280ecad44f11adc484a3cc298155497699e27c5d862e914e59a3636dd383b724

Analysis

max time kernel
45s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 07:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Elite-Free-tweaking-Panel-OG.test.ps1
Size

1.0MB
MD5

9bb079d59857359641f20ed37185998a
SHA1

adaf3102fb5de1214e6cc7ee828f1390ccd55b27
SHA256

280ecad44f11adc484a3cc298155497699e27c5d862e914e59a3636dd383b724
SHA512

81d49bd3fe6f5e4d8997fab3d638b4c1041ff15ea4c59a752a59b647dbe7410781ee08ee1f2f9fa2ea1d4d0755660ec5847211cc318085c0a0f5d284f3669c5e
SSDEEP

24576:c9L2GqhPTQCW2u4gzS0SoxJvoorMllowz1p9ghXtFMEIdpS+weAcEul2IXub4sJ1:c9L2GqhPTQCW2u4gzS0SoxJvoorMllol

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe
4996	powershell.exe
3364	powershell.exe
3592	powershell.exe
1692	powershell.exe
4368	powershell.exe
4244	powershell.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

T1112

pid	Process
4808	reg.exe
4240	reg.exe
4316	reg.exe
3592	reg.exe
4692	reg.exe
3332	reg.exe
2472	reg.exe
2064	reg.exe
3292	reg.exe
892	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4368	powershell.exe
4368	powershell.exe
4244	powershell.exe
4244	powershell.exe
3556	powershell.exe
3556	powershell.exe
4996	powershell.exe
4996	powershell.exe
3364	powershell.exe
3364	powershell.exe
3592	powershell.exe
3592	powershell.exe
1692	powershell.exe
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeIncreaseQuotaPrivilege	4244	powershell.exe
Token: SeSecurityPrivilege	4244	powershell.exe
Token: SeTakeOwnershipPrivilege	4244	powershell.exe
Token: SeLoadDriverPrivilege	4244	powershell.exe
Token: SeSystemProfilePrivilege	4244	powershell.exe
Token: SeSystemtimePrivilege	4244	powershell.exe
Token: SeProfSingleProcessPrivilege	4244	powershell.exe
Token: SeIncBasePriorityPrivilege	4244	powershell.exe
Token: SeCreatePagefilePrivilege	4244	powershell.exe
Token: SeBackupPrivilege	4244	powershell.exe
Token: SeRestorePrivilege	4244	powershell.exe
Token: SeShutdownPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeSystemEnvironmentPrivilege	4244	powershell.exe
Token: SeRemoteShutdownPrivilege	4244	powershell.exe
Token: SeUndockPrivilege	4244	powershell.exe
Token: SeManageVolumePrivilege	4244	powershell.exe
Token: 33	4244	powershell.exe
Token: 34	4244	powershell.exe
Token: 35	4244	powershell.exe
Token: 36	4244	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeIncreaseQuotaPrivilege	3556	powershell.exe
Token: SeSecurityPrivilege	3556	powershell.exe
Token: SeTakeOwnershipPrivilege	3556	powershell.exe
Token: SeLoadDriverPrivilege	3556	powershell.exe
Token: SeSystemProfilePrivilege	3556	powershell.exe
Token: SeSystemtimePrivilege	3556	powershell.exe
Token: SeProfSingleProcessPrivilege	3556	powershell.exe
Token: SeIncBasePriorityPrivilege	3556	powershell.exe
Token: SeCreatePagefilePrivilege	3556	powershell.exe
Token: SeBackupPrivilege	3556	powershell.exe
Token: SeRestorePrivilege	3556	powershell.exe
Token: SeShutdownPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeSystemEnvironmentPrivilege	3556	powershell.exe
Token: SeRemoteShutdownPrivilege	3556	powershell.exe
Token: SeUndockPrivilege	3556	powershell.exe
Token: SeManageVolumePrivilege	3556	powershell.exe
Token: 33	3556	powershell.exe
Token: 34	3556	powershell.exe
Token: 35	3556	powershell.exe
Token: 36	3556	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	powershell.exe
Token: SeSecurityPrivilege	4996	powershell.exe
Token: SeTakeOwnershipPrivilege	4996	powershell.exe
Token: SeLoadDriverPrivilege	4996	powershell.exe
Token: SeSystemProfilePrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	4996	powershell.exe
Token: SeProfSingleProcessPrivilege	4996	powershell.exe
Token: SeIncBasePriorityPrivilege	4996	powershell.exe
Token: SeCreatePagefilePrivilege	4996	powershell.exe
Token: SeBackupPrivilege	4996	powershell.exe
Token: SeRestorePrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	powershell.exe
Token: SeRemoteShutdownPrivilege	4996	powershell.exe
Token: SeUndockPrivilege	4996	powershell.exe
Token: SeManageVolumePrivilege	4996	powershell.exe
Token: 33	4996	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1692	4368	powershell.exe	86
PID 4368 wrote to memory of 1692	4368	powershell.exe	86
PID 4368 wrote to memory of 5012	4368	powershell.exe	87
PID 4368 wrote to memory of 5012	4368	powershell.exe	87
PID 4368 wrote to memory of 2244	4368	powershell.exe	88
PID 4368 wrote to memory of 2244	4368	powershell.exe	88
PID 4368 wrote to memory of 3636	4368	powershell.exe	89
PID 4368 wrote to memory of 3636	4368	powershell.exe	89
PID 4368 wrote to memory of 4464	4368	powershell.exe	90
PID 4368 wrote to memory of 4464	4368	powershell.exe	90
PID 4368 wrote to memory of 4348	4368	powershell.exe	91
PID 4368 wrote to memory of 4348	4368	powershell.exe	91
PID 4368 wrote to memory of 1836	4368	powershell.exe	92
PID 4368 wrote to memory of 1836	4368	powershell.exe	92
PID 4368 wrote to memory of 4204	4368	powershell.exe	93
PID 4368 wrote to memory of 4204	4368	powershell.exe	93
PID 4368 wrote to memory of 1528	4368	powershell.exe	94
PID 4368 wrote to memory of 1528	4368	powershell.exe	94
PID 4368 wrote to memory of 2616	4368	powershell.exe	95
PID 4368 wrote to memory of 2616	4368	powershell.exe	95
PID 4368 wrote to memory of 2152	4368	powershell.exe	96
PID 4368 wrote to memory of 2152	4368	powershell.exe	96
PID 4368 wrote to memory of 4524	4368	powershell.exe	97
PID 4368 wrote to memory of 4524	4368	powershell.exe	97
PID 4368 wrote to memory of 4256	4368	powershell.exe	98
PID 4368 wrote to memory of 4256	4368	powershell.exe	98
PID 4368 wrote to memory of 224	4368	powershell.exe	99
PID 4368 wrote to memory of 224	4368	powershell.exe	99
PID 4368 wrote to memory of 2424	4368	powershell.exe	100
PID 4368 wrote to memory of 2424	4368	powershell.exe	100
PID 4368 wrote to memory of 3720	4368	powershell.exe	101
PID 4368 wrote to memory of 3720	4368	powershell.exe	101
PID 4368 wrote to memory of 4912	4368	powershell.exe	102
PID 4368 wrote to memory of 4912	4368	powershell.exe	102
PID 4368 wrote to memory of 4468	4368	powershell.exe	103
PID 4368 wrote to memory of 4468	4368	powershell.exe	103
PID 4368 wrote to memory of 4076	4368	powershell.exe	104
PID 4368 wrote to memory of 4076	4368	powershell.exe	104
PID 4368 wrote to memory of 4252	4368	powershell.exe	105
PID 4368 wrote to memory of 4252	4368	powershell.exe	105
PID 4368 wrote to memory of 4244	4368	powershell.exe	106
PID 4368 wrote to memory of 4244	4368	powershell.exe	106
PID 4368 wrote to memory of 664	4368	powershell.exe	107
PID 4368 wrote to memory of 664	4368	powershell.exe	107
PID 4368 wrote to memory of 4900	4368	powershell.exe	108
PID 4368 wrote to memory of 4900	4368	powershell.exe	108
PID 4368 wrote to memory of 1500	4368	powershell.exe	109
PID 4368 wrote to memory of 1500	4368	powershell.exe	109
PID 4368 wrote to memory of 2800	4368	powershell.exe	110
PID 4368 wrote to memory of 2800	4368	powershell.exe	110
PID 4368 wrote to memory of 2276	4368	powershell.exe	111
PID 4368 wrote to memory of 2276	4368	powershell.exe	111
PID 4368 wrote to memory of 3504	4368	powershell.exe	112
PID 4368 wrote to memory of 3504	4368	powershell.exe	112
PID 4368 wrote to memory of 5088	4368	powershell.exe	113
PID 4368 wrote to memory of 5088	4368	powershell.exe	113
PID 4368 wrote to memory of 1156	4368	powershell.exe	114
PID 4368 wrote to memory of 1156	4368	powershell.exe	114
PID 4368 wrote to memory of 4692	4368	powershell.exe	115
PID 4368 wrote to memory of 4692	4368	powershell.exe	115
PID 4368 wrote to memory of 3332	4368	powershell.exe	116
PID 4368 wrote to memory of 3332	4368	powershell.exe	116
PID 4368 wrote to memory of 4808	4368	powershell.exe	117
PID 4368 wrote to memory of 4808	4368	powershell.exe	117

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Elite-Free-tweaking-Panel-OG.test.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global rsc=enabled
  2⤵
  PID:1692
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global rss=disabled
  2⤵
  PID:5012
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global taskoffload=disabled
  2⤵
  PID:2244
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global blocknetworkdirect=enabled
  2⤵
  PID:3636
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global packetcoalescingfilter=enabled
  2⤵
  PID:4464
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global NumberOfReceiveQueues=2
  2⤵
  PID:4348
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global Profile=NumaStatic
  2⤵
  PID:1836
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global DisablePortScaling=disabled
  2⤵
  PID:4204
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global ManycoreScaling=disabled
  2⤵
  PID:1528
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv4 set global ipchecksumoffload=3
  2⤵
  PID:2616
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv4 set global tcpchecksumoffload=3
  2⤵
  PID:2152
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv4 set global udpchecksumoffload=3
  2⤵
  PID:4524
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv6 set global tcpchecksumoffload=3
  2⤵
  PID:4256
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv6 set global udpchecksumoffload=3
  2⤵
  PID:224
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv4 set global lsov1=0
  2⤵
  PID:2424
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv4 set global lsov2=1
  2⤵
  PID:3720
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ipv6 set global lsov2=1
  2⤵
  PID:4912
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global pmarpoffload=1
  2⤵
  PID:4468
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global pmsoffload=1
  2⤵
  PID:4076
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global interruptmoderation=0
  2⤵
  PID:4252
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global txintdelay=0
  2⤵
  PID:4244
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global packetdirect=undefined
  2⤵
  PID:664
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global coalesce=undefined
  2⤵
  PID:4900
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global updtxscaling=undefined
  2⤵
  PID:1500
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global armsleepstats=disabled
  2⤵
  PID:2800
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global connectedpowergating=disabled
  2⤵
  PID:2276
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global autopowersavemode=disabled
  2⤵
  PID:3504
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global delayedpowerup=disabled
  2⤵
  PID:5088
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global reducespeedonpowerdown=disabled
  2⤵
  PID:1156
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 /v EnableSavePowerNow /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4692
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 /v NicAutoPowerSaver /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3332
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider /v Class /t REG_DWORD /d 8 /f
  2⤵
  - Modifies registry key
  PID:4808
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider /v DnsPriority /t REG_DWORD /d 6 /f
  2⤵
  - Modifies registry key
  PID:4240
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider /v HostsPriority /t REG_DWORD /d 5 /f
  2⤵
  - Modifies registry key
  PID:2472
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider /v LocalPriority /t REG_DWORD /d 4 /f
  2⤵
  - Modifies registry key
  PID:4316
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider /v NetbtPriority /t REG_DWORD /d 7 /f
  2⤵
  - Modifies registry key
  PID:2064
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SOFTWARE\Microsoft\MSMQ\Parameters /v TCPNoDelay /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3592
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\NetBT /v Start /t REG_DWORD /d 4 /f
  2⤵
  - Modifies registry key
  PID:3292
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 /v EnableDynamicPowerGating /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:892
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface teredo set state disabled
  2⤵
  PID:1444
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface 6to4 set state disabled
  2⤵
  PID:4872
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" winsock reset
  2⤵
  PID:348
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int isatap set state disable
  2⤵
  PID:4704
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ip set global taskoffload=disabled
  2⤵
  PID:5044
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ip set global neighborcachelimit=4096
  2⤵
  PID:3868
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global timestamps=disabled
  2⤵
  PID:1524
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set heuristics disabled
  2⤵
  PID:1012
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global autotuninglevel=normal
  2⤵
  PID:4020
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global ecncapability=disabled
  2⤵
  PID:2184
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global rss=enabled
  2⤵
  PID:3080
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global rsc=disabled
  2⤵
  PID:3584
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global dca=enabled
  2⤵
  PID:4948
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global netdma=enabled
  2⤵
  PID:4816
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set global nonsackrttresiliency=disabled
  2⤵
  PID:4224
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set security mpp=disabled
  2⤵
  PID:652
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set supplemental Internet congestionprovider=ctcp
  2⤵
  PID:3616
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set security profiles=disabled
  2⤵
  PID:4932
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ip set global icmpredirects=disabled
  2⤵
  PID:4992
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int tcp set security mpp=disabled profiles=disabled
  2⤵
  PID:4076
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" int ip set global multicastforwarding=disabled
  2⤵
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Disable-NetAdapterLso -Name *"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Set-NetOffloadGlobalSetting -PacketCoalescingFilter disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Disable-NetAdapterChecksumOffload -Name * -IpIPv4 -TcpIPv4 -TcpIPv6 -UdpIPv4 -UdpIPv6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Disable-NetAdapterLso -Name *"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "ForEach ( In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name .Name -ErrorAction SilentlyContinue}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "ForEach ( In Get-NetAdapter){Disable-NetAdapterLso -Name .Name -ErrorAction SilentlyContinue}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
102406b0a9fd64f67b953e5acf0e3315

SHA1
f732473b214e87aba5c361d9b8dfac133911924e

SHA256
9504bfd6f7fb5db168a210a72ea150b9125e38b44396ae4915931e81f14cf06c

SHA512
94240a0cd429009266dd14ca88bb7c6b10691dbb78e8814de86aaa112ea533f65fd01dc81ee21c184c52d77185d96964d66425e5e86749c60383dd5a520b0c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4469da80518948f957d678827fd1ea52

SHA1
5c969149e21cfbcb9fe5f0f457a3233e27afba57

SHA256
84757302585db48599b5501271874b4190d27ea51e4e2de6fcca1f1c9e578a8d

SHA512
6579157eb74a257a20f599f84863a4047de161c3782fb1f7f14b30ef97ea1fe0b571a29f46af0ecbec9a33d8be199c9264abe3eb1ba7af2cdcea4ba1fb83093c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f096c681f020bf25437d537134c68841

SHA1
2b4823749851ee1419d7bc01c551253ccf7ee837

SHA256
ea7b82aef29f3a5e2acd520add099fa22c36f6e476964fed3ce4584a54d9743e

SHA512
72b087292c353eb63cc0a06c3df8d4151c399728451b789eed332109a0c6329c37211ad9ddec6de3a7e9055f838891fd51e3351c8788412ae90a33bec6655e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a4b0109917b3ee3459cc2c19bd86edc

SHA1
6c3b18002292e922f664dbe084b978a52fffd149

SHA256
75bd10ab39136e1226b3f25038cb00619268d08e3ece28e0ac4ce06bb1a7ab5a

SHA512
cc273ab966f2da81540447119120dd06e4e7643bafead35aad8d85f1e514cb85c13d297e1ccc539863cf3ab481bbef32df321010662b0202701c3d673b15792b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3bdd90e609e6d7d624ed50c64390602e

SHA1
ed43f887d4e586a78dedefd198ba0359396e0589

SHA256
4b600a12820ba118aa0ae48af32433a5e4a04c6a7f9c4aea83892bd08df45b96

SHA512
d0aa28ee773df315a0ad1469cc56ba333019a8e84deb293c104dc81d50eff1f10b77046cde310fcbe635bb55854c9dd52ffcb7c1e572abc8e50068773d49105a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tguko1nm.ig0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4368-16-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-0-0x00007FFEFB383000-0x00007FFEFB385000-memory.dmp

Filesize
8KB

Download
memory/4368-17-0x00007FFEFB383000-0x00007FFEFB385000-memory.dmp

Filesize
8KB

Download
memory/4368-18-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-19-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-20-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-15-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-14-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-13-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-12-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-11-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

Filesize
10.8MB

Download
memory/4368-10-0x0000024232D30000-0x0000024232D52000-memory.dmp

Filesize
136KB

Download