9235d2676794ff9cc054258ec08e894647ed0112a94f078c9b901d8f1aa049ce

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/ps7.bat
Size

1KB
MD5

836e111b6dfc84c70ef6fe21b9ebccc0
SHA1

0c7b272f348cdb6358d29cbeba9a851dfa525c18
SHA256

3195d2cf69059001b92914d3c0495fbdce875cdc8c5b4c9357206fb8c658b53c
SHA512

53c82a6d8725b92dc411dd4bc8d4001a70acf088538af84c686dbbda0f40159fbb8cb8122bd906537e542e12b8b7b649c686dcaf5b25425ca123c97048ca2cee

Score

10^/10

dropper execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Signatures

Blocklisted process makes network request 22 IoCs

flow	pid	Process
13	2564	powershell.exe
14	2564	powershell.exe
21	2852	powershell.exe
22	2852	powershell.exe
28	2124	powershell.exe
29	2124	powershell.exe
35	1940	powershell.exe
36	1940	powershell.exe
42	2284	powershell.exe
43	2284	powershell.exe
49	1636	powershell.exe
50	1636	powershell.exe
56	1740	powershell.exe
57	1740	powershell.exe
63	2488	powershell.exe
64	2488	powershell.exe
70	2576	powershell.exe
71	2576	powershell.exe
77	2784	powershell.exe
78	2784	powershell.exe
84	1768	powershell.exe
85	1768	powershell.exe

Download via BitsAdmin 1 TTPs 24 IoCs

dropper

BITS Jobs

T1197

pid	Process
2208	bitsadmin.exe
320	bitsadmin.exe
2020	bitsadmin.exe
2876	bitsadmin.exe
1328	bitsadmin.exe
1312	bitsadmin.exe
1420	bitsadmin.exe
2280	bitsadmin.exe
1956	bitsadmin.exe
1820	bitsadmin.exe
1536	bitsadmin.exe
2728	bitsadmin.exe
328	bitsadmin.exe
2160	bitsadmin.exe
604	bitsadmin.exe
112	bitsadmin.exe
2012	bitsadmin.exe
2592	bitsadmin.exe
1308	bitsadmin.exe
2544	bitsadmin.exe
536	bitsadmin.exe
3012	bitsadmin.exe
2828	bitsadmin.exe
2692	bitsadmin.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2284	powershell.exe
1636	powershell.exe
1740	powershell.exe
1768	powershell.exe
2124	powershell.exe
2852	powershell.exe
1940	powershell.exe
2488	powershell.exe
2576	powershell.exe
2784	powershell.exe
2304	powershell.exe
2564	powershell.exe
1748	powershell.exe
2436	powershell.exe
992	powershell.exe
2812	powershell.exe
848	powershell.exe
2420	powershell.exe
1976	powershell.exe
848	powershell.exe
1964	powershell.exe
2472	powershell.exe
3024	powershell.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 11 IoCs

evasion

pid	Process
2104	timeout.exe
1340	timeout.exe
2928	timeout.exe
1436	timeout.exe
2132	timeout.exe
3004	timeout.exe
2616	timeout.exe
2348	timeout.exe
2132	timeout.exe
2728	timeout.exe
1724	timeout.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2564	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2852	powershell.exe
848	powershell.exe
848	powershell.exe
848	powershell.exe
2124	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1940	powershell.exe
2284	powershell.exe
2420	powershell.exe
2420	powershell.exe
2420	powershell.exe
1636	powershell.exe
1748	powershell.exe
1748	powershell.exe
1748	powershell.exe
1740	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
2488	powershell.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
2576	powershell.exe
2436	powershell.exe
2436	powershell.exe
2436	powershell.exe
2784	powershell.exe
848	powershell.exe
848	powershell.exe
848	powershell.exe
1768	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1800	2324	cmd.exe	32
PID 2324 wrote to memory of 1800	2324	cmd.exe	32
PID 2324 wrote to memory of 1800	2324	cmd.exe	32
PID 1800 wrote to memory of 2484	1800	cmd.exe	33
PID 1800 wrote to memory of 2484	1800	cmd.exe	33
PID 1800 wrote to memory of 2484	1800	cmd.exe	33
PID 2324 wrote to memory of 2452	2324	cmd.exe	34
PID 2324 wrote to memory of 2452	2324	cmd.exe	34
PID 2324 wrote to memory of 2452	2324	cmd.exe	34
PID 2324 wrote to memory of 2488	2324	cmd.exe	35
PID 2324 wrote to memory of 2488	2324	cmd.exe	35
PID 2324 wrote to memory of 2488	2324	cmd.exe	35
PID 2324 wrote to memory of 604	2324	cmd.exe	36
PID 2324 wrote to memory of 604	2324	cmd.exe	36
PID 2324 wrote to memory of 604	2324	cmd.exe	36
PID 2324 wrote to memory of 2280	2324	cmd.exe	37
PID 2324 wrote to memory of 2280	2324	cmd.exe	37
PID 2324 wrote to memory of 2280	2324	cmd.exe	37
PID 2324 wrote to memory of 2684	2324	cmd.exe	38
PID 2324 wrote to memory of 2684	2324	cmd.exe	38
PID 2324 wrote to memory of 2684	2324	cmd.exe	38
PID 2324 wrote to memory of 2564	2324	cmd.exe	39
PID 2324 wrote to memory of 2564	2324	cmd.exe	39
PID 2324 wrote to memory of 2564	2324	cmd.exe	39
PID 2324 wrote to memory of 2728	2324	cmd.exe	40
PID 2324 wrote to memory of 2728	2324	cmd.exe	40
PID 2324 wrote to memory of 2728	2324	cmd.exe	40
PID 2324 wrote to memory of 2812	2324	cmd.exe	41
PID 2324 wrote to memory of 2812	2324	cmd.exe	41
PID 2324 wrote to memory of 2812	2324	cmd.exe	41
PID 2812 wrote to memory of 2608	2812	powershell.exe	42
PID 2812 wrote to memory of 2608	2812	powershell.exe	42
PID 2812 wrote to memory of 2608	2812	powershell.exe	42
PID 2608 wrote to memory of 1028	2608	cmd.exe	44
PID 2608 wrote to memory of 1028	2608	cmd.exe	44
PID 2608 wrote to memory of 1028	2608	cmd.exe	44
PID 1028 wrote to memory of 1156	1028	cmd.exe	45
PID 1028 wrote to memory of 1156	1028	cmd.exe	45
PID 1028 wrote to memory of 1156	1028	cmd.exe	45
PID 2608 wrote to memory of 1340	2608	cmd.exe	46
PID 2608 wrote to memory of 1340	2608	cmd.exe	46
PID 2608 wrote to memory of 1340	2608	cmd.exe	46
PID 2608 wrote to memory of 1984	2608	cmd.exe	47
PID 2608 wrote to memory of 1984	2608	cmd.exe	47
PID 2608 wrote to memory of 1984	2608	cmd.exe	47
PID 2608 wrote to memory of 1956	2608	cmd.exe	48
PID 2608 wrote to memory of 1956	2608	cmd.exe	48
PID 2608 wrote to memory of 1956	2608	cmd.exe	48
PID 2608 wrote to memory of 536	2608	cmd.exe	49
PID 2608 wrote to memory of 536	2608	cmd.exe	49
PID 2608 wrote to memory of 536	2608	cmd.exe	49
PID 2608 wrote to memory of 2876	2608	cmd.exe	50
PID 2608 wrote to memory of 2876	2608	cmd.exe	50
PID 2608 wrote to memory of 2876	2608	cmd.exe	50
PID 2608 wrote to memory of 2852	2608	cmd.exe	51
PID 2608 wrote to memory of 2852	2608	cmd.exe	51
PID 2608 wrote to memory of 2852	2608	cmd.exe	51
PID 2608 wrote to memory of 1436	2608	cmd.exe	52
PID 2608 wrote to memory of 1436	2608	cmd.exe	52
PID 2608 wrote to memory of 1436	2608	cmd.exe	52
PID 2608 wrote to memory of 848	2608	cmd.exe	53
PID 2608 wrote to memory of 848	2608	cmd.exe	53
PID 2608 wrote to memory of 848	2608	cmd.exe	53
PID 848 wrote to memory of 2936	848	powershell.exe	54

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2484
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2452
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2488
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
  2⤵
  - Download via BitsAdmin
  PID:604
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
  2⤵
  - Download via BitsAdmin
  PID:2280
- C:\Windows\system32\wusa.exe
  wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
  2⤵
  - Drops file in Windows directory
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1156
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1340
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1984
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
      4⤵
      Download via BitsAdmin
      PID:1956
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
      4⤵
      Download via BitsAdmin
      PID:536
  - - C:\Windows\system32\wusa.exe
      wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        5⤵
        
        PID:2936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        6⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:1632
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1980
      - C:\Windows\system32\chcp.com
        
        chcp 437
        6⤵
        
        PID:684
      - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        6⤵
        Download via BitsAdmin
        
        PID:1820
      - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        6⤵
        Download via BitsAdmin
        
        PID:112
      - C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:3036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
      - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1724
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        7⤵
        
        PID:1412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        8⤵
        
        PID:1888
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:1668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:560
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        8⤵
        
        PID:2192
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        8⤵
        Download via BitsAdmin
        
        PID:1536
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        8⤵
        Download via BitsAdmin
        
        PID:3012
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        8⤵
        Drops file in Windows directory
        
        PID:2128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        8⤵
        Delays execution with timeout.exe
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        9⤵
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        10⤵
        
        PID:2644
        
        C:\Windows\system32\chcp.com
        
        chcp
        11⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        10⤵
        
        PID:2336
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        10⤵
        Download via BitsAdmin
        
        PID:2828
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        10⤵
        Download via BitsAdmin
        
        PID:2692
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        10⤵
        Drops file in Windows directory
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        10⤵
        Delays execution with timeout.exe
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        11⤵
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        12⤵
        
        PID:2448
        
        C:\Windows\system32\chcp.com
        
        chcp
        13⤵
        
        PID:1404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        12⤵
        
        PID:2924
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        12⤵
        Download via BitsAdmin
        
        PID:2208
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        12⤵
        Download via BitsAdmin
        
        PID:320
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        12⤵
        Drops file in Windows directory
        
        PID:2648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        12⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        12⤵
        Delays execution with timeout.exe
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        13⤵
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        14⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp
        15⤵
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        14⤵
        
        PID:2492
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        14⤵
        Download via BitsAdmin
        
        PID:2012
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        14⤵
        Download via BitsAdmin
        
        PID:2020
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        14⤵
        Drops file in Windows directory
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        14⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        14⤵
        Delays execution with timeout.exe
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        15⤵
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        16⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp
        17⤵
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        16⤵
        
        PID:3016
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        16⤵
        Download via BitsAdmin
        
        PID:1328
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        16⤵
        Download via BitsAdmin
        
        PID:1308
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        16⤵
        Drops file in Windows directory
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        16⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        16⤵
        Delays execution with timeout.exe
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        17⤵
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        18⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp
        19⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        18⤵
        
        PID:2252
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        18⤵
        Download via BitsAdmin
        
        PID:2592
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        18⤵
        Download via BitsAdmin
        
        PID:2728
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        18⤵
        Drops file in Windows directory
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        18⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        18⤵
        Delays execution with timeout.exe
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        19⤵
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        20⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp
        21⤵
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1816
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        20⤵
        
        PID:2208
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        20⤵
        Download via BitsAdmin
        
        PID:2544
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        20⤵
        Download via BitsAdmin
        
        PID:2876
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        20⤵
        Drops file in Windows directory
        
        PID:1196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        20⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        21⤵
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        22⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp
        23⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        22⤵
        
        PID:1944
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        22⤵
        Download via BitsAdmin
        
        PID:328
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        22⤵
        Download via BitsAdmin
        
        PID:1312
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        22⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        22⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        22⤵
        Delays execution with timeout.exe
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        23⤵
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        24⤵
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp
        25⤵
        
        PID:2240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:568
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        24⤵
        
        PID:3012
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        24⤵
        Download via BitsAdmin
        
        PID:1420
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        24⤵
        Download via BitsAdmin
        
        PID:2160
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        24⤵
        Drops file in Windows directory
        
        PID:1084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cc52a9c5b70db18ed99048b0066317a3

SHA1
fe9b879fcca00ecc5162ee929ca061ebc19966c8

SHA256
2b2b16dd240d92d213fe42e4ced24e421020a23e81a10d7de8df179042900b2b

SHA512
fc6ffc67714b2af0ecabb6b5b55bf58ac1dad85ed1f1b510abc57d24fa133a385292226ca3ceee76e0fa25e7d96c4d3595c6c71e828b3f7be17ce8ac802fd976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5df216838f31abc22a308a5cc393f527

SHA1
87143f6bf9b3cb72c5ed670219c39739cffe333f

SHA256
97da72cfa705c31c8408a69743b55b9e90376a122531d7222bc716bf3a54578f

SHA512
b577287d6f48a7bc8a9478f17dbce5c80d2472b944e899325edff2be0cbf015f86be3786cefa362c81eeee06bc5eb7ea29c97e05c0fc8793e0323b52d113d550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4dd3ecdcbb339f2ae78d992172ed87f3

SHA1
c7b92acfa79ed9f58ef5180b45e7af2d6a724c66

SHA256
b3e40f0223a5f03f9096990c813ad03bff9c9a4f4ccf077f455b47418af1c962

SHA512
0891edf20149cb4ec0e7720abce4ff65c0606ad73c63fa0cf392212b8feecb325d9e04b36ad93d4a3ddbb67f62cad97a6cc8a78b4d30bd122a23b8dc354b6545

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28dfe8a38bd5aa4947cc1ac1c7ffbb4d

SHA1
7a2ad8f1b6387d10845526d5f5c330e72273bc5b

SHA256
35ead1b06abfe3aeff360ff20b2c17bf5ae6262f20badd3bf5373073a65ba634

SHA512
74f6bc619cfd630f64abccdf685249bb21f149b0f80453e5cdbed832a09ce46916f88b24eec7eb303f10787164710210f512409c84bbf684b1ac20c464d622cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3ebcd647b3a68c4020cd32215af6e49c

SHA1
f4b7cc3a425763ca857fd4bee9fe30a4fdefc4e9

SHA256
4e97212b7d5e32512762391b33489eda28d7ed4be327489eb901403c71aa82ad

SHA512
347c99417c3dd12ed506af696d3ed0672faf63e3109e674c407c25ad079fca0461a77fa27cc156d7ccb90310d9192e3e970eed00288f2bd4ed5037bc7b251e54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c458124d6465c145a8c928e881323bf

SHA1
03fe9c89a4cb02c4e020c002bbdcb5a4a907be69

SHA256
d7d1ac78b510f4d5ab95f93734301fdddeabd5bbec33e81043a9fe7d917dc1c0

SHA512
100b2da4156457d401022c5c7c78714581d23296c6373821a698c29f03d8f1fbb626396bb4a5447bd544474c08711a0b9f3500b192de8b29839839450ce325ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e29343c2571176451f7fb6be76b3021a

SHA1
339247706d5265ffc1c3f3047d0bda252692def2

SHA256
87de205a7af92ef1817007fd1efb79df15d6f981f13b7de4766495628a53ef28

SHA512
6f84af1fd89839f61832b4f3aedae93ebae0791affcbf37612885d246371b7ad9f526c8124159cb631dcec3834e39ab3c131e66b059a5b7bf58f1e4f7c50d25b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1eaeb7efeef1f7e6d93bdcd394786039

SHA1
9a62506bd2cdc866fefb9a1f44241c267ba5f9b1

SHA256
a24b31c0084f0e74baa2a17af1b6f9ee62ff57814b802434567754592d683715

SHA512
f5227c920e1c5231632363d614c22282053224bfc589da62fca0f1d5dfdc91677521ba2940a1e6f29696ac214f4ada5faa636517f35e7d6161800e74a12d972a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f4251d6656e5315d26763ea0daccf3f

SHA1
c2e5a9a4f8631b29736fb67b1fa4239350dc6348

SHA256
29f2454d6459a256dfc0a635624f3c243b496439e844f39423fa54d14085d3a3

SHA512
27f4ba07dbdb6d3f3baa75c3532a888633f5666844ebe4fd03add931301e14a11aeb4f59c4b2b03bbb0753434347f7866e6c38b77c278ac79cc2ec0fa4f328cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8565df95a59596f15069929d43195920

SHA1
6e31056bd2cb50cebbd097cc1946d5e4b5d006ff

SHA256
f6524eef38aae30832afd8716a7ff14c26b853e0c6587fb91532271a8cd0eb6c

SHA512
0015e7ce066ff99267a027a01a072bfd645b1f8b7843847111365ecf103163be93345a916797f862d3df06b38974aaccd0aaf6d10e79a685b042e465f3202c5c

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
12KB

MD5
cf0fd065da142e2b7033d25e415155c2

SHA1
b3d8df5c353d7f9cab097f47aa91aa0c7d1d42e3

SHA256
f05c37f8441726efe6b1c3bd95d3866374732fd3c98bcbc6dafaab21fbc9422a

SHA512
ad54e5d1a339b21d89c8079c818cf0debcf0f539cb8a2a83f25815e2b4a6f6b393638e08c924152ee322ecb14dda452e65d788d5a199131e4c578bae49ab9e40

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
13KB

MD5
208c9eb3902101780d8327b13e8caf41

SHA1
0b684d1b4e0e5f3f2069bbeae392691ac9fb8e1d

SHA256
90da178e8f6dd15047229d325b7c6b2051e6a5a393af62778e82213df45ec613

SHA512
629bedcd8d9680cbd7addc1f9eec55df866440c3dfb0ec9c7dec1080ee4842dd7d8743fb16dc17ad522b63126b65b2939b0b9aab6e1ecdef67f422fd8f6c93b4

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
13KB

MD5
ff119173a3f248e83b5101fe665df8c2

SHA1
c19b179d73e83555348eaec9d6e630a0db664da6

SHA256
5cad8045dd4f5cd6ca6654cd571c5d1afbd97b91185706c9466e26b69527c091

SHA512
012275c5114ac642f1e3cb3d9f287109013330b8b28f31863f148cf5b8fd11678f7f4d0b6b6a78deea50c8eb600be11f3e67cc57cd78ce328b0f5015e02cbc8f

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
0482c29562167ad70d852b806a46ce64

SHA1
a46f82ab474ee6a9cf77041a1bdd2a05632bec63

SHA256
f89ac1137d5199fe492c39e7647f1a695f45d52c6a299dd70e779836860df3f5

SHA512
ff1c6cad3a074aea44d89b226a977d1579e0160ab771dfa1023d26c7f5a073aaa8c54015e127c68e8858ed34ced6a9cca80d27f741714c9f534e763527b3d698

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
7KB

MD5
4fda6f1805bd6ab05bdf9297cf6d1530

SHA1
3762522ce9bb811edd3e09d8553857e91a5749ad

SHA256
fa17b1374d0062b745bb2b21de61573bb6f963dd84e238e9cf2a6a898832399f

SHA512
91657ec78e3975a8aa370e2a5473ba1154a81cf4eb70072b78c3fb48e46958dd845cdd6b4df278dae08d6b48e24a2b9d4e5645c71e89cde740e17d3d217354f1

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
8KB

MD5
458d9561d0952e8c102c6b717e0da2fe

SHA1
4c10c4abab800dcc17dfa93f74e1da01762c3ecf

SHA256
21e286ef014770876e66c452502f1d4162c0d8036c102c4aa58181925f8c25c5

SHA512
f2042efbdd5e9b785230736776ea89730c3dec2f9ac159aa548fa5c183717e555afd477d3e089451f659ca64299dfb76cfa5f77df59493abaed13f6938451234

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
8KB

MD5
f71ef5f68bff7f071318f84a5c3f5c99

SHA1
7ef40f8cdcfbb2c2465980144669f20b38b51d38

SHA256
00b23e681c7d818018435589d25de478ba0504aaf0147e1847330b181c9b17b2

SHA512
6fd05b766832d7cf3c0ecab802927536d29e955be716a410b42d64bbff26f558461982967d2b43d2c92637687ad6bfcf1adb94895517f37d12b4e50528a202fe

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
9KB

MD5
ec9eaac05a724f8a23d2cc372c72a05e

SHA1
6a6c6ead363ea7b934021c51ed40d06605ea79a4

SHA256
b522c435da7b45190e305da1d44fc447d077a4e5885528fba8863673ef77881a

SHA512
7b73a315b1a7d40eae695c80ead6c79884f3ea0f2df7bada77ff6d24771e4e6432ddc8b6d8491a12116d3f17a65d539d79389f32dd5b18879b55566ee5b992eb

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
10KB

MD5
57b82e49c10b5ea6f30c4253d2f5af11

SHA1
9eb0f24d7c4fecb705af4574941d58a7e54e8bd7

SHA256
04ead13fd0baa3ccd6677d8e68985e4ed111f2c186b57181cfb391a18c59ece0

SHA512
4211a410e5780fb65f1a7a7277a9209f35bf7752ff3c2198bee4742efdf18d3f2d58ea6cc95e02516cc892e7bd703d719183379164c7c351ed60178bcef19177

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
11KB

MD5
00f43ef8baa68330aab125f2103e95a5

SHA1
1af54ce82a39d1f163fbd93c00d58a8b3383c55b

SHA256
2e2846931643916e4c318e4d4095dd380aa48172d6d210a77f0ddd6f31413049

SHA512
bce8c6a939b7106b41c8d5eb77f146c7299a0d30b6160a537850ab4ce6fc3f697a92995f4ac04d4644d1ca89938a5d795c52bed73bd86cb7a84dba49268d2adc

Download Submit
memory/2564-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2564-6-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2812-13-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2812-12-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download