Analysis
- max time kernel: 141s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 11:26

Static task: static1

Behavioral task: behavioral1
- Sample: 735e27f460be6edce9f0cd5c0d0972b0.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 735e27f460be6edce9f0cd5c0d0972b0.exe
- Resource: win10v20201028

General
- Target: 735e27f460be6edce9f0cd5c0d0972b0.exe
- Size: 173KB
- MD5: 2df254dce86ca636e77f4ad422d21da4
- SHA1: 4efa723962bc64e753742f5fdeec4dc1c2985a51
- SHA256: a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e
- SHA512: 9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.cab/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.nu/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.link/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.tor2web.org/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415);
http://cerberhhyed5frqa.onion/83B4-FED4-14BB-0000-0415
Extracted
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.cab/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.nu/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.link/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.tor2web.org/83B4-FED4-14BB-0000-0415
http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415);
http://cerberhhyed5frqa.onion/83B4-FED4-14BB-0000-0415
Signatures

Ursnif RM3
A heavily modified version of Ursnif discovered in the wild.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 735e27f460be6edce9f0cd5c0d0972b0.exe, ntoskrnl.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | 735e27f460be6edce9f0cd5c0d0972b0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | ntoskrnl.exe

Executes dropped EXE (3 IoCs)
Processes: ntoskrnl.exe, ntoskrnl.exe, ntoskrnl.exe
pid | process
1232 | ntoskrnl.exe
1336 | ntoskrnl.exe
1624 | ntoskrnl.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
1100 | cmd.exe

Drops startup file (2 IoCs)
Processes: 735e27f460be6edce9f0cd5c0d0972b0.exe, ntoskrnl.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ntoskrnl.lnk | 735e27f460be6edce9f0cd5c0d0972b0.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ntoskrnl.lnk | ntoskrnl.exe

Loads dropped DLL (2 IoCs)
Processes: 735e27f460be6edce9f0cd5c0d0972b0.exe, ntoskrnl.exe
pid | process
292 | 735e27f460be6edce9f0cd5c0d0972b0.exe
1232 | ntoskrnl.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: 735e27f460be6edce9f0cd5c0d0972b0.exe, ntoskrnl.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 735e27f460be6edce9f0cd5c0d0972b0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ntoskrnl = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | 735e27f460be6edce9f0cd5c0d0972b0.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | ntoskrnl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntoskrnl = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | ntoskrnl.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | ntoskrnl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ntoskrnl = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | ntoskrnl.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | 735e27f460be6edce9f0cd5c0d0972b0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntoskrnl = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | 735e27f460be6edce9f0cd5c0d0972b0.exe

Checks whether UAC is enabled
Processes: ntoskrnl.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntoskrnl.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | ipinfo.io

Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
880 | vssadmin.exe

Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
pid | process
1624 | taskkill.exe
2328 | taskkill.exe

Modifies Control Panel (4 IoCs)
Processes: ntoskrnl.exe, 735e27f460be6edce9f0cd5c0d0972b0.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop | ntoskrnl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | ntoskrnl.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop | 735e27f460be6edce9f0cd5c0d0972b0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\ntoskrnl.exe\"" | 735e27f460be6edce9f0cd5c0d0972b0.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer, abbreviated here as IE\.
description | ioc | process
Key created | IE\Recovery\AdminActive | iexplore.exe
Key created | IE\PageSetup | iexplore.exe
Key created | IE\GPU | iexplore.exe
Key created | IE\Main | IEXPLORE.EXE
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | IE\TabbedBrowsing\NewTabPage\LastProcessed = e0aefa57d9bcd601 | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000fc46876d6a659df303ba7baf7a3648d8a283b9d93dd8d66b3471d95f819ea781000000000e80000000020000200000007b1a802acb9e1c389839267cdedd22719a2c0d1cec03d96421b3dad604841c4a90000000b7d521860cd35970edddc31c0606cf76ab2746265fb5166b5fd2e691b35865c8eabb47d051e9ecb22f003b28fa24dc67db5bac598a3388492edda9713c301990ea7f1f2108f87a074e3dcadef48306eae4fb7b0ae25eb3e4c289e648357de9a546fc49a6ef37ef282833993fd07d834d16eedf4d4d6bc9e2fe2654c7e1be5a218aa5cccf687b76f7e692944cbc5f169a4000000001335acc18a542fa3ec75005228aa92718c2fa22961cf7e1555dc462c11d6747c5943f4d12e176141570211cc7d32e1a5e8c5128e97aa9f3dd447f73c80f6e31 | iexplore.exe
Key created | IE\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | IE\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | IE\Zoom | iexplore.exe
Key created | IE\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | IE\DomainSuggestion\NextUpdateDate = "312379442" | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | IE\DomainSuggestion | iexplore.exe
Set value (str) | IE\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | IE\LowRegistry\DOMStorage | iexplore.exe
Key created | IE\Main\WindowsSearch | iexplore.exe
Key created | IE\IETld\LowMic | iexplore.exe
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | IE\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | IE\Toolbar\WebBrowser | iexplore.exe
Key created | IE\Zoom | iexplore.exe
Set value (int) | IE\Recovery\AdminActive\{935F61C1-28CC-11EB-B2E7-DA78EDA9FF87} = "0" | iexplore.exe
Set value (str) | IE\Main\FullScreen = "no" | iexplore.exe
Key created | IE\IETld\LowMic | iexplore.exe
Key created | IE\Main | iexplore.exe
Key created | IE\InternetRegistry | iexplore.exe
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | IE\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | IE\InternetRegistry | iexplore.exe
Key created | IE\LowRegistry | iexplore.exe
Key created | IE\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | IE\IntelliForms | iexplore.exe
Key created | IE\BrowserEmulation\LowMic | iexplore.exe
Set value (str) | IE\Main\FullScreen = "no" | iexplore.exe
Key created | IE\Recovery\PendingRecovery | iexplore.exe
Key created | IE\Main\WindowsSearch | iexplore.exe
Key created | IE\GPU | iexplore.exe
Set value (int) | IE\Recovery\AdminActive\{931CBB41-28CC-11EB-B2E7-DA78EDA9FF87} = "0" | iexplore.exe
Key created | IE\IntelliForms | iexplore.exe
Key created | IE\PageSetup | iexplore.exe
Key created | IE\Main | IEXPLORE.EXE
Key created | IE\Recovery\PendingRecovery | iexplore.exe
Key created | IE\Toolbar | iexplore.exe
Key created | IE\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | IE\LowRegistry | iexplore.exe
Key created | IE\Toolbar | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | IE\TabbedBrowsing | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000088b10d4a5f754a268d6ce9ce5446888418bcc9b7999392769c8ad5e2084e794c000000000e800000000200002000000000a65b1eca52c04537841579abecd4f595bd7959f88f66df1a58296b37bf336320000000c3d06f5dc953cf0a151ff487dd197e0b60bd2e40bb894a262966cf9da6bb611740000000ff8380a497ea2d001460d5dda91679f2e3f74ca57bf72cddeeebb5b8d12f974b4db30267cbfc139486c3513056dfd997434ca4739cee82d4c46f41a04c313262 | iexplore.exe
Key created | IE\Main | iexplore.exe
Key created | IE\BrowserEmulation\LowMic | iexplore.exe
Key created | IE\Recovery\AdminActive | iexplore.exe
Key created | IE\DomainSuggestion\FileNames\ | iexplore.exe
Key created | IE\Toolbar\WebBrowser | iexplore.exe
Set value (int) | IE\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | IE\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | IE\Main\CompatibilityFlags = "0" | iexplore.exe
Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: ntoskrnl.exe
pid | process
1232 | ntoskrnl.exe (this entry is recorded 48 times)

Suspicious use of AdjustPrivilegeToken (53 IoCs)
Processes: 735e27f460be6edce9f0cd5c0d0972b0.exe, ntoskrnl.exe, taskkill.exe, vssvc.exe, wmic.exe, ntoskrnl.exe, ntoskrnl.exe, AUDIODG.EXE, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 292 | 735e27f460be6edce9f0cd5c0d0972b0.exe
Token: SeDebugPrivilege | 1232 | ntoskrnl.exe
Token: SeDebugPrivilege | 1624 | taskkill.exe
Token: SeBackupPrivilege | 1008 | vssvc.exe
Token: SeRestorePrivilege | 1008 | vssvc.exe
Token: SeAuditPrivilege | 1008 | vssvc.exe
The following sequence of 20 entries for pid 1200 (wmic.exe) is recorded twice in a row:
Token: SeIncreaseQuotaPrivilege | 1200 | wmic.exe
Token: SeSecurityPrivilege | 1200 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1200 | wmic.exe
Token: SeLoadDriverPrivilege | 1200 | wmic.exe
Token: SeSystemProfilePrivilege | 1200 | wmic.exe
Token: SeSystemtimePrivilege | 1200 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1200 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1200 | wmic.exe
Token: SeCreatePagefilePrivilege | 1200 | wmic.exe
Token: SeBackupPrivilege | 1200 | wmic.exe
Token: SeRestorePrivilege | 1200 | wmic.exe
Token: SeShutdownPrivilege | 1200 | wmic.exe
Token: SeDebugPrivilege | 1200 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1200 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1200 | wmic.exe
Token: SeUndockPrivilege | 1200 | wmic.exe
Token: SeManageVolumePrivilege | 1200 | wmic.exe
Token: 33 | 1200 | wmic.exe
Token: 34 | 1200 | wmic.exe
Token: 35 | 1200 | wmic.exe
Token: SeDebugPrivilege | 1336 | ntoskrnl.exe
Token: SeDebugPrivilege | 1624 | ntoskrnl.exe
Token: 33 | 948 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 948 | AUDIODG.EXE
Token: 33 | 948 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 948 | AUDIODG.EXE
Token: SeDebugPrivilege | 2328 | taskkill.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: iexplore.exe, iexplore.exe
pid | process
1144 | iexplore.exe
1336 | iexplore.exe
1144 | iexplore.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
1144 | iexplore.exe
1144 | iexplore.exe
1336 | iexplore.exe
1336 | iexplore.exe
1144 | iexplore.exe
1144 | iexplore.exe
592 | IEXPLORE.EXE
592 | IEXPLORE.EXE
592 | IEXPLORE.EXE
592 | IEXPLORE.EXE
944 | IEXPLORE.EXE
944 | IEXPLORE.EXE
592 | IEXPLORE.EXE
592 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 735e27f460be6edce9f0cd5c0d0972b0.exe, ntoskrnl.exe, cmd.exe, taskeng.exe, iexplore.exe, iexplore.exe, cmd.exe
Each of the 16 parent/target pairs below is recorded 4 times in a row.
description | pid | process | target process
PID 292 wrote to memory of 1232 | 292 | 735e27f460be6edce9f0cd5c0d0972b0.exe | ntoskrnl.exe
PID 292 wrote to memory of 1100 | 292 | 735e27f460be6edce9f0cd5c0d0972b0.exe | cmd.exe
PID 1232 wrote to memory of 880 | 1232 | ntoskrnl.exe | vssadmin.exe
PID 1100 wrote to memory of 1624 | 1100 | cmd.exe | taskkill.exe
PID 1232 wrote to memory of 1200 | 1232 | ntoskrnl.exe | wmic.exe
PID 1100 wrote to memory of 1416 | 1100 | cmd.exe | PING.EXE
PID 1352 wrote to memory of 1336 | 1352 | taskeng.exe | ntoskrnl.exe
PID 1352 wrote to memory of 1624 | 1352 | taskeng.exe | ntoskrnl.exe
PID 1232 wrote to memory of 1144 | 1232 | ntoskrnl.exe | iexplore.exe
PID 1232 wrote to memory of 1560 | 1232 | ntoskrnl.exe | NOTEPAD.EXE
PID 1144 wrote to memory of 592 | 1144 | iexplore.exe | IEXPLORE.EXE
PID 1336 wrote to memory of 944 | 1336 | iexplore.exe | IEXPLORE.EXE
PID 1232 wrote to memory of 1904 | 1232 | ntoskrnl.exe | WScript.exe
PID 1232 wrote to memory of 2292 | 1232 | ntoskrnl.exe | cmd.exe
PID 2292 wrote to memory of 2328 | 2292 | cmd.exe | taskkill.exe
PID 2292 wrote to memory of 2372 | 2292 | cmd.exe | PING.EXE
Processes
The number in brackets is the depth in the process tree; "Command line" is the command line the sandbox recorded for that process.

[1] C:\Users\Admin\AppData\Local\Temp\735e27f460be6edce9f0cd5c0d0972b0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\735e27f460be6edce9f0cd5c0d0972b0.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe"
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\vssadmin.exe
        Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\wbem\wmic.exe
        Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /d /c taskkill /t /f /im "ntoskrnl.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe" > NUL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /t /f /im "ntoskrnl.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 1 127.0.0.1
          - Runs ping.exe
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /t /f /im "735e27f460be6edce9f0cd5c0d0972b0.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\735e27f460be6edce9f0cd5c0d0972b0.exe" > NUL
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /t /f /im "735e27f460be6edce9f0cd5c0d0972b0.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {760246CC-2274-42A1-8FCC-3809EBBB384B} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
      Command line: C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
      Command line: C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\DllHost.exe
    Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x57c
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{931CBB41-28CC-11EB-B2E7-DA78EDA9FF87}.dat
MD5: 07dc4c3050321b9fad2ce95b0e58f34e
SHA1: a2b3034d04eb43e2a4b739b81a18e55dd3dd2825
SHA256: 0079aeaedb11cb1ee1ca459fae085a2437bfc93721b482c7f19e8eff1b62af69
SHA512: 7f193e6dbabb5fec0d4568f1cd69b8d0dca321f26b7d83eb186e4b0002679a5469b5da33fd96e0cdf24e7445adc550ca76265b69ab12e9eb66afb6c10fe6ef39
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{935F61C1-28CC-11EB-B2E7-DA78EDA9FF87}.dat
MD5: 36c415e9b18e22ff449d335eaff29174
SHA1: e95bab7ef785f73309b80d53a0d9a03888239125
SHA256: c0730abc3cba3afe1110feb26600c5e6af2ac73e5f93ff47addd88cd075329b1
SHA512: 141bfae704ea5d8c439134979f1eb07121d43115e0c944233d6c3193bd99283ff97b7e349038a73d6c0bf5f2b9389fcb9dc492026291b0a3bbb4498ca72ee6b0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9P63FQLK.txt
MD5: 79cfc051ab86c4d1e6dfa506664998ed
SHA1: 30b2f9746d73f1ccfe4f2162828a8d64396f39a9
SHA256: c349d6e390b140a1defd2cdcb0ebe657b4f98882a4de5c45dfc5387192849351
SHA512: df4c464e9460b6e31f617405e5e8343673ff2aca555fc470140f018f09872d170356bad33798c2a3dd79384a08f757d17f21b64f6c5d199f5e870bfb6b887dbc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ntoskrnl.lnk
(Startup-folder shortcut: a second persistence path besides the Policies\Explorer\Run value.)
MD5: eabd3457531a23a471f8ba43801c0de8
SHA1: 6cdad3f77c9f6f32f96f137d8d890a7e95138096
SHA256: f040234547286966a25e3f2ffd42e5f9f66e5daaa4462fb58a21ccc98f88c7ca
SHA512: f4749e9fcdb8e571f6f8ebe4444c8f613e9af84812bfa77ccbebf5cedeafc00b613a94011212171c56443695cf4d02f4b6e0ac7d485f7b583bd9ed769cc88774
-
C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
(Listed four times in the report. All four hashes are identical to the submitted sample: the sample copies itself into a GUID-named directory under %APPDATA% and gives the copy the name of the Windows kernel image, which legitimately lives only in System32.)
MD5: 2df254dce86ca636e77f4ad422d21da4
SHA1: 4efa723962bc64e753742f5fdeec4dc1c2985a51
SHA256: a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e
SHA512: 9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
(Ransom note; the same note is also dropped as .txt, .url and .vbs below.)
MD5: bb7e4fe4b4d83cd3b314871b2dc44034
SHA1: 429f37dc498dd31afe73dbb3c862bb7d45934f5c
SHA256: c59a0c7c71e1192b2563fe4f14a517c2514e12a6cbe4b4920c47ffb6b57c9750
SHA512: 4f4fe4c6c23f69177de192a45607da3c9a3cd34ea7dcbdc2de389cd4776066c698379b10390757686f8a3e630981d562f738f7aba30db41c01a2d20cd89f0570
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
MD5: 013cd64789c31ccf486c6e35b2b01cdc
SHA1: ad816730637ebdefa35405c404c5469672529427
SHA256: 234d8899dc13ca14cf534146197513ad8b777b3f956507483b7ca5e0ca3c3dc9
SHA512: bba1b9a79c7af6fd7d8416f9e1f1822df0ce06def53d7e9d7a2a85b5597fb2f24502efc008b70d5f04de55db837fdfc8460b5c0b07b4d49568706a58921a88ac
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
MD5: a70761d9300adc2a8c0b740421a85619
SHA1: 7ffee74be402380fc864f8c76103a0660e7b8d1d
SHA256: c44c86d4f500dc18f40c3f275dec339d9f80a2f545af2a6340a3ebff55d0654e
SHA512: c9972d4b6c375f9ae0f151639ffa77ce7286ef602d6578e79cb787c93a5cc39ac3725c670d4a5ab8f1a60271013fa84125d2ee3e842c511458fa3e5ac085d006
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
MD5: e885e348f83d97db3deb82ed43a64eeb
SHA1: 931f6266326fb778117d52d9e74eb9b8545bb2f2
SHA256: bf4b1b2372317eb80d719b452100e9538ea7d44f5e168a7e59d0aecfebf5b660
SHA512: 4fee5c7cf95a5930062eea507911d172644c73c592291a520230eca5bb27009923cf03f0b6bdc1912eee841dcc561f82b4071265e75787801a07547650d1be44
-
\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
(Listed twice in the report; same file as the C:\ entry above, recorded without a drive letter.)
MD5: 2df254dce86ca636e77f4ad422d21da4
SHA1: 4efa723962bc64e753742f5fdeec4dc1c2985a51
SHA256: a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e
SHA512: 9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd
memory/284-11-0x000007FEF7850000-0x000007FEF7ACA000-memory.dmp (2.5MB)
-
memory/592-20-0x0000000000000000-mapping.dmp
-
memory/880-6-0x0000000000000000-mapping.dmp
-
memory/944-21-0x0000000000000000-mapping.dmp
-
memory/1100-4-0x0000000000000000-mapping.dmp
-
memory/1144-16-0x0000000000000000-mapping.dmp
-
memory/1200-8-0x0000000000000000-mapping.dmp
-
memory/1232-1-0x0000000000000000-mapping.dmp
-
memory/1232-17-0x0000000003D60000-0x0000000003D70000-memory.dmp (64KB)
-
memory/1232-37-0x0000000003790000-0x00000000037A2000-memory.dmp (72KB)
-
memory/1336-12-0x0000000000000000-mapping.dmp
-
memory/1416-9-0x0000000000000000-mapping.dmp
-
memory/1560-18-0x0000000000000000-mapping.dmp
-
memory/1624-14-0x0000000000000000-mapping.dmp
-
memory/1624-7-0x0000000000000000-mapping.dmp
-
memory/1904-27-0x0000000000000000-mapping.dmp
-
memory/2292-38-0x0000000000000000-mapping.dmp
-
memory/2328-39-0x0000000000000000-mapping.dmp
-
memory/2372-40-0x0000000000000000-mapping.dmp
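The dropped-file and memory-dump listings above arrive as flattened text (path fused with the hash label, hash label fused with its value, size on the following line). The script below is an added example, not part of the sandbox report or of any sandbox vendor's tooling: it parses both listings in exactly that flattened form into IOC records, collapses the repeated `ntoskrnl.exe` entries into one record with a write count, flags every dropped file whose SHA-256 equals the submitted sample's (the self-copy that the Run key and Startup shortcut point at), flags ransom notes by filename, and recomputes the memory-dump sizes from their address ranges so the declared `Filesize` can be checked. The sample text embedded in it is excerpted verbatim from this report; the function and constant names are the example's own.

```python
"""Parse a flattened sandbox-report 'Downloads' and memory-dump listing into
IOC records and run the checks a responder wants on them.  Added example;
the embedded text is excerpted from the report on this page."""
import re
from collections import Counter

# SHA-256 of the submitted sample (from the report's General section).
SAMPLE_SHA256 = "a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e"

# Four entries excerpted from the report, in its flattened form.
DOWNLOADS_TEXT = r"""-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ntoskrnl.lnkMD5
eabd3457531a23a471f8ba43801c0de8
SHA16cdad3f77c9f6f32f96f137d8d890a7e95138096
SHA256f040234547286966a25e3f2ffd42e5f9f66e5daaa4462fb58a21ccc98f88c7ca
SHA512f4749e9fcdb8e571f6f8ebe4444c8f613e9af84812bfa77ccbebf5cedeafc00b613a94011212171c56443695cf4d02f4b6e0ac7d485f7b583bd9ed769cc88774
-
C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exeMD5
2df254dce86ca636e77f4ad422d21da4
SHA14efa723962bc64e753742f5fdeec4dc1c2985a51
SHA256a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e
SHA5129cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd
-
C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exeMD5
2df254dce86ca636e77f4ad422d21da4
SHA14efa723962bc64e753742f5fdeec4dc1c2985a51
SHA256a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e
SHA5129cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txtMD5
013cd64789c31ccf486c6e35b2b01cdc
SHA1ad816730637ebdefa35405c404c5469672529427
SHA256234d8899dc13ca14cf534146197513ad8b777b3f956507483b7ca5e0ca3c3dc9
SHA512bba1b9a79c7af6fd7d8416f9e1f1822df0ce06def53d7e9d7a2a85b5597fb2f24502efc008b70d5f04de55db837fdfc8460b5c0b07b4d49568706a58921a88ac
"""

MEMORY_TEXT = r"""memory/284-11-0x000007FEF7850000-0x000007FEF7ACA000-memory.dmpFilesize
2.5MB
-
memory/592-20-0x0000000000000000-mapping.dmp
-
memory/1232-17-0x0000000003D60000-0x0000000003D70000-memory.dmpFilesize
64KB
"""

# Longest label first, so 'SHA256...' is never read as SHA1 + '256...'.
HASH_RE = re.compile(r"^SHA(512|256|1)([0-9a-fA-F]+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?"
                    r"-(memory|mapping)\.dmp(?:Filesize)?$")
RANSOM_NOTE_RE = re.compile(r"DECRYPT MY FILES", re.IGNORECASE)


def parse_dropped_files(text):
    """One dict per entry: path, md5, sha1, sha256, sha512 (lower-case hex).
    Hash lengths are enforced so a mis-split line cannot yield a bogus IOC."""
    records, lines, i = [], [l.rstrip() for l in text.splitlines()], 0
    while i < len(lines):
        if not lines[i].endswith("MD5") or i + 1 >= len(lines):
            i += 1
            continue
        rec = {"path": lines[i][:-3], "md5": lines[i + 1].strip().lower()}
        i += 2
        while i < len(lines) and (m := HASH_RE.match(lines[i])):
            rec["sha" + m.group(1)] = m.group(2).lower()
            i += 1
        for algo, n in HASH_LEN.items():
            val = rec.get(algo, "")
            if len(val) != n or not re.fullmatch(r"[0-9a-f]+", val):
                raise ValueError(f"malformed {algo} for {rec['path']}")
        records.append(rec)
    return records


def dedupe(records):
    """Collapse identical (path, sha256) entries, recording how often each
    file was written; the report lists one write per line."""
    counts = Counter((r["path"], r["sha256"]) for r in records)
    seen, out = set(), []
    for r in records:
        key = (r["path"], r["sha256"])
        if key not in seen:
            seen.add(key)
            out.append(dict(r, count=counts[key]))
    return out


def self_copies(records, sample_sha256=SAMPLE_SHA256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [r["path"] for r in records if r["sha256"] == sample_sha256.lower()]


def ransom_notes(records):
    """Dropped files whose basename carries the ransom-note marker."""
    return [r["path"] for r in records
            if RANSOM_NOTE_RE.search(r["path"].rsplit("\\", 1)[-1])]


def parse_memory_dumps(text):
    """One dict per dump with the size recomputed from its address range;
    mapping dumps carry no range, so their size is None."""
    out = []
    for line in text.splitlines():
        m = MEM_RE.match(line.strip())
        if not m:
            continue
        pid, idx, start, end, kind = m.groups()
        start, end = int(start, 16), (int(end, 16) if end else None)
        out.append({"pid": int(pid), "index": int(idx), "kind": kind, "start": start,
                    "end": end, "size": (end - start) if end is not None else None})
    return out


if __name__ == "__main__":
    recs = dedupe(parse_dropped_files(DOWNLOADS_TEXT))
    for r in recs:
        print(f"{r['count']}x {r['path']}  sha256={r['sha256'][:16]}...")
    print("self-copies:", self_copies(recs))
    print("ransom notes:", ransom_notes(recs))
    for d in parse_memory_dumps(MEMORY_TEXT):
        print(f"pid {d['pid']} #{d['index']} {d['kind']} size={d['size']}")
```

The length check is what makes the fused-label parsing safe: a SHA-1 value that happened to begin with `256` would be consumed as a SHA-256 label, but its 37-character remainder then fails the 64-character test and the entry is rejected rather than recorded wrong. The recomputed sizes (2596864 bytes for the 2.5MB dump, 65536 for the 64KB one) agree with the report's rounded `Filesize` values.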