de7741a1b4e38e18f595621651df024e56db034c692190b5b6115d2b4b1033cb

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
Size

8.7MB
MD5

3b8558d14b8bec08fe9f9ef78c1fb7c6
SHA1

d8cfe796e8a12b1c46598fe3daee9eb65a3aac0d
SHA256

de7741a1b4e38e18f595621651df024e56db034c692190b5b6115d2b4b1033cb
SHA512

d388d818a770a081b4d2cddfcc66a32f04357afa3905d63929fed9c77d723572436ab2d3efe2f2d3e4fcebb35fce5fd93100f9b31695fbeb5a28c6e49268941c
SSDEEP

24576:XaVPwvlamIBIEurOuSmKAFdrQLY9MyUT/iMWSFHJNzjyfJV5v7KInxhygjsSL:XiPeAVIbSmKAFaWbUTRrzeft+Ixhrj

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1988	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1988	schtasks.exe	30

Executes dropped EXE 13 IoCs

pid	Process
1140	lsm.exe
2272	lsm.exe
1268	lsm.exe
2996	lsm.exe
2756	lsm.exe
2264	lsm.exe
2700	lsm.exe
1424	lsm.exe
632	lsm.exe
1980	lsm.exe
2336	lsm.exe
2560	lsm.exe
568	lsm.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\lsm.exe	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
File created	C:\Program Files\7-Zip\Lang\101b941d020240	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\taskhost.exe	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
File created	C:\Windows\Resources\b75386f1303e64	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2136	PING.EXE
2284	PING.EXE
2392	PING.EXE
2900	PING.EXE
448	PING.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2900	PING.EXE
448	PING.EXE
2136	PING.EXE
2284	PING.EXE
2392	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe
2384	schtasks.exe
2260	schtasks.exe
920	schtasks.exe
588	schtasks.exe
3064	schtasks.exe
2592	schtasks.exe
2024	schtasks.exe
2588	schtasks.exe
1232	schtasks.exe
2228	schtasks.exe
2720	schtasks.exe
2584	schtasks.exe
1500	schtasks.exe
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe
1140	lsm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
Token: SeDebugPrivilege	1140	lsm.exe
Token: SeDebugPrivilege	2272	lsm.exe
Token: SeDebugPrivilege	1268	lsm.exe
Token: SeDebugPrivilege	2996	lsm.exe
Token: SeDebugPrivilege	2756	lsm.exe
Token: SeDebugPrivilege	2264	lsm.exe
Token: SeDebugPrivilege	2700	lsm.exe
Token: SeDebugPrivilege	1424	lsm.exe
Token: SeDebugPrivilege	632	lsm.exe
Token: SeDebugPrivilege	1980	lsm.exe
Token: SeDebugPrivilege	2336	lsm.exe
Token: SeDebugPrivilege	2560	lsm.exe
Token: SeDebugPrivilege	568	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2104	1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe	46
PID 1924 wrote to memory of 2104	1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe	46
PID 1924 wrote to memory of 2104	1924	3b8558d14b8bec08fe9f9ef78c1fb7c6.exe	46
PID 2104 wrote to memory of 2792	2104	cmd.exe	48
PID 2104 wrote to memory of 2792	2104	cmd.exe	48
PID 2104 wrote to memory of 2792	2104	cmd.exe	48
PID 2104 wrote to memory of 2900	2104	cmd.exe	49
PID 2104 wrote to memory of 2900	2104	cmd.exe	49
PID 2104 wrote to memory of 2900	2104	cmd.exe	49
PID 2104 wrote to memory of 1140	2104	cmd.exe	50
PID 2104 wrote to memory of 1140	2104	cmd.exe	50
PID 2104 wrote to memory of 1140	2104	cmd.exe	50
PID 1140 wrote to memory of 848	1140	lsm.exe	51
PID 1140 wrote to memory of 848	1140	lsm.exe	51
PID 1140 wrote to memory of 848	1140	lsm.exe	51
PID 848 wrote to memory of 1204	848	cmd.exe	53
PID 848 wrote to memory of 1204	848	cmd.exe	53
PID 848 wrote to memory of 1204	848	cmd.exe	53
PID 848 wrote to memory of 2316	848	cmd.exe	54
PID 848 wrote to memory of 2316	848	cmd.exe	54
PID 848 wrote to memory of 2316	848	cmd.exe	54
PID 848 wrote to memory of 2272	848	cmd.exe	55
PID 848 wrote to memory of 2272	848	cmd.exe	55
PID 848 wrote to memory of 2272	848	cmd.exe	55
PID 2272 wrote to memory of 1084	2272	lsm.exe	56
PID 2272 wrote to memory of 1084	2272	lsm.exe	56
PID 2272 wrote to memory of 1084	2272	lsm.exe	56
PID 1084 wrote to memory of 2060	1084	cmd.exe	58
PID 1084 wrote to memory of 2060	1084	cmd.exe	58
PID 1084 wrote to memory of 2060	1084	cmd.exe	58
PID 1084 wrote to memory of 448	1084	cmd.exe	59
PID 1084 wrote to memory of 448	1084	cmd.exe	59
PID 1084 wrote to memory of 448	1084	cmd.exe	59
PID 1084 wrote to memory of 1268	1084	cmd.exe	61
PID 1084 wrote to memory of 1268	1084	cmd.exe	61
PID 1084 wrote to memory of 1268	1084	cmd.exe	61
PID 1268 wrote to memory of 856	1268	lsm.exe	62
PID 1268 wrote to memory of 856	1268	lsm.exe	62
PID 1268 wrote to memory of 856	1268	lsm.exe	62
PID 856 wrote to memory of 2476	856	cmd.exe	64
PID 856 wrote to memory of 2476	856	cmd.exe	64
PID 856 wrote to memory of 2476	856	cmd.exe	64
PID 856 wrote to memory of 2136	856	cmd.exe	65
PID 856 wrote to memory of 2136	856	cmd.exe	65
PID 856 wrote to memory of 2136	856	cmd.exe	65
PID 856 wrote to memory of 2996	856	cmd.exe	66
PID 856 wrote to memory of 2996	856	cmd.exe	66
PID 856 wrote to memory of 2996	856	cmd.exe	66
PID 2996 wrote to memory of 2732	2996	lsm.exe	67
PID 2996 wrote to memory of 2732	2996	lsm.exe	67
PID 2996 wrote to memory of 2732	2996	lsm.exe	67
PID 2732 wrote to memory of 2696	2732	cmd.exe	69
PID 2732 wrote to memory of 2696	2732	cmd.exe	69
PID 2732 wrote to memory of 2696	2732	cmd.exe	69
PID 2732 wrote to memory of 2012	2732	cmd.exe	70
PID 2732 wrote to memory of 2012	2732	cmd.exe	70
PID 2732 wrote to memory of 2012	2732	cmd.exe	70
PID 2732 wrote to memory of 2756	2732	cmd.exe	71
PID 2732 wrote to memory of 2756	2732	cmd.exe	71
PID 2732 wrote to memory of 2756	2732	cmd.exe	71
PID 2756 wrote to memory of 1836	2756	lsm.exe	72
PID 2756 wrote to memory of 1836	2756	lsm.exe	72
PID 2756 wrote to memory of 1836	2756	lsm.exe	72
PID 1836 wrote to memory of 476	1836	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b8558d14b8bec08fe9f9ef78c1fb7c6.exe
"C:\Users\Admin\AppData\Local\Temp\3b8558d14b8bec08fe9f9ef78c1fb7c6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8TCB7Lhlu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2792
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2900
- - C:\Program Files\7-Zip\Lang\lsm.exe
    "C:\Program Files\7-Zip\Lang\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g9fdK0eS1C.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1204
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2316
    - - C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CbjDYjSaFp.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zkmgT0HHEw.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EdToEt2qxP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2012
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HLyChA1PXA.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2880
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HLyChA1PXA.bat"
        14⤵
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2392
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aKt4VVYkRN.bat"
        16⤵
        
        PID:2108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:348
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qf9bALi5DQ.bat"
        18⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2524
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bzGZZMGSnB.bat"
        20⤵
        
        PID:1716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2952
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XA2Giq7lse.bat"
        22⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat"
        24⤵
        
        PID:776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2596
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
        26⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2396
        
        C:\Program Files\7-Zip\Lang\lsm.exe
        
        "C:\Program Files\7-Zip\Lang\lsm.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZFxA7ALGfV.bat"
        28⤵
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Resources\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\lsm.exe

Filesize
8.7MB

MD5
3b8558d14b8bec08fe9f9ef78c1fb7c6

SHA1
d8cfe796e8a12b1c46598fe3daee9eb65a3aac0d

SHA256
de7741a1b4e38e18f595621651df024e56db034c692190b5b6115d2b4b1033cb

SHA512
d388d818a770a081b4d2cddfcc66a32f04357afa3905d63929fed9c77d723572436ab2d3efe2f2d3e4fcebb35fce5fd93100f9b31695fbeb5a28c6e49268941c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbjDYjSaFp.bat

Filesize
163B

MD5
516838a6ac9d91f9e6c9e70b59280d94

SHA1
6ad1b9003cb663e9ecce976f389d3ba5c7d635f8

SHA256
876642cd4a51840f02560da240bbf0310fa519d5f6d8bd93517e122b521a7101

SHA512
2b5a46f1f3774351ef6b68ce80c68a643845f9381c6ecb5d09038f4005549d5f6edb8060a74b6129c78ae41d26099574121a32146e8311b3d12ec0aaf40f0595

Download Submit
C:\Users\Admin\AppData\Local\Temp\EdToEt2qxP.bat

Filesize
211B

MD5
d09c972ab64c04f63bc2494fac0eb438

SHA1
cda077f25733013817c54a2cb7873925fc9d48d9

SHA256
6b32c63f8ed6060c42e14772cc3c4e4546b2b3fbf363fccba4e07d1959862140

SHA512
26f3978e6aaf6f48bf88c9f096c2431dfff1b7a5acab983f1b8af7c9368556441abe2392b953a2092bce35eabf520790e2eeb975d915cd7a61aec3dc9fd1129e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HLyChA1PXA.bat

Filesize
211B

MD5
5ac041aef58eea2b48541e608595c5a5

SHA1
fae25a65e4dd39dad161c1002546d193f19d0c30

SHA256
fc99b8016cfb33f701e91aaccbd5f71d0952cc2864499ec66821945aee02989e

SHA512
714b46df336d8fbdfab2eb9fa174add9eccd09f817375e6284ce2f2c411a920eca07ee26cb8d0623d36ca26663334978bc9a959cae53316420b38c9d83fac173

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8TCB7Lhlu.bat

Filesize
163B

MD5
240311682df4546917516a5195b81e00

SHA1
2e1973bca571c61ab20160c457c5765baa3872fd

SHA256
5e8fd280d7aece8f6ada85506e29450c0681ac5e67aff7bc5b7e83b5821812d4

SHA512
518756460386cc88817489c887ed86ac10a63b8e21feee375ffd8970529f6e6efed1077d7e138f69db443e7ddcfec555f7b7df08f620be2d7523368a07a16721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qf9bALi5DQ.bat

Filesize
211B

MD5
443df1f8c66e6fc76172eb152cafa75f

SHA1
d6e3c63996de82b48a65f89398a4dee9c7ed0dc4

SHA256
94725cdbace22abd075e85f24e399b0d506586303dbde26a5c2f1b0f1587899d

SHA512
01fe1c0db63710cc52ddf2c9793466b238db379d1e702602e7598089c97c3baf5b04e11acc2b013f40a7f79d526b350a1fcc5bc21cab844a445dd72077f74807

Download Submit
C:\Users\Admin\AppData\Local\Temp\XA2Giq7lse.bat

Filesize
163B

MD5
39d18ee3f9314c2e048b9bee001ca13b

SHA1
94991f9bcb78ccbb8ca8e382b36891ccc3237d18

SHA256
3a7c8e78472240f60799f5b7689ab7f81a89e415dc2b0537ef40e9634b2d3a10

SHA512
32be95649e6ce36c0787415a5ba7ea31fd6af9009939ba8ca508e486c263e2797097820c045318f89aa9753be899bdf18192dbdb6b639b8a596c48dacd176fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFxA7ALGfV.bat

Filesize
163B

MD5
5d9f296a8cd06a5d5348fe1396eb71e6

SHA1
28fabd23c2e0d2e0b963ed76be1e6acde24d3e45

SHA256
cf0c663ec8078a483a091bbba42feadc516981e33ecf5f48269c39281980eb79

SHA512
e051f671cf5234004af3ceaec6107cc4953e2c71dab219e5deba88a7cd15067fe2fc94e072fb48674ea776cd8d0c4ea7c1a542f5a980271091894bc0c520e098

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKt4VVYkRN.bat

Filesize
211B

MD5
44d17102719bbddf1727cca636cabdf7

SHA1
729a0d45ad3356c32e9c2a59451a4ad7725c1360

SHA256
05f268f00b7a0a609f67f63fc9830f35c2716f79caba2afd7590ad4ee1d52724

SHA512
b26c1caeaee9813f74c21c4557cfaf379441766806651d6ba297a87cbeac97a6dc85b1cf76b2a171c0a97632a99f535b4a139c4e71258722c9f7c09e48d454e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzGZZMGSnB.bat

Filesize
211B

MD5
6f423e0d7ffdbd64de2c7bccb2aabf3e

SHA1
187f49068c4c33703f43c40a64cf5d234aa79d65

SHA256
b0e8aae124588bb71cefc52c4ede76939dcbf1bf1049915c7aa48bbb8043daee

SHA512
9bdb52830bc97e97466506f1764b8cdba7575ed91391ec9c748eefa3832d2002f11bd2f0288f00566ade8f37f04643e07d519e97b9383af8801f7bbc729ccee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat

Filesize
211B

MD5
e3d2f4ead49c785e525be7c1994aa6b9

SHA1
38ee6b3a152395ed54c8ebf2a415299c03d19da5

SHA256
3e945772ccffca228d7d021f10c9c8c85f4ea381c354adfab827dace6cb0c25b

SHA512
fab2e19d5b4bc4cd66e18c8209163736b9176d9ecb83e8d857f6a96b05099ed09f101c7916e91f93af3a970f030a387fb5306e6841a2bf86d0ba8be6687e9b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\g9fdK0eS1C.bat

Filesize
211B

MD5
71a20904254bd824fb534a9160bd6808

SHA1
063caa040f8759ac84d4ea4150c4185fde156653

SHA256
067faedb6568b4ae4e77242dcdf347955c497fead250e69d6c68ddc3c569c973

SHA512
ef486cb4cc50e89342eec303252aeacbefd01c8ada50cba7ce2820c0361aa514ba93d4075247b1a16c3b29bd27fc653ddd30eb2bd628f551de552f72ccf0f38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat

Filesize
211B

MD5
b288dfcaceb1aa9424f63450498b1b0b

SHA1
8495f9f68e07922deb0b98003b488c88e3649012

SHA256
8fc5e218e3fa6d14ef38408dabd3277112da2bb48bd4c8007dc0362c8d2a5f44

SHA512
4ad458b298597b194ca1ae1c5cf4dd7e59b0471067b29b5d7653106b983d46ddf04fe88c6dc417e93662cf73898f81dcfc14b3351aa79a95cb2754672157cfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkmgT0HHEw.bat

Filesize
163B

MD5
260a15953c3a7270fbec9db0177e9257

SHA1
21a947ead78ce6c8af9ec65f34deae24f8a875b0

SHA256
6b35fd6ddf9def457ab3f0471df0415db469a15330eeb2b26b96f9ee7d1fd4a7

SHA512
84ac2862fe8abe3b23e602e6652bf3652fdc5b3db7b2208926d366628427cb100bb3796e50f81bb682564b4900f04d99ee18cf1469daa86381d2e010cf2652c0

Download Submit
memory/632-100-0x00000000013A0000-0x000000000154E000-memory.dmp

Filesize
1.7MB

Download
memory/1140-30-0x0000000000990000-0x0000000000B3E000-memory.dmp

Filesize
1.7MB

Download
memory/1268-49-0x0000000000220000-0x00000000003CE000-memory.dmp

Filesize
1.7MB

Download
memory/1924-9-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x00000000012E0000-0x000000000148E000-memory.dmp

Filesize
1.7MB

Download
memory/1924-21-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-12-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-8-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/1924-27-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-6-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/1924-4-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-3-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-39-0x0000000001390000-0x000000000153E000-memory.dmp

Filesize
1.7MB

Download
memory/2336-119-0x00000000000A0000-0x000000000024E000-memory.dmp

Filesize
1.7MB

Download
memory/2560-129-0x00000000012F0000-0x000000000149E000-memory.dmp

Filesize
1.7MB

Download
memory/2996-58-0x0000000000F40000-0x00000000010EE000-memory.dmp

Filesize
1.7MB

Download