Analysis
max time kernel: 149s
resource: win7v191014
submitted: 08-01-2020 15:26

Task: task1
Sample: 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Resource: win7v191014
0 signatures

Task: task2
Sample: 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Resource: win10v191014
0 signatures

General
Target: 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Sample: 200108-d1xesb4fw2
SHA256: 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb
Score: 8/10

Malware Config

Signatures
-
Suspicious use of WriteProcessMemory 64 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1620 | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
1172 | conhost.exe
-
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File renamed | C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe => C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe | cmd.exe
File opened for modification | C:\Windows\InstallUtil.InstallLog | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
File opened for modification | C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallLog | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
File created | C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallState | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
File deleted | C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallLog | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
File deleted | C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallState | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
File deleted | C:\Windows\InstallUtil.InstallLog | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
File renamed | C:\Windows\Temp\tmp8CE3.tmp => C:\Windows\conhost.exe | cmd.exe
-
Runs net.exe 46 IoCs
Modifies service 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\AutoBackupLogFiles = "0" | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\csrss\EventMessageFile = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\EventLogMessages.dll" | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1384 | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Token: SeDebugPrivilege | 2004 | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Token: SeDebugPrivilege | 1620 | 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Token: SeDebugPrivilege | 1172 | conhost.exe
Token: 33 | 1172 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1172 | conhost.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
736 | cmd.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid | process
1172 | conhost.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1172 | conhost.exe
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe 1⤵
"C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe 2⤵
"cmd" /c ping 127.0.0.1 -n 3 > nul && move "C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe" "C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe" && start "" C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe && exit
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
-
C:\Windows\system32\PING.EXE 3⤵
ping 127.0.0.1 -n 3
- Runs ping.exe
-
C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe 3⤵
C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
- Drops file in Windows directory
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe 1⤵
"C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe 2⤵
"cmd" /c ping 127.0.0.1 -n 1 > nul && del "C:\Windows\conhost".exe && exit
-
C:\Windows\system32\PING.EXE 3⤵
ping 127.0.0.1 -n 1
- Runs ping.exe
-
C:\Windows\system32\cmd.exe 2⤵
"cmd" /c ping 127.0.0.1 -n 1 > nul && cd C:\Windows\TEMP && move "tmp8CE3.tmp" "C:\Windows\conhost.exe" && exit
- Drops file in Windows directory
-
C:\Windows\system32\PING.EXE 3⤵
ping 127.0.0.1 -n 1
- Runs ping.exe
-
C:\Windows\system32\cmd.exe 2⤵
"cmd" /c ping 127.0.0.1 -n 2 > nul && start "" "C:\Windows\conhost.exe" [elided] && exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXE 3⤵
ping 127.0.0.1 -n 2
- Runs ping.exe
-
C:\Windows\conhost.exe 3⤵
"C:\Windows\conhost.exe" [elided]
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe 4⤵
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE 5⤵
ping 127.0.0.1 -n 1
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exe 5⤵
net start csrss
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exe 6⤵
C:\Windows\system32\net1 start csrss
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe 4⤵
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE 5⤵
ping 127.0.0.1 -n 1
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exe 5⤵
net start csrss
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exe 6⤵
C:\Windows\system32\net1 start csrss
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe 4⤵
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
-
C:\Windows\SysWOW64\PING.EXE 5⤵
ping 127.0.0.1 -n 1
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exe 5⤵
net start csrss
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exe 6⤵
C:\Windows\system32\net1 start csrss
- Runs net.exe