepowershell.exepowershell.exe~tlBB6F.tmppowershell.exesvchost.exepowershell.exepowershell.exe~tl2288.tmppowershell.exepowershell.exepowershell.exe~tl5168.tmppowershell.exepowershell.exepowershell.exesvchost.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	~tlECB0.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tlECB0.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\GOQRRY91.htm	~tlECB0.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	~tlECB0.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlBB6F.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tlBB6F.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlECB0.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83D863F495E7D991917B3ABB3E1EB382_633EB21D327143A39045A55F051CAC25	~tlECB0.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83D863F495E7D991917B3ABB3E1EB382_633EB21D327143A39045A55F051CAC25	~tlECB0.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	~tlECB0.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl2288.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517	~tlECB0.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517	~tlECB0.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl5168.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	~tlECB0.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Windows directory 11 IoCs

Processes:

tmp.exe~tlD88F.tmpsvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	~tlD88F.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tlD88F.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1776 schtasks.exe
3236 schtasks.exe

pid	process
1776	schtasks.exe
3236	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe~tl2288.tmpsvchost.exepowershell.exe~tlBB6F.tmppowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	~tl2288.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tlBB6F.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe~tlD88F.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlBAA2.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlECB0.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl5168.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlBB6F.tmppowershell.exe

pid	process
232	powershell.exe
232	powershell.exe
5008	powershell.exe
5008	powershell.exe
2576	tmp.exe
2576	tmp.exe
320	powershell.exe
320	powershell.exe
1824	powershell.exe
1824	powershell.exe
1672	~tlD88F.tmp
1672	~tlD88F.tmp
4724	powershell.exe
1712	powershell.exe
1712	powershell.exe
4724	powershell.exe
1672	~tlD88F.tmp
1672	~tlD88F.tmp
3432	svchost.exe
3432	svchost.exe
4960	powershell.exe
2604	powershell.exe
4960	powershell.exe
2604	powershell.exe
2648	~tlBAA2.tmp
2648	~tlBAA2.tmp
840	powershell.exe
840	powershell.exe
2432	powershell.exe
2432	powershell.exe
4848	svchost.exe
4848	svchost.exe
3788	powershell.exe
3788	powershell.exe
1524	powershell.exe
1524	powershell.exe
4644	~tlECB0.tmp
4644	~tlECB0.tmp
1472	powershell.exe
3376	powershell.exe
3376	powershell.exe
1472	powershell.exe
4724	svchost.exe
4724	svchost.exe
4380	powershell.exe
4556	powershell.exe
4380	powershell.exe
4556	powershell.exe
3780	~tl5168.tmp
3780	~tl5168.tmp
2464	powershell.exe
2464	powershell.exe
1668	powershell.exe
1668	powershell.exe
4980	svchost.exe
4980	svchost.exe
3816	powershell.exe
3816	powershell.exe
2536	powershell.exe
2536	powershell.exe
2140	~tlBB6F.tmp
2140	~tlBB6F.tmp
4648	powershell.exe
4648	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exe~tlD88F.tmpsvchost.exe~tlBAA2.tmpsvchost.exe

description	pid	process	target process
PID 2576 wrote to memory of 232	2576	tmp.exe	powershell.exe
PID 2576 wrote to memory of 232	2576	tmp.exe	powershell.exe
PID 2576 wrote to memory of 5008	2576	tmp.exe	powershell.exe
PID 2576 wrote to memory of 5008	2576	tmp.exe	powershell.exe
PID 2576 wrote to memory of 1612	2576	tmp.exe	schtasks.exe
PID 2576 wrote to memory of 1612	2576	tmp.exe	schtasks.exe
PID 2576 wrote to memory of 1776	2576	tmp.exe	schtasks.exe
PID 2576 wrote to memory of 1776	2576	tmp.exe	schtasks.exe
PID 2576 wrote to memory of 2316	2576	tmp.exe	svchost.exe
PID 2576 wrote to memory of 2316	2576	tmp.exe	svchost.exe
PID 2316 wrote to memory of 320	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 320	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 1824	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 1824	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 1672	2316	svchost.exe	~tlD88F.tmp
PID 2316 wrote to memory of 1672	2316	svchost.exe	~tlD88F.tmp
PID 1672 wrote to memory of 1528	1672	~tlD88F.tmp	netsh.exe
PID 1672 wrote to memory of 1528	1672	~tlD88F.tmp	netsh.exe
PID 1672 wrote to memory of 4076	1672	~tlD88F.tmp	netsh.exe
PID 1672 wrote to memory of 4076	1672	~tlD88F.tmp	netsh.exe
PID 1672 wrote to memory of 2568	1672	~tlD88F.tmp	netsh.exe
PID 1672 wrote to memory of 2568	1672	~tlD88F.tmp	netsh.exe
PID 1672 wrote to memory of 4724	1672	~tlD88F.tmp	powershell.exe
PID 1672 wrote to memory of 4724	1672	~tlD88F.tmp	powershell.exe
PID 1672 wrote to memory of 1712	1672	~tlD88F.tmp	powershell.exe
PID 1672 wrote to memory of 1712	1672	~tlD88F.tmp	powershell.exe
PID 1672 wrote to memory of 4732	1672	~tlD88F.tmp	schtasks.exe
PID 1672 wrote to memory of 4732	1672	~tlD88F.tmp	schtasks.exe
PID 1672 wrote to memory of 3236	1672	~tlD88F.tmp	schtasks.exe
PID 1672 wrote to memory of 3236	1672	~tlD88F.tmp	schtasks.exe
PID 1672 wrote to memory of 3432	1672	~tlD88F.tmp	svchost.exe
PID 1672 wrote to memory of 3432	1672	~tlD88F.tmp	svchost.exe
PID 3432 wrote to memory of 2864	3432	svchost.exe	netsh.exe
PID 3432 wrote to memory of 2864	3432	svchost.exe	netsh.exe
PID 3432 wrote to memory of 4116	3432	svchost.exe	netsh.exe
PID 3432 wrote to memory of 4116	3432	svchost.exe	netsh.exe
PID 3432 wrote to memory of 972	3432	svchost.exe	netsh.exe
PID 3432 wrote to memory of 972	3432	svchost.exe	netsh.exe
PID 3432 wrote to memory of 4960	3432	svchost.exe	powershell.exe
PID 3432 wrote to memory of 4960	3432	svchost.exe	powershell.exe
PID 3432 wrote to memory of 2604	3432	svchost.exe	powershell.exe
PID 3432 wrote to memory of 2604	3432	svchost.exe	powershell.exe
PID 3432 wrote to memory of 2648	3432	svchost.exe	~tlBAA2.tmp
PID 3432 wrote to memory of 2648	3432	svchost.exe	~tlBAA2.tmp
PID 2648 wrote to memory of 2848	2648	~tlBAA2.tmp	netsh.exe
PID 2648 wrote to memory of 2848	2648	~tlBAA2.tmp	netsh.exe
PID 2648 wrote to memory of 4408	2648	~tlBAA2.tmp	netsh.exe
PID 2648 wrote to memory of 4408	2648	~tlBAA2.tmp	netsh.exe
PID 2648 wrote to memory of 2092	2648	~tlBAA2.tmp	netsh.exe
PID 2648 wrote to memory of 2092	2648	~tlBAA2.tmp	netsh.exe
PID 2648 wrote to memory of 840	2648	~tlBAA2.tmp	powershell.exe
PID 2648 wrote to memory of 840	2648	~tlBAA2.tmp	powershell.exe
PID 2648 wrote to memory of 2432	2648	~tlBAA2.tmp	powershell.exe
PID 2648 wrote to memory of 2432	2648	~tlBAA2.tmp	powershell.exe
PID 4848 wrote to memory of 496	4848	svchost.exe	netsh.exe
PID 4848 wrote to memory of 496	4848	svchost.exe	netsh.exe
PID 4848 wrote to memory of 4696	4848	svchost.exe	netsh.exe
PID 4848 wrote to memory of 4696	4848	svchost.exe	netsh.exe
PID 4848 wrote to memory of 3604	4848	svchost.exe	netsh.exe
PID 4848 wrote to memory of 3604	4848	svchost.exe	netsh.exe
PID 4848 wrote to memory of 3788	4848	svchost.exe	powershell.exe
PID 4848 wrote to memory of 3788	4848	svchost.exe	powershell.exe
PID 4848 wrote to memory of 1524	4848	svchost.exe	powershell.exe
PID 4848 wrote to memory of 1524	4848	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1612

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\~tlD88F.tmp
C:\Users\Admin\AppData\Local\Temp\~tlD88F.tmp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:1528

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4076

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:4732

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:3236

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:2864

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4116

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Users\Admin\AppData\Local\Temp\~tlBAA2.tmp
C:\Users\Admin\AppData\Local\Temp\~tlBAA2.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:2848

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4408

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:496

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4696

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\TEMP\~tlECB0.tmp
C:\Windows\TEMP\~tlECB0.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4428

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1996

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:1268

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4448

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\TEMP\~tl5168.tmp
C:\Windows\TEMP\~tl5168.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3644

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4620

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:1996

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4664

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\TEMP\~tlBB6F.tmp
C:\Windows\TEMP\~tlBB6F.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:3420

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3784

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4340

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:4816

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:3180

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\TEMP\~tl2288.tmp
C:\Windows\TEMP\~tl2288.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1504

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:2724

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:5068

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea89d89bb68741a1b919ece06a6ac4fa

SHA1
6929525e943c1f56d7fb0687aa4eb257a4e05867

SHA256
4a2aef0e425b133c6147fff146dc8e82d40bb618c9cf0c3c57446e6109ab7040

SHA512
5dd670823f70ee35bde79257a98a941f8e9b83521e3140ac48a814c2b7787ce96355a842fce961ab2770197c1a84cacf3c173c2de0c5bc5060adf9c884be4b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
124055e711792ed83487c05209071f01

SHA1
eab568c1a67dec897aaddde78691809082565d03

SHA256
829fea0ce6b330acc3e4fd7fd2f0e9f1a2a6c1f3ef9e5962a58a6b323064ac12

SHA512
1d57f03dd3fc924a3acb032c9ef190371d24c79bc3e039c703d6dc5957549d02dd2adb1be96a9c3a9e940dcaaeea3ed632e18679ea182f064d2a38f3b6a142f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
173cfbf7d7586b8297c4cd835640b171

SHA1
c9bbb2096047495872e04d6943b0ea914acc8db4

SHA256
d46148d3d99ea7362f7069b4b2eb9dd2d6037bca356b1d6f7d92f0aa755e478c

SHA512
5301826e4fab43a1029bd494fe6b33080210b4be2d5b9839fa170064a7cd5ef520dcf81552911f47f257657755be8d7760937ee0d51628d6447aca339d67662d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f55sdsgj.ihu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlBAA2.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tlD88F.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg

Filesize
393KB

MD5
72e28e2092a43e0d70289f62bec20e65

SHA1
944f2b81392ee946f4767376882c5c1bda6dddb5

SHA256
6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

SHA512
31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

Download Submit
C:\Windows\System\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0802c82bbc3c604193e9636a6ceed96

SHA1
6d98355e298027e01d5cc40f8cb26b2309888b7d

SHA256
860f8700c8a5f4daaa0e46ba57b8de0c4dd6fbe728ac60e2fbf324d6c94d64d2

SHA512
b27cb5b66a8b10f57674df1e1b91edb9535dd7781d6f4706933f3e8b96b7c9172419ee9056b4ab64e6d98cbc509754dbba25ffdd587205ad9f6514806f62c2ed

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
192B

MD5
795acbc7d838b98c4edfc25f8fae067f

SHA1
bfd814ea62454fa42a01163400d16d50e3268194

SHA256
778d0518c34a6a3bb072a3a1750d746a7b782470ec9c52ddd3ee07e7283c86ed

SHA512
66c06c00184cfa54155154956be5bb6428487e6e10580aef918947e38fb76d58e0b024b86db509f0ece94d10baef39e8c17787ff460c61f0f605a3a3e01e9bc3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7956f785e05d02ba3e352e0f1b61f88f

SHA1
baf4d50d0a7132ace9a81568730e33ced52e7792

SHA256
0cd8e817ac1ddbcab1aa9d3ed2fee22bbd2c0f3a6806ea1f39d6905cac844fbf

SHA512
5d74a771222edc25530196faebe09790a8af795a0a01c5e6108c993fe110ffde743ce28370a73ef2d4a8a6b6d3222b32a69a3348d45ecce10a57ef1ca882810e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c557e444bc8de3194697dad63bfb96b

SHA1
d3bbd55a752c262960f35839739bd5f87a3b94a0

SHA256
b2b6d550a7e7a0e7705720fe9d39f74417199b7b0249c730a20114f3ac9a2624

SHA512
17756b11fec3460df28d69e74a33e721127edb5bd1cc94b8eb55930c2b029c57d99f8d6b2c77589dd3ffaa05233a586b5a7115840fc82c73d398234fb5b57352

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
777dcdc95aff94896c58bb7f27313db4

SHA1
5e2e9872700cabad6ce08e07c23752814e66d25d

SHA256
d3d407aac30e2c3a202311a89e2b700c25c359138dba8e5192a342e0c4028dba

SHA512
bdbaef2f65c0cc7ee2b0268be6714f7be41504dd32c14189c9578bf2fed0c8e2208e04419d6ee387d2922e46178a43dc0277c301fa99136a1e6c82171c760e1a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3cfb10d5c8b5c64d7ffb2764e7a5b62

SHA1
927f7b2ca2a3053123d4bba64fa758a62f656acf

SHA256
3c9e294b278566fc67bfe3e179e3a8a8202cb0d9c5d88067383ccb924d3e123b

SHA512
a4a2363a1d2e42a63552d41f3d10524a9aa2d73057d63d3ce1b12db53c2b11cacd7586909b565c1bf7a50131ede39ab15e8e077e0e6af6fab5a039427d3f4beb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa895201f7c24eb7e9f9833977094b87

SHA1
75470692eace082b534a253e2bb0cdbc57c3f7dc

SHA256
f979cce55a822c1f6776b072fde18e8eb2d9bddb8f0398552ab6a99a114f7c1c

SHA512
0e6b24224d43325d7e8f983e1a8eef99de6841f7106a6b818c747c6e7ed0de05c22f291f34b76f520d6ea4f3f76217f4d972931462dc988df4d05992c7308ffb

Download Submit
memory/232-20-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/232-18-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/232-19-0x000001F244A30000-0x000001F244A40000-memory.dmp

Filesize
64KB

Download
memory/232-12-0x000001F25D100000-0x000001F25D122000-memory.dmp

Filesize
136KB

Download
memory/320-69-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/320-67-0x000001B5AE3E0000-0x000001B5AE3F0000-memory.dmp

Filesize
64KB

Download
memory/320-66-0x000001B5AE3E0000-0x000001B5AE3F0000-memory.dmp

Filesize
64KB

Download
memory/320-64-0x000001B5AE3E0000-0x000001B5AE3F0000-memory.dmp

Filesize
64KB

Download
memory/320-65-0x000001B5AE3E0000-0x000001B5AE3F0000-memory.dmp

Filesize
64KB

Download
memory/320-62-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/840-279-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/840-280-0x000002DFF6010000-0x000002DFF6020000-memory.dmp

Filesize
64KB

Download
memory/840-286-0x000002DFF6010000-0x000002DFF6020000-memory.dmp

Filesize
64KB

Download
memory/840-299-0x000002DFF6010000-0x000002DFF6020000-memory.dmp

Filesize
64KB

Download
memory/840-301-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/1524-335-0x00007FFFE6BF0000-0x00007FFFE76B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-182-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1672-170-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1672-227-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1672-169-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1672-168-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1672-167-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1712-196-0x000001FF3E590000-0x000001FF3E5A0000-memory.dmp

Filesize
64KB

Download
memory/1712-197-0x000001FF3E590000-0x000001FF3E5A0000-memory.dmp

Filesize
64KB

Download
memory/1712-194-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/1712-212-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/1824-84-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/1824-82-0x0000022240230000-0x0000022240240000-memory.dmp

Filesize
64KB

Download
memory/1824-71-0x0000022240230000-0x0000022240240000-memory.dmp

Filesize
64KB

Download
memory/1824-70-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/2316-52-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2316-85-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/2316-49-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2316-181-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2316-47-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2432-288-0x0000028A3E460000-0x0000028A3E470000-memory.dmp

Filesize
64KB

Download
memory/2432-306-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/2432-303-0x0000028A3E460000-0x0000028A3E470000-memory.dmp

Filesize
64KB

Download
memory/2432-289-0x0000028A3E460000-0x0000028A3E470000-memory.dmp

Filesize
64KB

Download
memory/2432-287-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/2576-50-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2576-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2576-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2576-11-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2576-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2576-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2576-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2604-257-0x000002A469F20000-0x000002A469F30000-memory.dmp

Filesize
64KB

Download
memory/2604-260-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/2604-247-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/2604-253-0x000002A469F20000-0x000002A469F30000-memory.dmp

Filesize
64KB

Download
memory/2648-268-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2648-273-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2648-272-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2648-271-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2648-270-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2648-307-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3432-228-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3432-225-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3432-269-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3788-329-0x00007FFFE6BF0000-0x00007FFFE76B1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-401-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4644-461-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4724-207-0x0000026AE10E0000-0x0000026AE10F0000-memory.dmp

Filesize
64KB

Download
memory/4724-208-0x0000026AE10E0000-0x0000026AE10F0000-memory.dmp

Filesize
64KB

Download
memory/4724-183-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/4724-184-0x0000026AE10E0000-0x0000026AE10F0000-memory.dmp

Filesize
64KB

Download
memory/4724-213-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/4848-326-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4848-328-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4848-396-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/4960-238-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/4960-239-0x000001566FD80000-0x000001566FD90000-memory.dmp

Filesize
64KB

Download
memory/4960-240-0x000001566FD80000-0x000001566FD90000-memory.dmp

Filesize
64KB

Download
memory/4960-256-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/4960-254-0x000001566FD80000-0x000001566FD90000-memory.dmp

Filesize
64KB

Download
memory/4960-252-0x000001566FD80000-0x000001566FD90000-memory.dmp

Filesize
64KB

Download
memory/5008-34-0x000001CA41AE0000-0x000001CA41AF0000-memory.dmp

Filesize
64KB

Download
memory/5008-36-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download
memory/5008-33-0x000001CA41AE0000-0x000001CA41AF0000-memory.dmp

Filesize
64KB

Download
memory/5008-32-0x000001CA41AE0000-0x000001CA41AF0000-memory.dmp

Filesize
64KB

Download
memory/5008-31-0x00007FFFE75A0000-0x00007FFFE8061000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads