af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

Resubmissions

30-05-2024 16:03

240530-thqrsaeh82 10

26-04-2024 19:20

26-04-2024 19:17

26-04-2024 19:15

26-04-2024 18:18

26-04-2024 17:46

18-04-2024 16:20

17-04-2024 20:42

Analysis

max time kernel
239s
max time network
613s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advbattoexeconverter.exe
Size

804KB
MD5

83bb1b476c7143552853a2cf983c1142
SHA1

8ff8ed5c533d70a7d933ec45264dd700145acd8c
SHA256

af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
SHA512

6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
SSDEEP

24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

advbattoexeconverter.exe

pid process

1848 advbattoexeconverter.exe
1848 advbattoexeconverter.exe
Modifies file permissions 1 TTPs 7 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid process

2300 takeown.exe
2780 takeown.exe
636 takeown.exe
2840 takeown.exe
2996 takeown.exe
320 takeown.exe
3020 takeown.exe
Drops file in Program Files directory 1 IoCs

Processes:

advbattoexeconverter.exe

description ioc process

File opened for modification C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.ini advbattoexeconverter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1848	advbattoexeconverter.exe
1848	advbattoexeconverter.exe

pid	process
2300	takeown.exe
2780	takeown.exe
636	takeown.exe
2840	takeown.exe
2996	takeown.exe
320	takeown.exe
3020	takeown.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.ini	advbattoexeconverter.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2280 taskkill.exe
2380 taskkill.exe
2424 taskkill.exe
1524 taskkill.exe
2152 taskkill.exe
1432 taskkill.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

2596 chrome.exe
2596 chrome.exe
2596 chrome.exe
2596 chrome.exe

pid	process
2280	taskkill.exe
2380	taskkill.exe
2424	taskkill.exe
1524	taskkill.exe
2152	taskkill.exe
1432	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeSndVol.exe

pid	process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2136	SndVol.exe
2136	SndVol.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeSndVol.exe

pid	process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2136	SndVol.exe
2136	SndVol.exe
2136	SndVol.exe
2136	SndVol.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2596 wrote to memory of 2692	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2692	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2692	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1676	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1736	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1736	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1736	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2192	2596	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe
"C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:1848

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6029758,0x7fef6029768,0x7fef6029778
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1316 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1512 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1568 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3544 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1304,i,15555312518892559635,16064152771679710856,131072 /prefetch:8
  2⤵
  PID:2884

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2472

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45221015 13094
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2136

C:\Windows\notepad.exe
"C:\Windows\notepad.exe"
1⤵
PID:3024

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\real.bat" "
1⤵
PID:968
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2056
- C:\Windows\system32\takeown.exe
  takeown /F System32
  2⤵
  - Modifies file permissions
  PID:2300

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2476

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\real.bat" "
1⤵
PID:1676
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2884
- C:\Windows\system32\takeown.exe
  takeown /F System32
  2⤵
  - Modifies file permissions
  PID:2780
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sysWOW64
  2⤵
  - Kills process with taskkill
  PID:1524

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\real.bat" "
1⤵
PID:2288
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1064
- C:\Windows\system32\takeown.exe
  takeown /F System32
  2⤵
  - Modifies file permissions
  PID:636
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sysWOW64
  2⤵
  - Kills process with taskkill
  PID:2152

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\real.bat" "
1⤵
PID:2188
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1624
- C:\Windows\system32\takeown.exe
  takeown /F System32
  2⤵
  - Modifies file permissions
  PID:2840
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sysWOW64
  2⤵
  - Kills process with taskkill
  PID:1432

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\real.bat" "
1⤵
PID:968
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2336
- C:\Windows\system32\takeown.exe
  takeown /F System32
  2⤵
  - Modifies file permissions
  PID:2996
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sysWOW64
  2⤵
  - Kills process with taskkill
  PID:2280

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\real.bat" "
1⤵
PID:2068
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:752
- C:\Windows\system32\takeown.exe
  takeown /F System32
  2⤵
  - Modifies file permissions
  PID:320
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sysWOW64
  2⤵
  - Kills process with taskkill
  PID:2380

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
PID:2012

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2140

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\real.bat" "
1⤵
PID:2060
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2160
- C:\Windows\system32\takeown.exe
  takeown /F System32
  2⤵
  - Modifies file permissions
  PID:3020
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wininit.exe
  2⤵
  - Kills process with taskkill
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4a5153a6-25b3-4013-8a91-d6f628b0771e.tmp

Filesize
5KB

MD5
c019143196a048aeeae417dc5cc9f867

SHA1
f045259e269616f8c8667c018b50461c48ea2579

SHA256
5db21b47c0c478a9354cf981f6bdc64bf8d89c5f6fad7af86bc2e9dbf3149a76

SHA512
a8f4d661a5f898733a8a9b4e9fe90e4a0a66f00eaceba1d458ca35352b622ac2b88fc09a7a1c1eb9e937e09ffe3d310b07f9c5e415489e41854fc0cde12847a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
878B

MD5
d62145f99730abc29e4a21f9cd05cc99

SHA1
f2c7fd43240b90b44db32814e0fa4d71ccd2c945

SHA256
fe92e74684667186447168510f5dfc146698c5d93cd1c4046c4175fb7e35f17b

SHA512
a939b1d61a3fa7e2f9143ec2049270e6a3b664434d28420794e54bd433b2d2fbf6cce0c2e37fcc272245a187dd98b87f1d4c2f5809094da70d8ae95b12127cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
682B

MD5
8691e651c0a95f685efbbbacfdb55d28

SHA1
b0b7a80d70a8da1f8c4b7201f5faa680e755dcf9

SHA256
f1b7da4be34cf5e2a4d1b0c61b2cde7bdbbb10ac286e14c7da637ea443c97455

SHA512
fcab7bd17972e407f00a80b8eee84d0e28a2a0ab4e56ccb490fe0bf14e4fd7c8ece328105fad13c4ea9266a14ee315519e05a16979d919629e55ffc4e08862d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c14b2a36995770492566828bd112f755

SHA1
1496f805d7b25f1574c89efa6ba1877b1c013b2b

SHA256
4967d8f659486e57baf82a926954aaf4f113eab29f97f857c5ff77e8dad33fa4

SHA512
808791aa0d3f875269ce378c95c4f4d194d5ed34094b81d30eea26e9a99e3512d95b084ce7ec1da9c9f2156cbae013db21e9c50d65d10328e000c5f719a259ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\Downloads\real.bat

Filesize
72B

MD5
83bf000bbc3012b265035707b7f35dc0

SHA1
8d293029039a4a03cf3a083a08f24a30acfc4366

SHA256
cdcf02dce85bdac1ca5b93465acd038c7e91c8dbe61ef77bdbfe9d6c0a139c26

SHA512
e9a242ee1f021796996912c63030a5d0cf06a348514adca23de4ca816dd5a1b378390ca4bf64b0effa015066d3b717097e69c93335f65d620bd07cf586930f6f

Download Submit
C:\Users\Admin\Downloads\real.bat

Filesize
100B

MD5
450b909e41f04128f7ba2a6a3e4fd478

SHA1
74108dbef7d457a70df1b97785fe56f175c5bf6c

SHA256
96e1770b9130ee5542a6977f0a328bce10b40c39c64c228fd93c8e54dd7a76c9

SHA512
3503da2771b027631269fa9da0e520275c4828046f3c1b612763130b19e88adcf5311312aac4815acb3928b2e4420d8856eb2892623a3e1b78386552a994a349

Download Submit
C:\Users\Admin\Downloads\real.bat

Filesize
103B

MD5
8b15428e66c0ce51f579082cb53b5c17

SHA1
054de01676057a912446dd9526919590003ea064

SHA256
2b329362473361040e2d8256718f253a288830f451d4ab039fc6d4411cee4056

SHA512
4050cdbfc17aa9ee92265d29597b5ac48839271faf6d502a48b1594b3d3daf97497896629fea661ecf972077bdae0c2f30cab774aca9ec69234dd89fe68c73f7

Download Submit
\??\pipe\crashpad_2596_UHDZGZHEBIXXJZZU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\gentee00\gentee.dll

Filesize
100KB

MD5
30439e079a3d603c461d2c2f4f8cb064

SHA1
aaf470f6bd8deadedbc31adf17035041176c6134

SHA256
d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a

SHA512
607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Download Submit
\Users\Admin\AppData\Local\Temp\gentee00\guig.dll

Filesize
20KB

MD5
f78ee6369ada1fb02b776498146cc903

SHA1
d5ba66acdab6a48327c76796d28be1e02643a129

SHA256
f1073319d4868d38e0ae983ad42a00cdc53be93b31275b4b55af676976c1aa3f

SHA512
88cff3e58cf66c3f2b5b3a65b8b9f9e8ac011e1bd6025cadadb0f765f062cb3d608c23c2d3832f89ada0b7681170dce1ee4a0b8b873e84135756d14ba8c69fa9

Download Submit
memory/2136-127-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/3024-169-0x0000000003EA0000-0x0000000003EB0000-memory.dmp

Filesize
64KB

Download