Resubmissions

17/04/2024, 11:54

240417-n29fcafd81 8

17/04/2024, 11:54

240417-n285ksdh43 8

17/04/2024, 11:54

240417-n28h2sfd8z 8

17/04/2024, 11:54

240417-n246mafd8x 8

17/04/2024, 11:54

240417-n24j4afd8w 8

16/04/2024, 10:48

240416-mwlxesad2t 8

Analysis

  • max time kernel
    1800s
  • max time network
    1801s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/04/2024, 11:54

General

  • Target

    e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe

  • Size

    5.3MB

  • MD5

    4a6096deaaaf3fe393b61d66540ce4ab

  • SHA1

    9f91f6feae419a73a3371e06206b5e459281cff0

  • SHA256

    e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5

  • SHA512

    9322c12a042ef7914bedf73618b135775f99bcc352e23b606e6887f1e7843bda3fb9025a06eefb4bd1468a69565f6f8d34bacf0d0fcbd4ee7c34cd46c96e6d01

  • SSDEEP

    98304:GBze+DWzwgfjGmMdivlucHq81K0U4DzRtNCC6rYOALRiNKpRyE3Rb1:4ze9cidud8pUSzpXOALRi4pT91

Score
8/10

Malware Config

Signatures

  • Contacts a large (755) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 22 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
    "C:\Users\Admin\AppData\Local\Temp\e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:2144
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Users\Admin\AppData\Local\Temp\~tlDBA0.tmp
        C:\Users\Admin\AppData\Local\Temp\~tlDBA0.tmp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\system32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
          PID:2444
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2540
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:1992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2960
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
            PID:580
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:1096
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:892
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                PID:2312
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:824
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:1376
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2936
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1920
                • C:\Users\Admin\AppData\Local\Temp\~tlB184.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tlB184.tmp
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2328
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                    PID:2088
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:2932
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:2488
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2532
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2752
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {8A3CBC4D-EBAC-44C9-9A43-BE6BD86608EC} S-1-5-18:NT AUTHORITY\System:Service:
            1⤵
            • Loads dropped DLL
            PID:904
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:2184
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                3⤵
                • Modifies data under HKEY_USERS
                PID:1160
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                PID:2840
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                PID:1856
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                3⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2548
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2712
              • C:\Windows\TEMP\~tl3D9D.tmp
                C:\Windows\TEMP\~tl3D9D.tmp
                3⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:2876
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  4⤵
                  • Modifies data under HKEY_USERS
                  PID:592
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  PID:2976
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  PID:2096
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  4⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:324
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  4⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1492
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {F26AC842-98E7-478A-AC5C-E9B53A55C178} S-1-5-18:NT AUTHORITY\System:Service:
            1⤵
            • Loads dropped DLL
            PID:1672
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:2944
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                3⤵
                • Modifies data under HKEY_USERS
                PID:2964
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                PID:2112
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                3⤵
                • Modifies Windows Firewall
                PID:1516
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1012
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2552
              • C:\Windows\TEMP\~tl9E33.tmp
                C:\Windows\TEMP\~tl9E33.tmp
                3⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:3048
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  4⤵
                  • Modifies data under HKEY_USERS
                  PID:2888
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  PID:1900
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  PID:1628
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  4⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2828
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  4⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2032
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {B0442702-F50B-4BA7-8FB9-2C8E24CC6B76} S-1-5-18:NT AUTHORITY\System:Service:
            1⤵
            • Loads dropped DLL
            PID:1400
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:2508
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                3⤵
                PID:2900
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:2040
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  PID:2056
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1960
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2604
                • C:\Windows\TEMP\~tl3E8.tmp
                  C:\Windows\TEMP\~tl3E8.tmp
                  3⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2140
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    4⤵
                    • Modifies data under HKEY_USERS
                    PID:852
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    4⤵
                    • Modifies Windows Firewall
                    PID:2296
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    4⤵
                    • Modifies Windows Firewall
                    PID:2292
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    4⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2952
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    4⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:828
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {8F25A42F-7E85-4229-BE55-7745E9D686B4} S-1-5-18:NT AUTHORITY\System:Service:
              1⤵
              • Loads dropped DLL
              PID:2716
              • \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:2552
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  3⤵
                  • Modifies data under HKEY_USERS
                  PID:2396
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:1252
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:2356
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2916
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1812
                • C:\Windows\TEMP\~tl8DA0.tmp
                  C:\Windows\TEMP\~tl8DA0.tmp
                  3⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2132
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    4⤵
                    • Modifies data under HKEY_USERS
                    PID:2268
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    4⤵
                    • Modifies Windows Firewall
                    PID:1404
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    4⤵
                    • Modifies Windows Firewall
                    PID:412
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    4⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2176
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    4⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:540

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

              Filesize

              7KB

              MD5

              3e4bf62fa3c132c9cd3ddcf676f80cab

              SHA1

              38994d194dcb8409bf192d7976372c08834bd515

              SHA256

              269dcc114ccd2c841dcc81a4def7cc397d706ec3dc9aef5d75f67e38e7ad0cc4

              SHA512

              ddf066721dbbebc3115015e6ffb54abd829c908ce8edde53e8720b606ae005065f7b8baa4b14d069c2df7761ed1a45a7fdb90d7b7184bf15c491e8856ee93df8

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

              Filesize

              7KB

              MD5

              865682fb4abddbb4ea438c985de468a5

              SHA1

              50fcb2956aa4a8abe8d206703c65fc583d24ce9f

              SHA256

              3ccdd7852ada5163033a3b324a9d2581fd4dc9c18a5603f553a1ce99ae6b1035

              SHA512

              fedd745b59623b9a983d074868a37a02ec5430d5115a835a1d3217ca5e641ed61d7d09339f4d9d561075159cc122304cd2a32bd339e7f6f45047240961dd95b8

            • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

              Filesize

              2.6MB

              MD5

              8c8bc1908db7ac54e1dd393839811249

              SHA1

              00d3e7d05a0abd7dd8d764a13a90d027c06382a4

              SHA256

              b684399e3c8c9fe286edc15d8a6e14ea9ae7795ea7b5371865140e50fb678b3a

              SHA512

              438d374c3c0ba6db776767906f8ee5cadc4e6042c26f2da4715049f697a7d63e7d178c0e191b8edf91ed1e401401f813c34cd66c0f0b9911826d0b913f3de6d4

            • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

              Filesize

              5.9MB

              MD5

              585236556f90d3c3a92cb6fabf486a36

              SHA1

              0cd3190c6cd4c4c7c0a748dbb0140bc589623e45

              SHA256

              972cccca6fe2538126c7379b1e5f5ec57743075332d76dbd39e4d95fff4aa26e

              SHA512

              392e8e14122c1992aa76f4253da0708c31d95e549cf73d0af943287a2c148642987fd65d776c6d2d3dc41b929edb7c5659454c0f8dd46be9db74a97832fe6c10

            • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg

              Filesize

              393KB

              MD5

              72e28e2092a43e0d70289f62bec20e65

              SHA1

              944f2b81392ee946f4767376882c5c1bda6dddb5

              SHA256

              6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f

              SHA512

              31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466

            • \Users\Admin\AppData\Local\Temp\~tlB184.tmp

              Filesize

              393KB

              MD5

              9dbdd43a2e0b032604943c252eaf634a

              SHA1

              9584dc66f3c1cce4210fdf827a1b4e2bb22263af

              SHA256

              33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

              SHA512

              b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

            • \Users\Admin\AppData\Local\Temp\~tlDBA0.tmp

              Filesize

              385KB

              MD5

              e802c96760e48c5139995ffb2d891f90

              SHA1

              bba3d278c0eb1094a26e5d2f4c099ad685371578

              SHA256

              cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

              SHA512

              97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

            • \Windows\system\svchost.exe

              Filesize

              5.3MB

              MD5

              4a6096deaaaf3fe393b61d66540ce4ab

              SHA1

              9f91f6feae419a73a3371e06206b5e459281cff0

              SHA256

              e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5

              SHA512

              9322c12a042ef7914bedf73618b135775f99bcc352e23b606e6887f1e7843bda3fb9025a06eefb4bd1468a69565f6f8d34bacf0d0fcbd4ee7c34cd46c96e6d01
