5207c0125327c9c4b4508ec553f0514bfb3f21b77264b80b1a1b81135a2bfe7f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-01-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a265cbedcc861fa59c051532563b610.exe
Size

40KB
MD5

5a265cbedcc861fa59c051532563b610
SHA1

92acef504ce306474e180fb8c2ec777a8d5d174f
SHA256

5207c0125327c9c4b4508ec553f0514bfb3f21b77264b80b1a1b81135a2bfe7f
SHA512

1cc06f3fb31bbd90003e69427877b313278fd2e8711471c3eaee84195bc5cbeef0c407747191394297ca6a788b36d9934d25c944a9e7298c8696f4701cba5a86
SSDEEP

768:qFB04HzfVsb9Tq8gps2gF7cp2i7NqMLfUGnMGFH1HIewmNLi/A3NaNNn0tr8NNN+:qFBnT6epNgF767NqysGnDfIehNLi/A3l

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\DefragFs.exe	Process not Found

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 31 IoCs

pid	Process
2096	DefragFs.exe
2936	DefragFs.exe
2860	DefragFs.exe
2636	DefragFs.exe
328	DefragFs.exe
2996	DefragFs.exe
332	DefragFs.exe
1936	DefragFs.exe
2284	DefragFs.exe
764	DefragFs.exe
796	DefragFs.exe
1884	DefragFs.exe
2352	DefragFs.exe
3008	DefragFs.exe
2196	DefragFs.exe
1868	attrib.exe
1608	DefragFs.exe
2456	attrib.exe
2040	attrib.exe
1768	DefragFs.exe
1408	DefragFs.exe
2512	DefragFs.exe
612	DefragFs.exe
2616	DefragFs.exe
2660	attrib.exe
1672	attrib.exe
2056	DefragFs.exe
1936	DefragFs.exe
2936	attrib.exe
2868	DefragFs.exe
856	attrib.exe

Loads dropped DLL 62 IoCs

pid	Process
1988	5a265cbedcc861fa59c051532563b610.exe
1988	5a265cbedcc861fa59c051532563b610.exe
2096	Process not Found
2096	Process not Found
2936	DefragFs.exe
2936	DefragFs.exe
2860	DefragFs.exe
2860	DefragFs.exe
2636	DefragFs.exe
2636	DefragFs.exe
328	DefragFs.exe
328	DefragFs.exe
2996	DefragFs.exe
2996	DefragFs.exe
332	DefragFs.exe
332	DefragFs.exe
1936	DefragFs.exe
1936	DefragFs.exe
2284	DefragFs.exe
2284	DefragFs.exe
764	DefragFs.exe
764	DefragFs.exe
796	DefragFs.exe
796	DefragFs.exe
1884	DefragFs.exe
1884	DefragFs.exe
2352	DefragFs.exe
2352	DefragFs.exe
3008	DefragFs.exe
3008	DefragFs.exe
2196	DefragFs.exe
2196	DefragFs.exe
1868	attrib.exe
1868	attrib.exe
1608	DefragFs.exe
1608	DefragFs.exe
2456	attrib.exe
2456	attrib.exe
2040	attrib.exe
2040	attrib.exe
1768	DefragFs.exe
1768	DefragFs.exe
1408	DefragFs.exe
1408	DefragFs.exe
2512	DefragFs.exe
2512	DefragFs.exe
612	DefragFs.exe
612	DefragFs.exe
2616	DefragFs.exe
2616	DefragFs.exe
2660	attrib.exe
2660	attrib.exe
1672	attrib.exe
1672	attrib.exe
2056	DefragFs.exe
2056	DefragFs.exe
1936	DefragFs.exe
1936	DefragFs.exe
2936	attrib.exe
2936	attrib.exe
2868	DefragFs.exe
2868	DefragFs.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x000d000000012325-6.dat	upx
behavioral1/memory/2096-14-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2936-25-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1988-44-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2096-43-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/328-75-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x000d000000012325-71.dat	upx
behavioral1/files/0x000d000000012325-74.dat	upx
behavioral1/files/0x000d000000012325-96.dat	upx
behavioral1/memory/332-99-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2352-177-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x000d000000012325-193.dat	upx
behavioral1/memory/1608-233-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1408-267-0x00000000007F0000-0x0000000000813000-memory.dmp	upx
behavioral1/memory/2512-280-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2616-287-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2056-296-0x0000000000480000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2936-308-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/856-306-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2868-305-0x00000000003D0000-0x00000000003F3000-memory.dmp	upx
behavioral1/memory/1936-300-0x0000000001BB0000-0x0000000001BD3000-memory.dmp	upx
behavioral1/memory/1672-288-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2040-254-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1868-223-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1608-221-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1868-212-0x0000000001D00000-0x0000000001D23000-memory.dmp	upx
behavioral1/memory/2196-208-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1884-161-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2284-120-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1936-106-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2996-91-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2860-60-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2936-52-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2860-45-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2868-316-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
1988	5a265cbedcc861fa59c051532563b610.exe
2096	Process not Found
2936	DefragFs.exe
2860	DefragFs.exe
2636	DefragFs.exe
328	DefragFs.exe
2996	DefragFs.exe
332	DefragFs.exe
1936	DefragFs.exe
2284	DefragFs.exe
764	DefragFs.exe
796	DefragFs.exe
1884	DefragFs.exe
2352	DefragFs.exe
3008	DefragFs.exe
2196	DefragFs.exe
1868	attrib.exe
1608	DefragFs.exe
2456	attrib.exe
2040	attrib.exe
1768	DefragFs.exe
1408	DefragFs.exe
2512	DefragFs.exe
612	DefragFs.exe
2616	DefragFs.exe
2660	attrib.exe
1672	attrib.exe
2056	DefragFs.exe
1936	DefragFs.exe
2936	attrib.exe
2868	DefragFs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2096	1988	5a265cbedcc861fa59c051532563b610.exe	28
PID 1988 wrote to memory of 2096	1988	5a265cbedcc861fa59c051532563b610.exe	28
PID 1988 wrote to memory of 2096	1988	5a265cbedcc861fa59c051532563b610.exe	28
PID 1988 wrote to memory of 2096	1988	5a265cbedcc861fa59c051532563b610.exe	28
PID 2096 wrote to memory of 2936	2096	Process not Found	411
PID 2096 wrote to memory of 2936	2096	Process not Found	411
PID 2096 wrote to memory of 2936	2096	Process not Found	411
PID 2096 wrote to memory of 2936	2096	Process not Found	411
PID 2936 wrote to memory of 2860	2936	DefragFs.exe	410
PID 2936 wrote to memory of 2860	2936	DefragFs.exe	410
PID 2936 wrote to memory of 2860	2936	DefragFs.exe	410
PID 2936 wrote to memory of 2860	2936	DefragFs.exe	410
PID 2096 wrote to memory of 2836	2096	Process not Found	409
PID 2096 wrote to memory of 2836	2096	Process not Found	409
PID 2096 wrote to memory of 2836	2096	Process not Found	409
PID 2096 wrote to memory of 2836	2096	Process not Found	409
PID 1988 wrote to memory of 2700	1988	5a265cbedcc861fa59c051532563b610.exe	408
PID 1988 wrote to memory of 2700	1988	5a265cbedcc861fa59c051532563b610.exe	408
PID 1988 wrote to memory of 2700	1988	5a265cbedcc861fa59c051532563b610.exe	408
PID 1988 wrote to memory of 2700	1988	5a265cbedcc861fa59c051532563b610.exe	408
PID 2936 wrote to memory of 1000	2936	DefragFs.exe	404
PID 2936 wrote to memory of 1000	2936	DefragFs.exe	404
PID 2936 wrote to memory of 1000	2936	DefragFs.exe	404
PID 2936 wrote to memory of 1000	2936	DefragFs.exe	404
PID 2860 wrote to memory of 2636	2860	DefragFs.exe	405
PID 2860 wrote to memory of 2636	2860	DefragFs.exe	405
PID 2860 wrote to memory of 2636	2860	DefragFs.exe	405
PID 2860 wrote to memory of 2636	2860	DefragFs.exe	405
PID 2700 wrote to memory of 1668	2700	cmd.exe	403
PID 2700 wrote to memory of 1668	2700	cmd.exe	403
PID 2700 wrote to memory of 1668	2700	cmd.exe	403
PID 2700 wrote to memory of 1668	2700	cmd.exe	403
PID 2836 wrote to memory of 1868	2836	cmd.exe	402
PID 2836 wrote to memory of 1868	2836	cmd.exe	402
PID 2836 wrote to memory of 1868	2836	cmd.exe	402
PID 2836 wrote to memory of 1868	2836	cmd.exe	402
PID 2860 wrote to memory of 1088	2860	DefragFs.exe	399
PID 2860 wrote to memory of 1088	2860	DefragFs.exe	399
PID 2860 wrote to memory of 1088	2860	DefragFs.exe	399
PID 2860 wrote to memory of 1088	2860	DefragFs.exe	399
PID 2636 wrote to memory of 328	2636	DefragFs.exe	400
PID 2636 wrote to memory of 328	2636	DefragFs.exe	400
PID 2636 wrote to memory of 328	2636	DefragFs.exe	400
PID 2636 wrote to memory of 328	2636	DefragFs.exe	400
PID 1000 wrote to memory of 1352	1000	cmd.exe	419
PID 1000 wrote to memory of 1352	1000	cmd.exe	419
PID 1000 wrote to memory of 1352	1000	cmd.exe	419
PID 1000 wrote to memory of 1352	1000	cmd.exe	419
PID 2836 wrote to memory of 2740	2836	cmd.exe	396
PID 2836 wrote to memory of 2740	2836	cmd.exe	396
PID 2836 wrote to memory of 2740	2836	cmd.exe	396
PID 2836 wrote to memory of 2740	2836	cmd.exe	396
PID 1000 wrote to memory of 2884	1000	cmd.exe	395
PID 1000 wrote to memory of 2884	1000	cmd.exe	395
PID 1000 wrote to memory of 2884	1000	cmd.exe	395
PID 1000 wrote to memory of 2884	1000	cmd.exe	395
PID 2836 wrote to memory of 2872	2836	cmd.exe	394
PID 2836 wrote to memory of 2872	2836	cmd.exe	394
PID 2836 wrote to memory of 2872	2836	cmd.exe	394
PID 2836 wrote to memory of 2872	2836	cmd.exe	394
PID 1088 wrote to memory of 2756	1088	cmd.exe	244
PID 1088 wrote to memory of 2756	1088	cmd.exe	244
PID 1088 wrote to memory of 2756	1088	cmd.exe	244
PID 1088 wrote to memory of 2756	1088	cmd.exe	244

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1872	Process not Found
1524	Process not Found
2456	Process not Found
2788	Process not Found
1400	attrib.exe
1816	attrib.exe
2100	Process not Found
2780	Process not Found
3052	Process not Found
356	Process not Found
2780	Process not Found
2880	Process not Found
2976	attrib.exe
3036	Process not Found
2612	Process not Found
1420	Process not Found
2768	Process not Found
792	Process not Found
2596	Process not Found
1220	Process not Found
2536	attrib.exe
1716	attrib.exe
2872	Process not Found
2000	Process not Found
1868	Process not Found
2332	Process not Found
1244	Process not Found
2888	Process not Found
764	Process not Found
2092	Process not Found
2084	Process not Found
1528	attrib.exe
328	Process not Found
560	Process not Found
2236	Process not Found
2904	attrib.exe
1668	Process not Found
2808	Process not Found
1680	attrib.exe
2492	Process not Found
996	Process not Found
2600	Process not Found
2384	Process not Found
796	Process not Found
2604	Process not Found
1472	Process not Found
296	Process not Found
2252	attrib.exe
1736	Process not Found
1020	attrib.exe
1508	Process not Found
1648	Process not Found
2440	Process not Found
1104	Process not Found
356	Process not Found
1596	attrib.exe
2356	attrib.exe
1356	Process not Found
1296	Process not Found
680	Process not Found
2020	Process not Found
2740	Process not Found
2460	Process not Found
2952	Process not Found

C:\Users\Admin\AppData\Local\Temp\5a265cbedcc861fa59c051532563b610.exe
"C:\Users\Admin\AppData\Local\Temp\5a265cbedcc861fa59c051532563b610.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2700

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2756

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2456
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:356
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2744
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\SysWOW64\drivers\a.bat
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\drivers\DefragFs.exe
    C:\Windows\system32\drivers\DefragFs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2284

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:848
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1944
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2512

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2236

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:1896
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2704
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1020
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2256
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1108
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:764
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2768
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1636
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2112
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2516
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2436
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2652
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1672
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2268
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1676
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  - Views/modifies file attributes
  PID:1020
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1936
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1080
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2816
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2360
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2724
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1524
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:240
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:540
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1544
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1916
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2976
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2644
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2796
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:996
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:540
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2112

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1568

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1860

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:344
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2184
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1884

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2272

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:824

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2264

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2824

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1284

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1860

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:808

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2588

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2352

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:336

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2696

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2516

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2720

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2424

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1780

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2796

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:380
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    - Views/modifies file attributes
    PID:1680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1608
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  PID:2660

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:580

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:336

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1308

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2220

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2632

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2508

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1416

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2976

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2956

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2596

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:612

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1420

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Views/modifies file attributes
PID:1596

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    - Views/modifies file attributes
    PID:1528
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    - Drops file in Drivers directory
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:880
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3008

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:108

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3044

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:1264
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:612

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2588

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1588

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:996

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Views/modifies file attributes
PID:2904

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2196

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2224

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2612

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1108

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1484

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:344

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2888

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2652

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2780

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2592

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:452

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2760

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2356

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1880

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:808

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1532

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1504

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2272

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1716

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1436

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2000

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2468

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2100

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:356

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1816

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1812

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2252

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2732

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2332

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1152

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2740

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:560

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2304

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2432

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1736

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2412

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1728

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2396

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1544

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2744

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1252

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2852

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1608

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2168

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:324

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2940

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3064

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2756

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2824

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2724

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2568

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3008

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2492

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1944

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2788

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2772

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1912

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:540

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:336
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2440
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\SysWOW64\drivers\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      Views/modifies file attributes
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\drivers\DefragFs.exe
    C:\Windows\system32\drivers\DefragFs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2860

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2088

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2156

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1604

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1352

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2440

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1432

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2856

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    - Drops file in Drivers directory
    PID:2860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2384
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2056

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:356

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2264

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2572

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2632

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1416

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2220

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2952

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1584

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2940
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1608

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1228

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2596

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:944
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2616

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1420

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1020

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1596

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:108

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3044

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2980

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1588

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:996

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2796

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:2884
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  PID:1868

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2904

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2224

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2612

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1484

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1468

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:412

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2344

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1916

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1472

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2760

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Views/modifies file attributes
PID:2356

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1780

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1880

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2704

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1504

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2272

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1532

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1716

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1436

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2000

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1812

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2468

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1816

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2100

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Views/modifies file attributes
PID:2252

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1152

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1872

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:560

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2324

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2332

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2436

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2112

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:2312
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2656
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2324
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2224
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2220
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2752
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1532
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:612
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2832
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1864
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:344
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2856
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1240
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1056
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1228
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1944
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2304
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:988
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2264
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1608
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2404
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:612
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2656

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
PID:856

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:292
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:336
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2864

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1768
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1408

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2092

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2268

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1240

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:792

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:324

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:1424
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1352
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1544
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1472
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2956
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2900
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2432
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2612
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1432
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2568
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2952
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2896
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1872
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:344
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2156
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1080
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2704
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2236
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2772
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2324
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2776
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1672
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2752

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:344
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:328
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:356
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2896
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  PID:2456

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3064

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
PID:1672

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2756

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2568

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2724

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2492

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:380
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:992
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1912
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2196

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2656

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2832

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1432

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2696

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2508

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1228

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1524

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1596

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2764

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2084

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2776

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2888

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:988

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1468

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2592

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:452

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1160

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2780

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:292

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1536

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1504

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1716

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2000

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2416

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2468

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2288

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2176

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2252

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1872

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1152

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1680

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2936
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:792
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2996
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:796

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2460

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2324

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1284

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2436

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2976

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1764

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2052

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:912

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2316

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1544

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:856

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:3012
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1604
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2744
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:824
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1420
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1624
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1152
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2888
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:3052
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:324
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1716
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1228
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2528
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1152
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1880
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:336
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1400
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1524
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2296
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2656
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2044
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1504
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2952
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:1972
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1860
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2780
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2264
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:3036
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2252
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:412
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2056
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2852
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2356
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:336
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2880
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2512
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2296
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  - Drops file in Drivers directory
  PID:2396
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2600
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:580
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:3064
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1812
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2716
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2856
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1284

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
PID:2040

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2088

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1508

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1604

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2740

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\drivers\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    - Views/modifies file attributes
    PID:1400
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:292
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:328
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:356
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
    3⤵
    PID:1240
- C:\Windows\SysWOW64\drivers\DefragFs.exe
  C:\Windows\system32\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2640

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3020

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2772

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2516

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:2672
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2864
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1528
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1524
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1352
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1240
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1504
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1596
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2456
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:560
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2872
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2696
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1252
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1436
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1584
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2936
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2432
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2344
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2620
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2092
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2980
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1228
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2528

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2224

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:944
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2696
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2972
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1160
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  - Views/modifies file attributes
  PID:2976
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2300
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1812
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  - Drops file in Drivers directory
  PID:2796
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2620
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1608
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1536
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2220
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2644
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2176
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2716
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2056
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1884
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2220
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2824
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2740
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2872
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1352
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1252

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:320
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2264
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2268
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1884
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:108
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:540
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1544
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1780
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2976
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1220
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1812
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2604
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2516
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2112
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:824
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2952
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2896
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2000
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1676
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:680
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1080
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1536
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:380
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1228

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1484

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2324

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1780

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:1692
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2300
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1872
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2196
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1432
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2940
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1536
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2352
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2656
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2044
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2892
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2256
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2384
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1816
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2444
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2528
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1908
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1880
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:780
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2168
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2548
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:108
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2788

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3000

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Drops file in Drivers directory
PID:1568

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2932

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1404

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1056

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1416

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1016

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:1968
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2856
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1252
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:292
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:580
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2936
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2332
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1108
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:780
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2268
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1436
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1868
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1944
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:764
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1780
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2256
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2940
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2348
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1924
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2832
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:560
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2816
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2360
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1400

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1712

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1996

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1940

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3068

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:3064

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2444

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1176

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1264
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2996
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2272
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2352
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2788
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2112
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1880
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2956
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2900
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2740
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:240
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:540
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1544
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1472
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1296
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:324
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2176
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:344
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1532
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:580
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2924

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2152

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1584

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1588

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:1492
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:3036
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2524
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:996
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:808
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:580
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2896
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2252
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2296
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2396
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1916
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2068
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1220
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2416
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1408
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1936
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2972
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2572
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2456

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1580

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2164

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1672

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
PID:1640
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:3004
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1536
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:612
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1912
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1860
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2872
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2632
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2924
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2100
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1924
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1912
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2436
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2592
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2808
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:880
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2512
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2604
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1668
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2396
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2356
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2632
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1220

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2872

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2884
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2380
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:796
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1588
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1252
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2760
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2596
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1236
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2332
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2716
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2156
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2272
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  - Views/modifies file attributes
  PID:2536
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2924
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1528
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2652
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2020
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2852
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:796
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1584
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2492

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:2740

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
PID:1352

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:328

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h C:\Users\Admin\AppData\Local\Temp\5a265cbedcc861fa59c051532563b610.exe
1⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\drivers\a.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2924
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1648
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2676
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2856
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2996
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2356
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1420
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1624
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2460
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2344
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1672
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2752
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2380
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1868
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2456
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2332
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2084
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1208
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2568
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  - Views/modifies file attributes
  PID:1816
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:1868
- C:\Windows\SysWOW64\attrib.exe
  attrib -a -r -s -h C:\Windows\SysWOW64\drivers\DefragFs.exe
  2⤵
  PID:2936

C:\Windows\SysWOW64\drivers\DefragFs.exe
C:\Windows\system32\drivers\DefragFs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
336B

MD5
11693c80ef93e5d9112caee1bb9ac341

SHA1
740814508857a379b4815e6a49cc2d99ae123e9d

SHA256
278cf2bd69f3b6556af42fc2b83b7dfde7a4f2a491eaf65f0a0bb9bba6953ae1

SHA512
5086bd13594c0496c9de53dcf7e70ab5dc67d954888104f0e067396a31aa31a8ec2d67640ff7f4a50c1eef279da61c50a58223572498cfc3199e3a946e248dec

Download Submit
C:\Windows\SysWOW64\drivers\DefragFs.exe

Filesize
16KB

MD5
8e540d821fc0a919291046b02ed8d049

SHA1
029b7cf3e311d34ba153a2be90d822041bac2956

SHA256
fe96c5a01a712cef7201fa5c7c4de8bd64f8a34ab23ef52706adc5fcf755a090

SHA512
f95385d9dd4bee257a975009556940fbc610d90c092943c34071b1cdd3907d37708d8969e78441161d592cf8eef61417e0dd995e8f15f63b55bc23467c10410f

Download Submit
C:\Windows\SysWOW64\drivers\DefragFs.exe

Filesize
29KB

MD5
9f95f4063a65500e578506add20d3cc8

SHA1
44e4b71b9e45b84c5478a6951620c5213cfca61d

SHA256
09ff8fab0ba9e7a3d75265b50ba3b766f5f9a6f7631d86858104c898cee8042f

SHA512
62a14515d044725b73e305972c1b0c33de768f68f6838a68a502462389323ec57ee69aa8bcf03849fd08384265a7d2c38c5a634b3d1a78facafd0a4f81e70569

Download Submit
C:\Windows\SysWOW64\drivers\a.bat

Filesize
240B

MD5
25d31fbe076d54a5aeabe7d5cb2e6fdf

SHA1
0997ff1fa16d10f398c7caaf039a329c27d8b26c

SHA256
dd21dea45ad75573a363d2013f8b52b407f84f5d822411eccd3b2e1f5dbc1675

SHA512
14554bc59870c3322c8fce2d8a4e32942d5c0529a9e13f0c8b01d32a9989d028c845fe06f9bdb7fde6cda9c707afd0fac2aafdea3485b8afcc24d5b9ef94304c

Download Submit
\Windows\SysWOW64\drivers\DefragFs.exe

Filesize
40KB

MD5
5a265cbedcc861fa59c051532563b610

SHA1
92acef504ce306474e180fb8c2ec777a8d5d174f

SHA256
5207c0125327c9c4b4508ec553f0514bfb3f21b77264b80b1a1b81135a2bfe7f

SHA512
1cc06f3fb31bbd90003e69427877b313278fd2e8711471c3eaee84195bc5cbeef0c407747191394297ca6a788b36d9934d25c944a9e7298c8696f4701cba5a86

Download Submit
\Windows\SysWOW64\drivers\DefragFs.exe

Filesize
39KB

MD5
085f2e031c4a185e00305e48f5acd51e

SHA1
ef01417d8b1899c547db1ef802677f8d4f60f1e9

SHA256
62bb2e6884f046ecb78cc5f071ea0aa519213ab31932d4a394dcd6dddde04fa6

SHA512
d51971ec1522a30bcb75c0d57fc5c8058552ea1f828f0aa37c19bcf4bef8e36237fec362b2f0f834c3499b8df350a983160897dde15ae973dcaa0d3affc3fd33

Download Submit
\Windows\SysWOW64\drivers\DefragFs.exe

Filesize
31KB

MD5
4499ef574ee7b5f6f8224aa9ecdbe54f

SHA1
ee9b3de40f217916b9daa00dcbea0879ba36c633

SHA256
3e65978865a96cb3d9c057a1137e88f6f1bdc9e30bd1b86edce71454918467ba

SHA512
cbda9653924a131e46408574b25640a591d3f595273e39acd402e1dc78feae0f109485dec14204e8b028b16069092cf5f54d86d97af0b69133745f03f2b78acf

Download Submit
memory/328-75-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/332-89-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/332-99-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/612-281-0x00000000023C0000-0x00000000023E3000-memory.dmp

Filesize
140KB

Download
memory/856-306-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1408-266-0x00000000007F0000-0x0000000000813000-memory.dmp

Filesize
140KB

Download
memory/1408-267-0x00000000007F0000-0x0000000000813000-memory.dmp

Filesize
140KB

Download
memory/1608-222-0x00000000004C0000-0x00000000004E3000-memory.dmp

Filesize
140KB

Download
memory/1608-221-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1608-233-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-288-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1868-223-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1868-212-0x0000000001D00000-0x0000000001D23000-memory.dmp

Filesize
140KB

Download
memory/1884-147-0x0000000000860000-0x0000000000883000-memory.dmp

Filesize
140KB

Download
memory/1884-161-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1936-300-0x0000000001BB0000-0x0000000001BD3000-memory.dmp

Filesize
140KB

Download
memory/1936-97-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/1936-106-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1936-98-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/1988-12-0x0000000002520000-0x0000000002543000-memory.dmp

Filesize
140KB

Download
memory/1988-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1988-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1988-16-0x0000000002520000-0x0000000002543000-memory.dmp

Filesize
140KB

Download
memory/2040-254-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2040-243-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2056-296-0x0000000000480000-0x00000000004A3000-memory.dmp

Filesize
140KB

Download
memory/2096-14-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-24-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/2096-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-208-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-192-0x0000000002340000-0x0000000002363000-memory.dmp

Filesize
140KB

Download
memory/2284-120-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2352-177-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2352-164-0x00000000006B0000-0x00000000006D3000-memory.dmp

Filesize
140KB

Download
memory/2352-163-0x00000000006B0000-0x00000000006D3000-memory.dmp

Filesize
140KB

Download
memory/2512-280-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2512-277-0x0000000000490000-0x00000000004B3000-memory.dmp

Filesize
140KB

Download
memory/2616-287-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2636-62-0x00000000002E0000-0x0000000000303000-memory.dmp

Filesize
140KB

Download
memory/2860-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-54-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/2860-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2868-305-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2868-316-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2936-25-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2936-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2936-308-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2996-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2996-73-0x0000000000360000-0x0000000000383000-memory.dmp

Filesize
140KB

Download
memory/2996-72-0x0000000000360000-0x0000000000383000-memory.dmp

Filesize
140KB

Download
memory/3008-180-0x00000000006F0000-0x0000000000713000-memory.dmp

Filesize
140KB

Download