fecb1f5772ea4997ca01791ed9d1b60d59a5f99fd68b08cc864d3f1da4b3f8f3

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 23:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
Size

46KB
MD5

268c432b333726dd06ecddfda2aa55bd
SHA1

46309005cc3c5db54113a310fb33f3ad9fd19d3b
SHA256

fecb1f5772ea4997ca01791ed9d1b60d59a5f99fd68b08cc864d3f1da4b3f8f3
SHA512

f89b0981b9ed10188ad9d1db83934f0ec0c5ccff581630ebe965e10be58b33b7455a843786a279c459b1193aaaf0481ea5da489a2825aa321d76f7f88bba31cf
SSDEEP

768:Px4RQqom3M79vmqZFdALOXmeQY/0ymGWjxWn37ZjOL5Gcz6jU:2eNEG2LG3QY/BmG+O3IFzz6jU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2172	sys32dll.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
2388	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\sys32dll.exe	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\win_32.bat	sys32dll.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winhelp.exe	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sys32dll.exe	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 64 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2940	NETSTAT.EXE
2260	NETSTAT.EXE
1504	NETSTAT.EXE
1920	NETSTAT.EXE
2404	NETSTAT.EXE
2984	NETSTAT.EXE
2300	NETSTAT.EXE
1972	NETSTAT.EXE
2396	NETSTAT.EXE
2228	NETSTAT.EXE
1824	NETSTAT.EXE
2756	NETSTAT.EXE
2736	NETSTAT.EXE
1944	NETSTAT.EXE
1692	NETSTAT.EXE
1708	NETSTAT.EXE
2980	NETSTAT.EXE
1048	NETSTAT.EXE
2052	NETSTAT.EXE
2220	NETSTAT.EXE
2836	NETSTAT.EXE
932	NETSTAT.EXE
2224	NETSTAT.EXE
2076	NETSTAT.EXE
2816	NETSTAT.EXE
952	NETSTAT.EXE
1752	NETSTAT.EXE
2372	NETSTAT.EXE
2608	NETSTAT.EXE
1252	NETSTAT.EXE
2240	NETSTAT.EXE
1468	NETSTAT.EXE
880	NETSTAT.EXE
2380	NETSTAT.EXE
888	NETSTAT.EXE
556	NETSTAT.EXE
2820	NETSTAT.EXE
2232	NETSTAT.EXE
2288	NETSTAT.EXE
2980	NETSTAT.EXE
3012	NETSTAT.EXE
2932	NETSTAT.EXE
1600	NETSTAT.EXE
1380	NETSTAT.EXE
3048	NETSTAT.EXE
1020	NETSTAT.EXE
2508	NETSTAT.EXE
1476	NETSTAT.EXE
2252	NETSTAT.EXE
1964	NETSTAT.EXE
2496	NETSTAT.EXE
3000	NETSTAT.EXE
1216	NETSTAT.EXE
2316	NETSTAT.EXE
2088	NETSTAT.EXE
2516	NETSTAT.EXE
2920	NETSTAT.EXE
1000	NETSTAT.EXE
3060	NETSTAT.EXE
3028	NETSTAT.EXE
1436	NETSTAT.EXE
2204	NETSTAT.EXE
2812	NETSTAT.EXE
816	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	sys32dll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	sys32dll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	NETSTAT.EXE
Token: SeDebugPrivilege	2688	NETSTAT.EXE
Token: SeDebugPrivilege	2372	NETSTAT.EXE
Token: SeDebugPrivilege	2588	NETSTAT.EXE
Token: SeDebugPrivilege	2968	NETSTAT.EXE
Token: SeDebugPrivilege	1824	NETSTAT.EXE
Token: SeDebugPrivilege	1708	NETSTAT.EXE
Token: SeDebugPrivilege	2184	NETSTAT.EXE
Token: SeDebugPrivilege	2088	NETSTAT.EXE
Token: SeDebugPrivilege	2608	NETSTAT.EXE
Token: SeDebugPrivilege	944	NETSTAT.EXE
Token: SeDebugPrivilege	2432	NETSTAT.EXE
Token: SeDebugPrivilege	1920	NETSTAT.EXE
Token: SeDebugPrivilege	2404	NETSTAT.EXE
Token: SeDebugPrivilege	2600	NETSTAT.EXE
Token: SeDebugPrivilege	2728	NETSTAT.EXE
Token: SeDebugPrivilege	2836	NETSTAT.EXE
Token: SeDebugPrivilege	2756	NETSTAT.EXE
Token: SeDebugPrivilege	2508	NETSTAT.EXE
Token: SeDebugPrivilege	2076	NETSTAT.EXE
Token: SeDebugPrivilege	2736	NETSTAT.EXE
Token: SeDebugPrivilege	2980	NETSTAT.EXE
Token: SeDebugPrivilege	1476	NETSTAT.EXE
Token: SeDebugPrivilege	2252	NETSTAT.EXE
Token: SeDebugPrivilege	2516	NETSTAT.EXE
Token: SeDebugPrivilege	1044	NETSTAT.EXE
Token: SeDebugPrivilege	2496	NETSTAT.EXE
Token: SeDebugPrivilege	1140	NETSTAT.EXE
Token: SeDebugPrivilege	556	NETSTAT.EXE
Token: SeDebugPrivilege	2548	NETSTAT.EXE
Token: SeDebugPrivilege	1460	NETSTAT.EXE
Token: SeDebugPrivilege	2820	NETSTAT.EXE
Token: SeDebugPrivilege	1820	NETSTAT.EXE
Token: SeDebugPrivilege	2320	NETSTAT.EXE
Token: SeDebugPrivilege	2616	NETSTAT.EXE
Token: SeDebugPrivilege	1048	NETSTAT.EXE
Token: SeDebugPrivilege	2984	NETSTAT.EXE
Token: SeDebugPrivilege	3000	NETSTAT.EXE
Token: SeDebugPrivilege	2980	NETSTAT.EXE
Token: SeDebugPrivilege	2232	NETSTAT.EXE
Token: SeDebugPrivilege	1944	NETSTAT.EXE
Token: SeDebugPrivilege	816	NETSTAT.EXE
Token: SeDebugPrivilege	2024	NETSTAT.EXE
Token: SeDebugPrivilege	1784	NETSTAT.EXE
Token: SeDebugPrivilege	760	NETSTAT.EXE
Token: SeDebugPrivilege	1480	NETSTAT.EXE
Token: SeDebugPrivilege	1972	NETSTAT.EXE
Token: SeDebugPrivilege	1216	NETSTAT.EXE
Token: SeDebugPrivilege	1600	NETSTAT.EXE
Token: SeDebugPrivilege	1152	NETSTAT.EXE
Token: SeDebugPrivilege	2648	NETSTAT.EXE
Token: SeDebugPrivilege	2288	NETSTAT.EXE
Token: SeDebugPrivilege	2300	NETSTAT.EXE
Token: SeDebugPrivilege	3060	NETSTAT.EXE
Token: SeDebugPrivilege	2544	NETSTAT.EXE
Token: SeDebugPrivilege	1332	NETSTAT.EXE
Token: SeDebugPrivilege	1748	NETSTAT.EXE
Token: SeDebugPrivilege	1380	NETSTAT.EXE
Token: SeDebugPrivilege	2088	NETSTAT.EXE
Token: SeDebugPrivilege	1044	NETSTAT.EXE
Token: SeDebugPrivilege	1392	NETSTAT.EXE
Token: SeDebugPrivilege	548	NETSTAT.EXE
Token: SeDebugPrivilege	1360	NETSTAT.EXE
Token: SeDebugPrivilege	908	NETSTAT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2172	2388	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2172	2388	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2172	2388	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2172	2388	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe	29
PID 2172 wrote to memory of 2952	2172	sys32dll.exe	30
PID 2172 wrote to memory of 2952	2172	sys32dll.exe	30
PID 2172 wrote to memory of 2952	2172	sys32dll.exe	30
PID 2172 wrote to memory of 2952	2172	sys32dll.exe	30
PID 2952 wrote to memory of 2812	2952	cmd.exe	32
PID 2952 wrote to memory of 2812	2952	cmd.exe	32
PID 2952 wrote to memory of 2812	2952	cmd.exe	32
PID 2952 wrote to memory of 2812	2952	cmd.exe	32
PID 2172 wrote to memory of 2636	2172	sys32dll.exe	33
PID 2172 wrote to memory of 2636	2172	sys32dll.exe	33
PID 2172 wrote to memory of 2636	2172	sys32dll.exe	33
PID 2172 wrote to memory of 2636	2172	sys32dll.exe	33
PID 2636 wrote to memory of 2688	2636	cmd.exe	35
PID 2636 wrote to memory of 2688	2636	cmd.exe	35
PID 2636 wrote to memory of 2688	2636	cmd.exe	35
PID 2636 wrote to memory of 2688	2636	cmd.exe	35
PID 2172 wrote to memory of 388	2172	sys32dll.exe	37
PID 2172 wrote to memory of 388	2172	sys32dll.exe	37
PID 2172 wrote to memory of 388	2172	sys32dll.exe	37
PID 2172 wrote to memory of 388	2172	sys32dll.exe	37
PID 388 wrote to memory of 2372	388	cmd.exe	39
PID 388 wrote to memory of 2372	388	cmd.exe	39
PID 388 wrote to memory of 2372	388	cmd.exe	39
PID 388 wrote to memory of 2372	388	cmd.exe	39
PID 2172 wrote to memory of 1576	2172	sys32dll.exe	40
PID 2172 wrote to memory of 1576	2172	sys32dll.exe	40
PID 2172 wrote to memory of 1576	2172	sys32dll.exe	40
PID 2172 wrote to memory of 1576	2172	sys32dll.exe	40
PID 1576 wrote to memory of 2588	1576	cmd.exe	42
PID 1576 wrote to memory of 2588	1576	cmd.exe	42
PID 1576 wrote to memory of 2588	1576	cmd.exe	42
PID 1576 wrote to memory of 2588	1576	cmd.exe	42
PID 2172 wrote to memory of 3024	2172	sys32dll.exe	43
PID 2172 wrote to memory of 3024	2172	sys32dll.exe	43
PID 2172 wrote to memory of 3024	2172	sys32dll.exe	43
PID 2172 wrote to memory of 3024	2172	sys32dll.exe	43
PID 3024 wrote to memory of 2968	3024	cmd.exe	45
PID 3024 wrote to memory of 2968	3024	cmd.exe	45
PID 3024 wrote to memory of 2968	3024	cmd.exe	45
PID 3024 wrote to memory of 2968	3024	cmd.exe	45
PID 2172 wrote to memory of 1332	2172	sys32dll.exe	46
PID 2172 wrote to memory of 1332	2172	sys32dll.exe	46
PID 2172 wrote to memory of 1332	2172	sys32dll.exe	46
PID 2172 wrote to memory of 1332	2172	sys32dll.exe	46
PID 1332 wrote to memory of 1824	1332	cmd.exe	48
PID 1332 wrote to memory of 1824	1332	cmd.exe	48
PID 1332 wrote to memory of 1824	1332	cmd.exe	48
PID 1332 wrote to memory of 1824	1332	cmd.exe	48
PID 2172 wrote to memory of 2468	2172	sys32dll.exe	49
PID 2172 wrote to memory of 2468	2172	sys32dll.exe	49
PID 2172 wrote to memory of 2468	2172	sys32dll.exe	49
PID 2172 wrote to memory of 2468	2172	sys32dll.exe	49
PID 2468 wrote to memory of 1708	2468	cmd.exe	51
PID 2468 wrote to memory of 1708	2468	cmd.exe	51
PID 2468 wrote to memory of 1708	2468	cmd.exe	51
PID 2468 wrote to memory of 1708	2468	cmd.exe	51
PID 2172 wrote to memory of 1480	2172	sys32dll.exe	52
PID 2172 wrote to memory of 1480	2172	sys32dll.exe	52
PID 2172 wrote to memory of 1480	2172	sys32dll.exe	52
PID 2172 wrote to memory of 1480	2172	sys32dll.exe	52

C:\Users\Admin\AppData\Local\Temp\268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\sys32dll.exe
  "C:\Windows\system32\sys32dll.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1668
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1528
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3052
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2116
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2312
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2328
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1820
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2688
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1160
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2960
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1504
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2428
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1944
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2244
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:688
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1920
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1040
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1960
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2108
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2668
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1888
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2512
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2928
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1824
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2184
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2064
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1688
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2488
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:940
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:972
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2848
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2652
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1436
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2920
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2696
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:264
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2840
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2204
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1088
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1012
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2744
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2896
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2584
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1988
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2492
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2928
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2220
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2464
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2384
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2340
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1996
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2196
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1116
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1152
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2484
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2652
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2888
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:324
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2384
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1488
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2480
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1184
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2364
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2276
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2308
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2968
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3016
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1252
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2444
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1736491802-1156333583-1461170043718001765-103813332012717372721414786690-1175579081"
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\win_32.bat

Filesize
50B

MD5
ddc4eae94232ebcc741eb01faa38af50

SHA1
ad1903f4a17b698f55624328f27519c14e9ec258

SHA256
bbd13a89ccf9f8025608d086a06a4c373209cea5206e8fa1ce488f108ee2b6b7

SHA512
87e52f90516d7eed284a0901d23d6b7c8a1bf8722ca2fc3c29d7e384c847810df327aa64d3236884e59d80cf9992900555f2b3dd8f889bece0bff6ab1bc026ab

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1016B

MD5
702df41846a0a5d592621dd512316adb

SHA1
70bc670ac0a4d506c506776ca556ff77571ba4af

SHA256
a7471a3a52bfeed5c8a4ac6b439e3401135f66533081ca20d73f44ca65894c1f

SHA512
1a8fd759a32a65db086708abe0a23ce06d0ee4aa0ffc6b4834e98a85d2636c0373c2d0e46039236fe1c2cc7f88cacad20ac1418e7da2b99dc561a0d6e46d62ae

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
882B

MD5
bbfde3a4cb714c5cf10fa417e07f60da

SHA1
2869137639611c3cd83253406536b6a773185e29

SHA256
db88367b1445fd6dff34a4eb038c2d3e0bf12642cdd4d28e0b0d4b62a40d9109

SHA512
192ae2fedf6f806753a6ff9e578445ee1f2e4f05eab9385aaba95f0b26eb323c6753cdbc06e9899923b4c3729ba38db15bf7f62cdb58118d564c74f710628fc7

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
750B

MD5
e6f462fccd6d2d2da07a6880103a6d56

SHA1
db95978ddd0a54c9b7650d42ae2d4bc7a3447ae1

SHA256
bce7ea890b6a710be7d5f0915a326c4748f74421b6ee0196b3c3c47015ce551b

SHA512
56e2961be0efd6eafbb3da5fc15ba89d1c3165c96d5b0e9ab75e530b683c1c683fdf210d09573788cb8011ce807f197841294552fe04500be517dc8fee2e389f

Download Submit
\Windows\SysWOW64\sys32dll.exe

Filesize
46KB

MD5
268c432b333726dd06ecddfda2aa55bd

SHA1
46309005cc3c5db54113a310fb33f3ad9fd19d3b

SHA256
fecb1f5772ea4997ca01791ed9d1b60d59a5f99fd68b08cc864d3f1da4b3f8f3

SHA512
f89b0981b9ed10188ad9d1db83934f0ec0c5ccff581630ebe965e10be58b33b7455a843786a279c459b1193aaaf0481ea5da489a2825aa321d76f7f88bba31cf

Download Submit
memory/2172-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2388-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2388-12-0x0000000002820000-0x0000000002856000-memory.dmp

Filesize
216KB

Download
memory/2388-13-0x0000000002820000-0x0000000002856000-memory.dmp

Filesize
216KB

Download
memory/2388-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download