fecb1f5772ea4997ca01791ed9d1b60d59a5f99fd68b08cc864d3f1da4b3f8f3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
Size

46KB
MD5

268c432b333726dd06ecddfda2aa55bd
SHA1

46309005cc3c5db54113a310fb33f3ad9fd19d3b
SHA256

fecb1f5772ea4997ca01791ed9d1b60d59a5f99fd68b08cc864d3f1da4b3f8f3
SHA512

f89b0981b9ed10188ad9d1db83934f0ec0c5ccff581630ebe965e10be58b33b7455a843786a279c459b1193aaaf0481ea5da489a2825aa321d76f7f88bba31cf
SSDEEP

768:Px4RQqom3M79vmqZFdALOXmeQY/0ymGWjxWn37ZjOL5Gcz6jU:2eNEG2LG3QY/BmG+O3IFzz6jU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	sys32dll.exe

Executes dropped EXE 1 IoCs

pid	Process
4044	sys32dll.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\win_32.bat	sys32dll.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe
File created	C:\Windows\SysWOW64\win_32.txt	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 64 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
824	NETSTAT.EXE
4952	NETSTAT.EXE
1888	NETSTAT.EXE
536	NETSTAT.EXE
1744	NETSTAT.EXE
4176	NETSTAT.EXE
2336	NETSTAT.EXE
3948	NETSTAT.EXE
736	NETSTAT.EXE
1052	NETSTAT.EXE
444	NETSTAT.EXE
2240	NETSTAT.EXE
4808	NETSTAT.EXE
1628	NETSTAT.EXE
1256	NETSTAT.EXE
3432	NETSTAT.EXE
3624	NETSTAT.EXE
1316	NETSTAT.EXE
2568	NETSTAT.EXE
4160	NETSTAT.EXE
2624	NETSTAT.EXE
3848	NETSTAT.EXE
1804	NETSTAT.EXE
3520	NETSTAT.EXE
2628	NETSTAT.EXE
5092	NETSTAT.EXE
4448	NETSTAT.EXE
4488	NETSTAT.EXE
3404	NETSTAT.EXE
728	NETSTAT.EXE
1272	NETSTAT.EXE
4040	NETSTAT.EXE
1156	NETSTAT.EXE
3388	NETSTAT.EXE
3564	NETSTAT.EXE
4808	NETSTAT.EXE
1052	NETSTAT.EXE
4952	NETSTAT.EXE
560	NETSTAT.EXE
2928	NETSTAT.EXE
1620	NETSTAT.EXE
3568	NETSTAT.EXE
4380	NETSTAT.EXE
2528	NETSTAT.EXE
2556	NETSTAT.EXE
3796	NETSTAT.EXE
4224	NETSTAT.EXE
3320	NETSTAT.EXE
2284	NETSTAT.EXE
3532	NETSTAT.EXE
1552	NETSTAT.EXE
4560	NETSTAT.EXE
4104	NETSTAT.EXE
3660	NETSTAT.EXE
3580	NETSTAT.EXE
4652	NETSTAT.EXE
3108	NETSTAT.EXE
3524	NETSTAT.EXE
2388	NETSTAT.EXE
716	NETSTAT.EXE
2900	NETSTAT.EXE
4116	NETSTAT.EXE
4472	NETSTAT.EXE
2360	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4044	sys32dll.exe
4044	sys32dll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4044	sys32dll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	NETSTAT.EXE
Token: SeDebugPrivilege	1976	NETSTAT.EXE
Token: SeDebugPrivilege	3796	NETSTAT.EXE
Token: SeDebugPrivilege	3404	NETSTAT.EXE
Token: SeDebugPrivilege	208	NETSTAT.EXE
Token: SeDebugPrivilege	3584	NETSTAT.EXE
Token: SeDebugPrivilege	1768	NETSTAT.EXE
Token: SeDebugPrivilege	4224	NETSTAT.EXE
Token: SeDebugPrivilege	4808	NETSTAT.EXE
Token: SeDebugPrivilege	4400	NETSTAT.EXE
Token: SeDebugPrivilege	2388	NETSTAT.EXE
Token: SeDebugPrivilege	3332	NETSTAT.EXE
Token: SeDebugPrivilege	536	NETSTAT.EXE
Token: SeDebugPrivilege	2240	NETSTAT.EXE
Token: SeDebugPrivilege	3520	NETSTAT.EXE
Token: SeDebugPrivilege	1744	NETSTAT.EXE
Token: SeDebugPrivilege	2628	NETSTAT.EXE
Token: SeDebugPrivilege	4160	NETSTAT.EXE
Token: SeDebugPrivilege	1052	NETSTAT.EXE
Token: SeDebugPrivilege	3432	NETSTAT.EXE
Token: SeDebugPrivilege	2884	NETSTAT.EXE
Token: SeDebugPrivilege	2172	NETSTAT.EXE
Token: SeDebugPrivilege	2248	NETSTAT.EXE
Token: SeDebugPrivilege	972	NETSTAT.EXE
Token: SeDebugPrivilege	880	NETSTAT.EXE
Token: SeDebugPrivilege	2928	NETSTAT.EXE
Token: SeDebugPrivilege	1036	NETSTAT.EXE
Token: SeDebugPrivilege	728	NETSTAT.EXE
Token: SeDebugPrivilege	2360	NETSTAT.EXE
Token: SeDebugPrivilege	2336	NETSTAT.EXE
Token: SeDebugPrivilege	1272	NETSTAT.EXE
Token: SeDebugPrivilege	3320	NETSTAT.EXE
Token: SeDebugPrivilege	2288	NETSTAT.EXE
Token: SeDebugPrivilege	3648	NETSTAT.EXE
Token: SeDebugPrivilege	3624	NETSTAT.EXE
Token: SeDebugPrivilege	4636	NETSTAT.EXE
Token: SeDebugPrivilege	5092	NETSTAT.EXE
Token: SeDebugPrivilege	3948	NETSTAT.EXE
Token: SeDebugPrivilege	380	NETSTAT.EXE
Token: SeDebugPrivilege	3796	NETSTAT.EXE
Token: SeDebugPrivilege	4628	NETSTAT.EXE
Token: SeDebugPrivilege	4380	NETSTAT.EXE
Token: SeDebugPrivilege	4016	NETSTAT.EXE
Token: SeDebugPrivilege	3848	NETSTAT.EXE
Token: SeDebugPrivilege	4104	NETSTAT.EXE
Token: SeDebugPrivilege	3660	NETSTAT.EXE
Token: SeDebugPrivilege	4040	NETSTAT.EXE
Token: SeDebugPrivilege	2284	NETSTAT.EXE
Token: SeDebugPrivilege	5096	NETSTAT.EXE
Token: SeDebugPrivilege	3532	NETSTAT.EXE
Token: SeDebugPrivilege	2624	NETSTAT.EXE
Token: SeDebugPrivilege	1552	NETSTAT.EXE
Token: SeDebugPrivilege	2240	NETSTAT.EXE
Token: SeDebugPrivilege	4508	NETSTAT.EXE
Token: SeDebugPrivilege	716	NETSTAT.EXE
Token: SeDebugPrivilege	736	NETSTAT.EXE
Token: SeDebugPrivilege	4160	NETSTAT.EXE
Token: SeDebugPrivilege	1888	NETSTAT.EXE
Token: SeDebugPrivilege	1300	NETSTAT.EXE
Token: SeDebugPrivilege	2764	NETSTAT.EXE
Token: SeDebugPrivilege	1316	NETSTAT.EXE
Token: SeDebugPrivilege	3524	NETSTAT.EXE
Token: SeDebugPrivilege	4320	NETSTAT.EXE
Token: SeDebugPrivilege	4952	NETSTAT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 4044	3868	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe	83
PID 3868 wrote to memory of 4044	3868	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe	83
PID 3868 wrote to memory of 4044	3868	268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe	83
PID 4044 wrote to memory of 5036	4044	sys32dll.exe	84
PID 4044 wrote to memory of 5036	4044	sys32dll.exe	84
PID 4044 wrote to memory of 5036	4044	sys32dll.exe	84
PID 5036 wrote to memory of 3388	5036	cmd.exe	86
PID 5036 wrote to memory of 3388	5036	cmd.exe	86
PID 5036 wrote to memory of 3388	5036	cmd.exe	86
PID 4044 wrote to memory of 3068	4044	sys32dll.exe	87
PID 4044 wrote to memory of 3068	4044	sys32dll.exe	87
PID 4044 wrote to memory of 3068	4044	sys32dll.exe	87
PID 3068 wrote to memory of 1976	3068	cmd.exe	89
PID 3068 wrote to memory of 1976	3068	cmd.exe	89
PID 3068 wrote to memory of 1976	3068	cmd.exe	89
PID 4044 wrote to memory of 4428	4044	sys32dll.exe	90
PID 4044 wrote to memory of 4428	4044	sys32dll.exe	90
PID 4044 wrote to memory of 4428	4044	sys32dll.exe	90
PID 4428 wrote to memory of 3796	4428	cmd.exe	92
PID 4428 wrote to memory of 3796	4428	cmd.exe	92
PID 4428 wrote to memory of 3796	4428	cmd.exe	92
PID 4044 wrote to memory of 3700	4044	sys32dll.exe	93
PID 4044 wrote to memory of 3700	4044	sys32dll.exe	93
PID 4044 wrote to memory of 3700	4044	sys32dll.exe	93
PID 3700 wrote to memory of 3404	3700	cmd.exe	95
PID 3700 wrote to memory of 3404	3700	cmd.exe	95
PID 3700 wrote to memory of 3404	3700	cmd.exe	95
PID 4044 wrote to memory of 2092	4044	sys32dll.exe	96
PID 4044 wrote to memory of 2092	4044	sys32dll.exe	96
PID 4044 wrote to memory of 2092	4044	sys32dll.exe	96
PID 2092 wrote to memory of 208	2092	cmd.exe	98
PID 2092 wrote to memory of 208	2092	cmd.exe	98
PID 2092 wrote to memory of 208	2092	cmd.exe	98
PID 4044 wrote to memory of 2540	4044	sys32dll.exe	99
PID 4044 wrote to memory of 2540	4044	sys32dll.exe	99
PID 4044 wrote to memory of 2540	4044	sys32dll.exe	99
PID 2540 wrote to memory of 3584	2540	cmd.exe	101
PID 2540 wrote to memory of 3584	2540	cmd.exe	101
PID 2540 wrote to memory of 3584	2540	cmd.exe	101
PID 4044 wrote to memory of 4104	4044	sys32dll.exe	102
PID 4044 wrote to memory of 4104	4044	sys32dll.exe	102
PID 4044 wrote to memory of 4104	4044	sys32dll.exe	102
PID 4104 wrote to memory of 1768	4104	cmd.exe	104
PID 4104 wrote to memory of 1768	4104	cmd.exe	104
PID 4104 wrote to memory of 1768	4104	cmd.exe	104
PID 4044 wrote to memory of 1656	4044	sys32dll.exe	105
PID 4044 wrote to memory of 1656	4044	sys32dll.exe	105
PID 4044 wrote to memory of 1656	4044	sys32dll.exe	105
PID 1656 wrote to memory of 4224	1656	cmd.exe	107
PID 1656 wrote to memory of 4224	1656	cmd.exe	107
PID 1656 wrote to memory of 4224	1656	cmd.exe	107
PID 4044 wrote to memory of 2400	4044	sys32dll.exe	108
PID 4044 wrote to memory of 2400	4044	sys32dll.exe	108
PID 4044 wrote to memory of 2400	4044	sys32dll.exe	108
PID 2400 wrote to memory of 4808	2400	cmd.exe	110
PID 2400 wrote to memory of 4808	2400	cmd.exe	110
PID 2400 wrote to memory of 4808	2400	cmd.exe	110
PID 4044 wrote to memory of 2772	4044	sys32dll.exe	111
PID 4044 wrote to memory of 2772	4044	sys32dll.exe	111
PID 4044 wrote to memory of 2772	4044	sys32dll.exe	111
PID 2772 wrote to memory of 4400	2772	cmd.exe	113
PID 2772 wrote to memory of 4400	2772	cmd.exe	113
PID 2772 wrote to memory of 4400	2772	cmd.exe	113
PID 4044 wrote to memory of 1648	4044	sys32dll.exe	114

C:\Users\Admin\AppData\Local\Temp\268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\268c432b333726dd06ecddfda2aa55bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\SysWOW64\sys32dll.exe
  "C:\Windows\system32\sys32dll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1648
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3048
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1844
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4432
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2852
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2392
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1468
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2544
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4024
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2824
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4016
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:964
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4104
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1796
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2956
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4672
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3456
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4364
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1724
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2852
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:736
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4252
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3868
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1416
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2764
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2884
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4024
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4644
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:816
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1244
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4808
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:668
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2336
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4440
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3828
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2412
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4852
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3792
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3616
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3228
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4112
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:5084
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:520
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:964
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1992
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:468
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4208
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3108
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2244
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3892
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4728
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3456
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2020
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1228
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:760
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:716
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3624
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2392
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4256
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2136
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3076
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:3848
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3556
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2612
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4560
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2900
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:628
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1640
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1292
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4512
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:2740
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:560
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:1064
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3496
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:4568
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:2632
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:532
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3564
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:5024
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    - Drops file in System32 directory
    PID:3992
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\win_32.bat" "
    3⤵
    PID:460
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an -p tcp
      4⤵
      Gathers network information
      PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sys32dll.exe

Filesize
46KB

MD5
268c432b333726dd06ecddfda2aa55bd

SHA1
46309005cc3c5db54113a310fb33f3ad9fd19d3b

SHA256
fecb1f5772ea4997ca01791ed9d1b60d59a5f99fd68b08cc864d3f1da4b3f8f3

SHA512
f89b0981b9ed10188ad9d1db83934f0ec0c5ccff581630ebe965e10be58b33b7455a843786a279c459b1193aaaf0481ea5da489a2825aa321d76f7f88bba31cf

Download Submit
C:\Windows\SysWOW64\win_32.bat

Filesize
50B

MD5
ddc4eae94232ebcc741eb01faa38af50

SHA1
ad1903f4a17b698f55624328f27519c14e9ec258

SHA256
bbd13a89ccf9f8025608d086a06a4c373209cea5206e8fa1ce488f108ee2b6b7

SHA512
87e52f90516d7eed284a0901d23d6b7c8a1bf8722ca2fc3c29d7e384c847810df327aa64d3236884e59d80cf9992900555f2b3dd8f889bece0bff6ab1bc026ab

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1KB

MD5
8cb59ac0541edbd3bfd19241c701ee27

SHA1
33e7c884b80562e97481220b101097970e4b1daf

SHA256
92d1a4823b18e6279fdf7e783be4866c4c01a773cfcd5640f1a2d3be3039db44

SHA512
67b9501fbd2b19b2a81ba439e091e41132b33494c9f2fc5534339909933c0e74d4e99fca3d3f1f443f9fd94f119644318f7782fd31727e0fdb81d4fb93d4afb8

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1KB

MD5
7f2db0590e6353995abf2247bf8597b8

SHA1
13a8d204de860edb4bfc1d213e00e8ca6258d9c6

SHA256
e90b29a5006c48259e3ab6cca6c5e6e0ece3bf9e977736acb454504aaeddbdf2

SHA512
b3902b08d79b7623e192724743c2e150d66bd7df86925849c5324e8bd8f99a9360201d41869dc2a41c9da2d9b7a1a3114255a13875a6d307a46ba355ed304112

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1KB

MD5
e8e8e7134e237770dba06564af5c1b60

SHA1
06f136eebea137f8d954aa1fcdd47b493655b161

SHA256
6f9eb74af5a8427d7d07450fca145b5a9ca585ac4637d60e1284e9f05e5bc5da

SHA512
220fc8067812ce7cd61f39dcc3c553487bf9b22b4711cf162268e5071466e3b8af225f32101f10829e4b5a8499804a810e60efb6ef120190fae5d16755724e17

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1KB

MD5
52236bf5880e02650ffe74bb2b358353

SHA1
11e15e63df1021665c6497015f74e0cf029c2708

SHA256
ef07ea3a02a2a6f6495e419ba312bdd51d38256adc8dbce35daae042403ecd38

SHA512
f2ad81d83f6907ebad527dc948e41699b756fbb53ebcc649fc294a32c784db251ff42f57fd7b815eb86f7c5a094c82da4e2fc8dd7ede73a613a4eca6cdb731b8

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1KB

MD5
ed2bdff5cc4fd12e58b7a321fedcbc2b

SHA1
027e61ba215a2dcc885e0042d4e2162a6b88e240

SHA256
9ad700b7224a7bb370ebdda10eeaa143a3662206f4b926d1b8f2862995bbea16

SHA512
3bf9b88ba4a40beec6ca10ec1bc60e4ff792307f31d925317bbe1afba3fd93b6f23bf14c1d18a1565b80e184c927dcf1997a20993ae22e13659d67c71e0480ae

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1KB

MD5
86b3d781759f82ed1c34b95206c189b3

SHA1
131f66789fa45a2403af2166afb3f72ed27f9795

SHA256
a4ba0a88adfa32b1b0172541e235d322bdc6fb5e067e3190b2d970ac1575f258

SHA512
7cf20a4a8fde63c702e5a9ba4d00e558471efcf4a6c12e52e53aaa695472cf9e55545b783547e7530c32e6e9303b50295c9c4d39a470dc96a1734ff6c9187015

Download Submit
C:\Windows\SysWOW64\win_32.txt

Filesize
1KB

MD5
54e6f9ab042c7ea9c78883471d5aa373

SHA1
ae1cbd08309c10de382e5629f6a95fb525d702a4

SHA256
4e2af4f773d7197bf86d7070a630e6b0f5567c62cf6b491d0e025958e430fac8

SHA512
20231c0688cd621063a4b297bb7dd5152ec74fde71b9915204ec3f55bd2db3128fd21046afd5e8a162cd8f2b40de811a4ecef557922f8d11777f30ccd7123004

Download Submit
memory/3868-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3868-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4044-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download