6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
Size

1.8MB
MD5

330a09824e901f7c2fb65be086df1493
SHA1

236a6a080f1ea340343bedab226a88b3b92ea9cf
SHA256

6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa
SHA512

8da1191fb37876db6e4747d3807999995dbd965c0d13d21b944b941e8455daa7512c9322c7e56bb228c83fc8babe849685685c16dd000cb3e8e5a3822e7a6c77
SSDEEP

24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 15 IoCs

pid	Process
2428	csrss.exe
2028	csrss.exe
2356	csrss.exe
2264	csrss.exe
1596	csrss.exe
2268	csrss.exe
2316	csrss.exe
2896	csrss.exe
600	csrss.exe
2796	csrss.exe
2184	csrss.exe
852	csrss.exe
2420	csrss.exe
3004	csrss.exe
2344	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2180	PING.EXE
2416	PING.EXE
2732	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2732	PING.EXE
2180	PING.EXE
2416	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
Token: SeDebugPrivilege	2428	csrss.exe
Token: SeDebugPrivilege	2028	csrss.exe
Token: SeDebugPrivilege	2356	csrss.exe
Token: SeDebugPrivilege	2264	csrss.exe
Token: SeDebugPrivilege	1596	csrss.exe
Token: SeDebugPrivilege	2268	csrss.exe
Token: SeDebugPrivilege	2316	csrss.exe
Token: SeDebugPrivilege	2896	csrss.exe
Token: SeDebugPrivilege	600	csrss.exe
Token: SeDebugPrivilege	2796	csrss.exe
Token: SeDebugPrivilege	2184	csrss.exe
Token: SeDebugPrivilege	852	csrss.exe
Token: SeDebugPrivilege	2420	csrss.exe
Token: SeDebugPrivilege	3004	csrss.exe
Token: SeDebugPrivilege	2344	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2668	2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe	30
PID 2756 wrote to memory of 2668	2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe	30
PID 2756 wrote to memory of 2668	2756	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe	30
PID 2668 wrote to memory of 2572	2668	cmd.exe	32
PID 2668 wrote to memory of 2572	2668	cmd.exe	32
PID 2668 wrote to memory of 2572	2668	cmd.exe	32
PID 2668 wrote to memory of 2600	2668	cmd.exe	33
PID 2668 wrote to memory of 2600	2668	cmd.exe	33
PID 2668 wrote to memory of 2600	2668	cmd.exe	33
PID 2668 wrote to memory of 2428	2668	cmd.exe	34
PID 2668 wrote to memory of 2428	2668	cmd.exe	34
PID 2668 wrote to memory of 2428	2668	cmd.exe	34
PID 2428 wrote to memory of 1584	2428	csrss.exe	35
PID 2428 wrote to memory of 1584	2428	csrss.exe	35
PID 2428 wrote to memory of 1584	2428	csrss.exe	35
PID 1584 wrote to memory of 2464	1584	cmd.exe	37
PID 1584 wrote to memory of 2464	1584	cmd.exe	37
PID 1584 wrote to memory of 2464	1584	cmd.exe	37
PID 1584 wrote to memory of 2180	1584	cmd.exe	38
PID 1584 wrote to memory of 2180	1584	cmd.exe	38
PID 1584 wrote to memory of 2180	1584	cmd.exe	38
PID 1584 wrote to memory of 2028	1584	cmd.exe	39
PID 1584 wrote to memory of 2028	1584	cmd.exe	39
PID 1584 wrote to memory of 2028	1584	cmd.exe	39
PID 2028 wrote to memory of 2920	2028	csrss.exe	40
PID 2028 wrote to memory of 2920	2028	csrss.exe	40
PID 2028 wrote to memory of 2920	2028	csrss.exe	40
PID 2920 wrote to memory of 2880	2920	cmd.exe	42
PID 2920 wrote to memory of 2880	2920	cmd.exe	42
PID 2920 wrote to memory of 2880	2920	cmd.exe	42
PID 2920 wrote to memory of 1992	2920	cmd.exe	43
PID 2920 wrote to memory of 1992	2920	cmd.exe	43
PID 2920 wrote to memory of 1992	2920	cmd.exe	43
PID 2920 wrote to memory of 2356	2920	cmd.exe	44
PID 2920 wrote to memory of 2356	2920	cmd.exe	44
PID 2920 wrote to memory of 2356	2920	cmd.exe	44
PID 2356 wrote to memory of 1792	2356	csrss.exe	45
PID 2356 wrote to memory of 1792	2356	csrss.exe	45
PID 2356 wrote to memory of 1792	2356	csrss.exe	45
PID 1792 wrote to memory of 2784	1792	cmd.exe	47
PID 1792 wrote to memory of 2784	1792	cmd.exe	47
PID 1792 wrote to memory of 2784	1792	cmd.exe	47
PID 1792 wrote to memory of 2980	1792	cmd.exe	48
PID 1792 wrote to memory of 2980	1792	cmd.exe	48
PID 1792 wrote to memory of 2980	1792	cmd.exe	48
PID 1792 wrote to memory of 2264	1792	cmd.exe	50
PID 1792 wrote to memory of 2264	1792	cmd.exe	50
PID 1792 wrote to memory of 2264	1792	cmd.exe	50
PID 2264 wrote to memory of 1788	2264	csrss.exe	51
PID 2264 wrote to memory of 1788	2264	csrss.exe	51
PID 2264 wrote to memory of 1788	2264	csrss.exe	51
PID 1788 wrote to memory of 1196	1788	cmd.exe	53
PID 1788 wrote to memory of 1196	1788	cmd.exe	53
PID 1788 wrote to memory of 1196	1788	cmd.exe	53
PID 1788 wrote to memory of 108	1788	cmd.exe	54
PID 1788 wrote to memory of 108	1788	cmd.exe	54
PID 1788 wrote to memory of 108	1788	cmd.exe	54
PID 1788 wrote to memory of 1596	1788	cmd.exe	55
PID 1788 wrote to memory of 1596	1788	cmd.exe	55
PID 1788 wrote to memory of 1596	1788	cmd.exe	55
PID 1596 wrote to memory of 1736	1596	csrss.exe	56
PID 1596 wrote to memory of 1736	1596	csrss.exe	56
PID 1596 wrote to memory of 1736	1596	csrss.exe	56
PID 1736 wrote to memory of 1032	1736	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe
"C:\Users\Admin\AppData\Local\Temp\6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LvznYZfujE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2572
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2600
- - C:\Users\Public\Recorded TV\Sample Media\csrss.exe
    "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2464
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
    - - C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qraPNM7MJR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1992
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2980
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WmJu8eLYHf.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:108
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1056
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vg1jnREOGb.bat"
        14⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat"
        16⤵
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2808
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5vvLuoFXBX.bat"
        18⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l0cWqgOPfJ.bat"
        20⤵
        
        PID:1504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1584
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ar6wdwHCe.bat"
        22⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1016
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TAB96jcSpT.bat"
        24⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2192
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat"
        26⤵
        
        PID:2736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:848
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat"
        28⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1492
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sTLrgzBrGH.bat"
        30⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2284
        
        C:\Users\Public\Recorded TV\Sample Media\csrss.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\csrss.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UYuVgvOfQS.bat"
        32⤵
        
        PID:1256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5vvLuoFXBX.bat

Filesize
178B

MD5
6143bf7256c702cf6904cbd068c4034b

SHA1
e681d3785508d5db415b7292f67ba015faa7803a

SHA256
e23a865b4f8486c971a9277988620d94c22b19d3bc2721edb3136f177c65e25b

SHA512
c8a1e1e7a020e90716890cac16b45539cbe3f1aff56d17ad6f4f54706f2494d945241455e4f12952d60cf4ebd4edb89349b4c55b0281fa72875704a6e9f1bd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ar6wdwHCe.bat

Filesize
226B

MD5
dd8129d2b0e67d2b35a458b03fa0203d

SHA1
2803d1ef23a2d4e9d914d0c07b9401dc31e4d71e

SHA256
36416c4fba43092fcd37911ae4bc0d4a70f9dbb26a396a20d826bf80cc6ff9b7

SHA512
d099f55fee612cd53037884f5c19802adef24e7cd9c555b0d17cda5f315814b6e53c1eb98cdb3f95fdb0f60b7b39e63c090c9dd3c7e5096c09a92ce9de5fc2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat

Filesize
226B

MD5
a654daeb509496b09d9b63a1c7a404b8

SHA1
222488f3b6f913cc5bc148f1c7e27cb2e41f8a1f

SHA256
4b96539ba2b2e73ce0029f2b6a34996cf3ab1fdd8d06644645a9d719de58d277

SHA512
c0901c04ca553db8b97fc047efefdea9b9019b342897c5b5bd369f90afce71cd9faf5f85bed5a7b6a0d28c1291c76d5c00021d696c9f52d98a3aac910a4d7370

Download Submit
C:\Users\Admin\AppData\Local\Temp\LvznYZfujE.bat

Filesize
226B

MD5
f6e6f08790d11b3fdaa29d40a456039b

SHA1
a998f8d013019a11a499bd87c49b7418e0bc0604

SHA256
ca25dbeea4e84e4647c1569a2c3d65f7ac7cd4ec1e198e0adefd499ab56a92cc

SHA512
df8c6f33302b78e1f52e5569bdfd1a930ec48d6376ecfec5912f58b9051af4c7576d6b22cdc1cc5168bd1453e71b45ca07ffa3bd149db2f42fe15013f358549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAB96jcSpT.bat

Filesize
226B

MD5
43b761034fb7cca9ded1c5669ebc9414

SHA1
2d8d63330d82fa180789d6fcf8391d2ebe3e6acd

SHA256
d4f58dd7f6f74a24a8036cb405353a40d1d3b10c8e35666e7953dd48fa4bcdce

SHA512
948684f97800c29e181e14a9b2924ab3122e6dad682d0772f6f48af5253c2add6676d96b9a50e011382839d2cef0e6f2c3c8482eaaade6b366f8444cf40bd971

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYuVgvOfQS.bat

Filesize
226B

MD5
a377de6f82081237a5c7e15b52c36f85

SHA1
77fce9de664fa8b399430425292cb9643567a069

SHA256
47dc918d0fe9145dae6d95cbf3a379865e2031176422700999b1bb1b4adc0b5a

SHA512
ef48f00a496e95c33479c3f70177aebb8ef2df0e9da777f4f35d33a4a162ad4b9b22003e012323b31e22cc5e33a7ece8c060ebeb9f7d190ccca4300684a2a8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vg1jnREOGb.bat

Filesize
178B

MD5
7646b13b1394479f0b9a463ab77c60a3

SHA1
0a8c3af2896a5ca77464af361a2121319cf4824d

SHA256
7cb98f50801bbf7a0fe975acf0853c3e0e14f33f34f2c6ec733e481f0a070fb0

SHA512
bba15603e85017b27e6641f6920db3de7e98e8a593faf2cc3617ef8b9f362ef4a0c934c2444d7ed706ba4254e6078b8b2882ce56c39907442d895bfaf9de915b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmJu8eLYHf.bat

Filesize
226B

MD5
3e3b393f3c94a094b84a477c103b77e4

SHA1
9413b76f9f8b7afb1f4216dfd8dddb832a6fc68e

SHA256
0a5d89312fff4f8f299c3f2b8a5ecc480504117bc6a6285326a7b9e1b27d9aee

SHA512
36f2d81c99501717ecf4f4dba0b509848a80438db0df2be54c0aa76ebd95c2e750c975666db7a3538755ad42c7f777473a014c0c869804f4f32f76a9256cdf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjcQ5hKx2L.bat

Filesize
226B

MD5
697f85ce36869e7e882e0eb903cd3d38

SHA1
b2eaa1b406e55dacb63e22eb824eb2dbab27ae91

SHA256
df1e490912c7a6e17224d557b3b5f3f29c64b5ef45976b61e621237b99b4bea8

SHA512
5e91e697df5b2d00de26125a98330bfbc84b412d8df2de8e364c8f350143651769c37af28c1fd64729306fb2031b1940f40e49920560cdec4cb2cf8bbe95f0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat

Filesize
178B

MD5
5ca033404d95898a81b40a3d5f432fe0

SHA1
96e2ac9a3f3d7849afba13c2cd3d056282d6d3fd

SHA256
ef173dd0ac81bdb671e92ea1ba1a9cc77553234e0010a4ebfd5c6c8e29903477

SHA512
deda6c315af5b79e0c8d1f41fd84d5070dc032e0c3c491b9c19b07c66742dad07e1ab0f395c8b59c62338cfcb13fca7ca5ef2bd4001fd8d1db6e2fa2f3f0737a

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0cWqgOPfJ.bat

Filesize
226B

MD5
b1f48f2689cafab21154fea134bf2aba

SHA1
7506fd5fd24a57c823eeb6ad60d8bc7b54462b2d

SHA256
c7cdad1e792b70e113334bef458dfa4556a3c0201b7d094588d449562afd00e4

SHA512
7b92813a7236c96e3930f7bddbe2a006d2f1abc312e424eb61f5174c5976dd5725595d6ba5e3503724a212d8a722baa005d1813d6da9dc24ee599003a61a1779

Download Submit
C:\Users\Admin\AppData\Local\Temp\qraPNM7MJR.bat

Filesize
226B

MD5
377fca82f49a4ef67b034f16e7b9877b

SHA1
d1a40aa01d9b666e6048c267a60a63f7e1cab6b3

SHA256
855ef31890f4af79a74674db61d11f92331b90ca47655f5c58061f3789393f25

SHA512
37158ed3162efec420a15fec40ab5e4372ea70195c488038cf2553c7a27102e30306ba078c91430562e9b22eb7a06f38e9c0524762a38dce5b0e883c6622ac3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTLrgzBrGH.bat

Filesize
226B

MD5
aa25a4c2a5ba64209e5ccaed27264bf1

SHA1
949b53f282138c64d6a0dd8a04653fad6d18154e

SHA256
d8014c49c0ba764443e0b67d221c8dffca2df9ea1e601c8353284a417674499b

SHA512
d736cd0357eb368ac25bc300302b5f0035b6c25cf4163cfd9fe1bfebd01cb2a502310a9c8378f88e92aba8231687400f9be54ba2f86bed52dd504aaaaff02afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat

Filesize
226B

MD5
a93ddbdef53e93983a1594fe40f85a62

SHA1
d06b4180f772afa7ea58892d79131aac7a7928ac

SHA256
24dd6b0787d1ef3ece11577756fcb40e43dbf84847273dfe6715a2e94ca5e548

SHA512
d9b481e3b178e8a2af7ca810385c9d22e997ec388b495a33f510ae27b0271d79a94babd1bab3e4c1ddbcabf83724c751e62dd1b987c567b10d928eb5dacaaeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat

Filesize
226B

MD5
c52f17cc3c637492b4550f14d7095ba3

SHA1
b8439e1219744cc6fb243c042cbb19aa908ef63c

SHA256
137e73b45485a8eb411eedb403e0eb22c691de0ab0ea523af21feb52661de6ee

SHA512
a686ca7a09face55657c3d65a2ffef31b2dc3ec0572401ab2f01e28080eaee04b8a25d11f97a2c8bf3addac501a275fe7fdfec126d60d34cdc07fd5d296b3407

Download Submit
C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat

Filesize
226B

MD5
c64ffb93284fc539c26c01317bae754d

SHA1
03604a331e01022166218176bed1f01c3985ef5a

SHA256
e72b30473ca8951a30d65079043e5a20a856029e43f674eaa40776ffeba4d857

SHA512
f8bc9e3c1ff4681c100ff7ab27bb3c6ebaf7b1b085378d472cc32bb3cee358cfd1b1d7d10d6e7adfd43a9a001620ac006e641e16597fe4d4f2cc4262d8972d2c

Download Submit
C:\Users\Public\Recorded TV\Sample Media\csrss.exe

Filesize
1.8MB

MD5
330a09824e901f7c2fb65be086df1493

SHA1
236a6a080f1ea340343bedab226a88b3b92ea9cf

SHA256
6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa

SHA512
8da1191fb37876db6e4747d3807999995dbd965c0d13d21b944b941e8455daa7512c9322c7e56bb228c83fc8babe849685685c16dd000cb3e8e5a3822e7a6c77

Download Submit
memory/600-123-0x0000000000350000-0x000000000052A000-memory.dmp

Filesize
1.9MB

Download
memory/2028-46-0x0000000000CF0000-0x0000000000ECA000-memory.dmp

Filesize
1.9MB

Download
memory/2184-145-0x0000000000EF0000-0x00000000010CA000-memory.dmp

Filesize
1.9MB

Download
memory/2264-68-0x0000000000B20000-0x0000000000CFA000-memory.dmp

Filesize
1.9MB

Download
memory/2268-89-0x00000000000F0000-0x00000000002CA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-100-0x00000000003E0000-0x00000000005BA000-memory.dmp

Filesize
1.9MB

Download
memory/2356-57-0x00000000001A0000-0x000000000037A000-memory.dmp

Filesize
1.9MB

Download
memory/2428-35-0x0000000000AB0000-0x0000000000C8A000-memory.dmp

Filesize
1.9MB

Download
memory/2756-12-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2756-8-0x0000000002160000-0x000000000217C000-memory.dmp

Filesize
112KB

Download
memory/2756-13-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-1-0x0000000000A70000-0x0000000000C4A000-memory.dmp

Filesize
1.9MB

Download
memory/2756-25-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-26-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-10-0x0000000002180000-0x0000000002198000-memory.dmp

Filesize
96KB

Download
memory/2756-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/2756-32-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-6-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/2756-4-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-3-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2896-112-0x0000000000810000-0x00000000009EA000-memory.dmp

Filesize
1.9MB

Download
memory/3004-176-0x0000000001300000-0x00000000014DA000-memory.dmp

Filesize
1.9MB

Download