Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2022 19:07
Static task: static1
Behavioral task: behavioral1
Sample: 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
Resource: win10v2004-20221111-en
General
Target: 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
Size: 288KB
MD5: b705d582ca060dbcccf95be499ef5031
SHA1: e9cafdc06c601121646391c3c5e63972a31e5d66
SHA256: 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1
SHA512: da4f175444e57e61f007a79605d52a55372efa100868ff307d78700c6d61c40671f051cbee5da7ab6ed6c0539bae7975a005f98271f59984a38296c4c677e4c1
SSDEEP: 3072:qzglKfRLW+LM7gWLdRboBH3FOFXzEuzuYVsSkLU8y5/LU8y5cpa2B6xuqqb53y1Y:+Z6+LZWLQAZz9u0/ko5oqGx3E5
Malware Config
Extracted: amadey
3.63
62.204.41.67/g8sjnd3xe/index.php
Extracted: djvu
http://ex3mall.com/lancer/get.php
extension: .znto
offline_id: bE95c2N1x4fARf4W3qmFCjkKPwfFkQaU9NpNBMt1
payload_url: http://uaery.top/dl/build2.exe
payload_url: http://ex3mall.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-OKSOfVy04R Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0625Sduef
Extracted: vidar
1.7
19
https://t.me/robloxblackl
https://steamcommunity.com/profiles/76561199458928097
profile_id: 19
Signatures
Detect Amadey credential stealer module 3 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll | amadey_cred_module
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll | amadey_cred_module
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll | amadey_cred_module
Detected Djvu ransomware 10 IoCs
resource | yara_rule
behavioral1/memory/3048-161-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/3048-163-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/308-167-0x0000000002180000-0x000000000229B000-memory.dmp | family_djvu
behavioral1/memory/3048-166-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/3048-168-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/3048-223-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1900-240-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1900-242-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1900-247-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1900-271-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Detects LgoogLoader payload 2 IoCs
resource | yara_rule
behavioral1/memory/4004-224-0x0000000001560000-0x000000000156D000-memory.dmp | family_lgoogloader
behavioral1/memory/3500-234-0x0000000000DC0000-0x0000000000DCD000-memory.dmp | family_lgoogloader
Detects Smokeloader packer 2 IoCs
resource | yara_rule
behavioral1/memory/4756-133-0x0000000000470000-0x0000000000479000-memory.dmp | family_smokeloader
behavioral1/memory/3260-184-0x00000000005B0000-0x00000000005B9000-memory.dmp | family_smokeloader
Djvu Ransomware
Ransomware which is a variant of the STOP family.
LgoogLoader
A downloader capable of dropping and executing other malware families.
SmokeLoader
Modular backdoor trojan in use since 2014.
Blocklisted process makes network request 1 IoCs
flow | pid | process
84 | 1904 | rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 23 IoCs
pid | process
308 | B01B.exe
2412 | B28D.exe
3760 | B3C6.exe
3348 | nbveek.exe
3812 | nbveek.exe
3260 | B648.exe
4776 | B781.exe
1312 | linda5.exe
3048 | B01B.exe
3424 | C30B.exe
4404 | C7A0.exe
1084 | D26F.exe
4924 | DF60.exe
4960 | B01B.exe
1900 | B01B.exe
3352 | build2.exe
4080 | build2.exe
4776 | nbveek.exe
4676 | 5B29.exe
4596 | Sppyteaet.exe
4900 | nbveek.exe
2912 | rwahvgu
1704 | tfahvgu
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\D26F.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\D26F.exe | vmprotect
behavioral1/memory/1084-195-0x0000000140000000-0x000000014061A000-memory.dmp | vmprotect
C:\Users\Admin\AppData\Local\Temp\DF60.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\DF60.exe | vmprotect
behavioral1/memory/4924-209-0x0000000140000000-0x000000014061A000-memory.dmp | vmprotect
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | linda5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | B01B.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | B01B.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | build2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 5B29.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | B3C6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | B28D.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | nbveek.exe
Loads dropped DLL 7 IoCs
pid | process
4160 | rundll32.exe
4160 | rundll32.exe
3760 | rundll32.exe
4080 | build2.exe
4080 | build2.exe
1904 | rundll32.exe
1904 | rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023051\\linda5.exe" | nbveek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9701f7b-6bb9-440d-9101-f2d164de1b81\\B01B.exe\" --AutoStart" | B01B.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | api.2ip.ua
26 | api.2ip.ua
49 | api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | process
2572 | (no process name recorded)
3036 | chrome.exe
Suspicious use of SetThreadContext 6 IoCs
description | pid | process | target process
PID 308 set thread context of 3048 | 308 | B01B.exe | B01B.exe
PID 3424 set thread context of 4004 | 3424 | C30B.exe | ngentask.exe
PID 4404 set thread context of 3500 | 4404 | C7A0.exe | ngentask.exe
PID 4960 set thread context of 1900 | 4960 | B01B.exe | B01B.exe
PID 3352 set thread context of 4080 | 3352 | build2.exe | build2.exe
PID 4676 set thread context of 4300 | 4676 | 5B29.exe | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 8 IoCs
pid | pid_target | process | target process
4228 | 4776 | WerFault.exe | B781.exe
2560 | 3424 | WerFault.exe | C30B.exe
5092 | 4404 | WerFault.exe | C7A0.exe
2400 | 3424 | WerFault.exe | C30B.exe
1600 | 4404 | WerFault.exe | C7A0.exe
4604 | 3036 | WerFault.exe | chrome.exe
640 | 4676 | WerFault.exe | 5B29.exe
2940 | 1704 | WerFault.exe | tfahvgu
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | B648.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rwahvgu
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rwahvgu
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | rwahvgu
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | B648.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | B648.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
Checks processor information in registry 2 TTPs 42 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | 5B29.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | 5B29.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | 5B29.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | 5B29.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | 5B29.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | 5B29.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | 5B29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | 5B29.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe 1 IoCs
pid | process
4892 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Processes:
description ioc process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -
Modifies registry class 19 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 |
Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" |
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff |
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 |
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 |
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell |
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots |
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff |
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 |
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 |
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff |
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 |
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff |
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags |
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | process
2572 | (no process name recorded)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
4756 | 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
4756 | 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
2572 | (no process name recorded; this row is repeated 62 times in the report)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2572 | (no process name recorded)
Suspicious behavior: MapViewOfSection 3 IoCs
pid | process
4756 | 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe
3260 | B648.exe
2912 | rwahvgu
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | process
(rows in report order; pid 2572 has no process name recorded)
Token: SeShutdownPrivilege | 2572 | followed by Token: SeCreatePagefilePrivilege | 2572, this pair repeated 21 times
Token: SeDebugPrivilege | 4596 | Sppyteaet.exe
Token: SeShutdownPrivilege | 2572 |
Token: SeCreatePagefilePrivilege | 2572 |
Token: SeDebugPrivilege | 2572 |
Token: SeShutdownPrivilege | 2572 |
Token: SeCreatePagefilePrivilege | 2572 |
Token: SeDebugPrivilege | 4300 | rundll32.exe
Token: SeShutdownPrivilege | 2572 | followed by Token: SeCreatePagefilePrivilege | 2572, this pair repeated 7 times
Token: SeShutdownPrivilege | 2572 |
Suspicious use of FindShellTrayWindow 3 IoCs
pid | process
4596 | Sppyteaet.exe
4300 | rundll32.exe
3036 | chrome.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid | process
4596 | Sppyteaet.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | process
3036 | chrome.exe
2572 | (no process name recorded)
2572 | (no process name recorded)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | target process
PID 2572 wrote to memory of 308 | 2572 | | B01B.exe
PID 2572 wrote to memory of 308 | 2572 | | B01B.exe
PID 2572 wrote to memory of 308 | 2572 | | B01B.exe
PID 2572 wrote to memory of 2412 | 2572 | | B28D.exe
PID 2572 wrote to memory of 2412 | 2572 | | B28D.exe
PID 2572 wrote to memory of 2412 | 2572 | | B28D.exe
PID 2572 wrote to memory of 3760 | 2572 | | B3C6.exe
PID 2572 wrote to memory of 3760 | 2572 | | B3C6.exe
PID 2572 wrote to memory of 3760 | 2572 | | B3C6.exe
PID 2412 wrote to memory of 3348 | 2412 | B28D.exe | nbveek.exe
PID 2412 wrote to memory of 3348 | 2412 | B28D.exe | nbveek.exe
PID 2412 wrote to memory of 3348 | 2412 | B28D.exe | nbveek.exe
PID 3760 wrote to memory of 3812 | 3760 | B3C6.exe | nbveek.exe
PID 3760 wrote to memory of 3812 | 3760 | B3C6.exe | nbveek.exe
PID 3760 wrote to memory of 3812 | 3760 | B3C6.exe | nbveek.exe
PID 3348 wrote to memory of 1800 | 3348 | nbveek.exe | schtasks.exe
PID 3348 wrote to memory of 1800 | 3348 | nbveek.exe | schtasks.exe
PID 3348 wrote to memory of 1800 | 3348 | nbveek.exe | schtasks.exe
PID 2572 wrote to memory of 3260 | 2572 | | B648.exe
PID 2572 wrote to memory of 3260 | 2572 | | B648.exe
PID 2572 wrote to memory of 3260 | 2572 | | B648.exe
PID 2572 wrote to memory of 4776 | 2572 | | B781.exe
PID 2572 wrote to memory of 4776 | 2572 | | B781.exe
PID 2572 wrote to memory of 4776 | 2572 | | B781.exe
PID 3348 wrote to memory of 1312 | 3348 | nbveek.exe | linda5.exe
PID 3348 wrote to memory of 1312 | 3348 | nbveek.exe | linda5.exe
PID 3348 wrote to memory of 1312 | 3348 | nbveek.exe | linda5.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 308 wrote to memory of 3048 | 308 | B01B.exe | B01B.exe
PID 1312 wrote to memory of 428 | 1312 | linda5.exe | control.exe
PID 1312 wrote to memory of 428 | 1312 | linda5.exe | control.exe
PID 1312 wrote to memory of 428 | 1312 | linda5.exe | control.exe
PID 3348 wrote to memory of 3660 | 3348 | nbveek.exe | nbveek.exe
PID 3348 wrote to memory of 3660 | 3348 | nbveek.exe | nbveek.exe
PID 3348 wrote to memory of 3660 | 3348 | nbveek.exe | nbveek.exe
PID 428 wrote to memory of 4160 | 428 | control.exe | rundll32.exe
PID 428 wrote to memory of 4160 | 428 | control.exe | rundll32.exe
PID 428 wrote to memory of 4160 | 428 | control.exe | rundll32.exe
PID 2572 wrote to memory of 3424 | 2572 | | C30B.exe
PID 2572 wrote to memory of 3424 | 2572 | | C30B.exe
PID 2572 wrote to memory of 3424 | 2572 | | C30B.exe
PID 2572 wrote to memory of 4404 | 2572 | | C7A0.exe
PID 2572 wrote to memory of 4404 | 2572 | | C7A0.exe
PID 2572 wrote to memory of 4404 | 2572 | | C7A0.exe
PID 3048 wrote to memory of 552 | 3048 | B01B.exe | icacls.exe
PID 3048 wrote to memory of 552 | 3048 | B01B.exe | icacls.exe
PID 3048 wrote to memory of 552 | 3048 | B01B.exe | icacls.exe
PID 2572 wrote to memory of 1084 | 2572 | | D26F.exe
PID 2572 wrote to memory of 1084 | 2572 | | D26F.exe
PID 3348 wrote to memory of 1976 | 3348 | nbveek.exe | nbveek.exe
PID 3348 wrote to memory of 1976 | 3348 | nbveek.exe | nbveek.exe
PID 3348 wrote to memory of 1976 | 3348 | nbveek.exe | nbveek.exe
PID 2572 wrote to memory of 4924 | 2572 | | DF60.exe
PID 2572 wrote to memory of 4924 | 2572 | | DF60.exe
PID 3424 wrote to memory of 4004 | 3424 | C30B.exe | ngentask.exe
PID 3424 wrote to memory of 4004 | 3424 | C30B.exe | ngentask.exe
outlook_win_path 1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe"C:\Users\Admin\AppData\Local\Temp\0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\B01B.exeC:\Users\Admin\AppData\Local\Temp\B01B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B01B.exeC:\Users\Admin\AppData\Local\Temp\B01B.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\c9701f7b-6bb9-440d-9101-f2d164de1b81" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\B01B.exe"C:\Users\Admin\AppData\Local\Temp\B01B.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B01B.exe"C:\Users\Admin\AppData\Local\Temp\B01B.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe"C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe"C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe  (tree depth 7)
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe" & exit
-
C:\Windows\SysWOW64\timeout.exe  (tree depth 8)
timeout /t 6
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\B28D.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\B28D.exe
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe  (tree depth 2)
"C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe  (tree depth 3)
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe" /F
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000023051\linda5.exe  (tree depth 3)
"C:\Users\Admin\AppData\Local\Temp\1000023051\linda5.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\control.exe  (tree depth 4)
"C:\Windows\System32\control.exe" .\TRNY7o.R
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe  (tree depth 5)
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\TRNY7o.R
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exe  (tree depth 6)
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\TRNY7o.R
-
C:\Windows\SysWOW64\rundll32.exe  (tree depth 7)
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\TRNY7o.R
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe  (tree depth 3)
"C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe  (tree depth 3)
"C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe  (tree depth 3)
"C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
-
C:\Windows\SysWOW64\rundll32.exe  (tree depth 3)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\B3C6.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\B3C6.exe
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe  (tree depth 2)
"C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B648.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\B648.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\B781.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\B781.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 2)
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 340
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\C30B.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\C30B.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe  (tree depth 2)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 2)
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1264
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 2)
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1272
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4776 -ip 4776
-
C:\Users\Admin\AppData\Local\Temp\C7A0.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\C7A0.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe  (tree depth 2)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 2)
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1252
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 2)
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1264
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\D26F.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\D26F.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DF60.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\DF60.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3424 -ip 3424
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4404 -ip 4404
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3424 -ip 3424
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4404 -ip 4404
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5B29.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\5B29.exe
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe  (tree depth 2)
"C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\rundll32.exe  (tree depth 2)
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 2)
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1412
- Program crash
-
C:\Program Files\Google\Chrome\Application\chrome.exe  (tree depth 1)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe  (tree depth 2)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffedb294f50,0x7ffedb294f60,0x7ffedb294f70
-
C:\Program Files\Google\Chrome\Application\chrome.exe  (tree depth 2)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,9826139978025385166,12134628951352105921,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1788 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe  (tree depth 2)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1700,9826139978025385166,12134628951352105921,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1724 /prefetch:2
-
C:\Program Files\Google\Chrome\Application\chrome.exe  (tree depth 2)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1700,9826139978025385166,12134628951352105921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
-
C:\Windows\system32\WerFault.exe  (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 3036 -s 3132
- Program crash
-
C:\Windows\System32\CompPkgSrv.exe  (tree depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\WerFault.exe  (tree depth 1)
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3036 -ip 3036
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4676 -ip 4676
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe  (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\rwahvgu  (tree depth 1)
C:\Users\Admin\AppData\Roaming\rwahvgu
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\tfahvgu  (tree depth 1)
C:\Users\Admin\AppData\Roaming\tfahvgu
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 2)
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 340
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (tree depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1704 -ip 1704
Downloads
-
C:\ProgramData\mozglue.dll
Filesize 133KB
MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dll
Filesize 1.2MB
MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize 2KB
MD5 9d77c9193735a61912ff3bccb47168a7
SHA1 aee81c528117867ca69f22f93aa2ca710f908b6e
SHA256 79b78c9e1d9c4fb6c08413757fee9d3d2fdb15415f6b8b9cd9c3bd67a235ba95
SHA512 c70ae8ed0d68f38b217f4b6ac809050f27f71e6de140712c56ecf7c55896ae518993c55193bc282097580a3f7c869424789aa3c3cc8ecc81c394f8e15c1f77bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 1KB
MD5 a2b3de2676790ac64a1bc51ba3e667d1
SHA1 2a7f7090fed2ddd299339197428a9fafc3fd349b
SHA256 aa8cdcc9c8c19d24037aa62dfb529b22d25a7eb3927d35f59572c153c81c5a4a
SHA512 ab9e80a077a2fe486630e4d7fb159994224fce41c6fbc6197cc600e4fac86d504e8b3d1670ca628fb45792498be42a80e1c6b0af4b3e7451bc039222ea123ef5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize 488B
MD5 9a9fe00c8dea90c8aa47d2dccf456c09
SHA1 c79101bad2100807f448e26c4ac31b1a543add13
SHA256 01f0c9165c261f7c6f7a8f4491268bcb20dfaab20f562cfda4b2a37bb1d25426
SHA512 eca61a23c06410c4f82f61763d5b49b13f0cf8c53847276b3d6ec907457195bf1b02d9dce2ea0d6d221d0c4283fcf6cb5a7d3f67435d93484928a7379958057a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 482B
MD5 6482d8f07bfbe9bd918b39a38ed41dd4
SHA1 23b60202f9740f9e6a37cc13b0da5a263653cf7b
SHA256 8d93ba595f576510173fe176cc83c17ac5f048d7b288814cae0ffcb58eee7566
SHA512 7f12e74bd4ff2db09187889e59b294e6a2733e281667e5f03aee5b47b9a62327ffcdb4f4cd7426b3394370c8df3f090e68279972216abb15e7e086ded03befff
-
C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe
Filesize 407KB
MD5 3b6782cde711c6e73e09611c5041060e
SHA1 412d9f6e64ebee4287eccff782f04943e5381d4f
SHA256 740912c948f5c370a23fa34da6fca7ffa1abc420edefcbe3c7a74170c9f47e8c
SHA512 d7883a046d9b153094f9f3e5970b78a9084de8472d219a325006a7652cdf5427641a0c10beef4aceaa4ad9d92ea1a2ccf8104588e51760200e7e85be37524c4e
-
C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe
Filesize 407KB
MD5 3b6782cde711c6e73e09611c5041060e
SHA1 412d9f6e64ebee4287eccff782f04943e5381d4f
SHA256 740912c948f5c370a23fa34da6fca7ffa1abc420edefcbe3c7a74170c9f47e8c
SHA512 d7883a046d9b153094f9f3e5970b78a9084de8472d219a325006a7652cdf5427641a0c10beef4aceaa4ad9d92ea1a2ccf8104588e51760200e7e85be37524c4e
-
C:\Users\Admin\AppData\Local\33b1424c-6f8d-4913-a35f-2daff4686478\build2.exe
Filesize 407KB
MD5 3b6782cde711c6e73e09611c5041060e
SHA1 412d9f6e64ebee4287eccff782f04943e5381d4f
SHA256 740912c948f5c370a23fa34da6fca7ffa1abc420edefcbe3c7a74170c9f47e8c
SHA512 d7883a046d9b153094f9f3e5970b78a9084de8472d219a325006a7652cdf5427641a0c10beef4aceaa4ad9d92ea1a2ccf8104588e51760200e7e85be37524c4e
-
C:\Users\Admin\AppData\Local\Temp\1000023051\linda5.exe
Filesize 1.3MB
MD5 aee3d3381601d0c5936bca14afd1f966
SHA1 31785805f5634c30d7a7df472829b58f28bb6b1b
SHA256 0fb3683b8486290bd6b7bc5865fbc685894655d30b528c40fc8295e9987782e0
SHA512 0037f363bf5811836c45a57e66e9a892096a92d5b11ba4b0dddb4633b1658aad182ee5b30d4530571b2d65caafddaa584fb301707afd147c1a5ca29850c4a01c
-
C:\Users\Admin\AppData\Local\Temp\1000023051\linda5.exe
Filesize 1.3MB
MD5 aee3d3381601d0c5936bca14afd1f966
SHA1 31785805f5634c30d7a7df472829b58f28bb6b1b
SHA256 0fb3683b8486290bd6b7bc5865fbc685894655d30b528c40fc8295e9987782e0
SHA512 0037f363bf5811836c45a57e66e9a892096a92d5b11ba4b0dddb4633b1658aad182ee5b30d4530571b2d65caafddaa584fb301707afd147c1a5ca29850c4a01c
-
C:\Users\Admin\AppData\Local\Temp\5B29.exe
Filesize 5.6MB
MD5 5b6dcf8ecacc2db7e974e0ec4bf83a3e
SHA1 ad63a38ed5e3ae637fef6fe9ae7bd5616ed7580b
SHA256 0d58dd045f5ab0dc1fd7696ff211a01faf6430cf20de39d7b8337763af115f6e
SHA512 6ea5353fb68efbe545dabd301121111afe852c42151ad4608a85b5461192dd522c2483fa40624c7c8c7bfc6f1ad996983b117625f646ba554662653eeab65603
-
C:\Users\Admin\AppData\Local\Temp\5B29.exe
Filesize 5.6MB
MD5 5b6dcf8ecacc2db7e974e0ec4bf83a3e
SHA1 ad63a38ed5e3ae637fef6fe9ae7bd5616ed7580b
SHA256 0d58dd045f5ab0dc1fd7696ff211a01faf6430cf20de39d7b8337763af115f6e
SHA512 6ea5353fb68efbe545dabd301121111afe852c42151ad4608a85b5461192dd522c2483fa40624c7c8c7bfc6f1ad996983b117625f646ba554662653eeab65603
-
C:\Users\Admin\AppData\Local\Temp\B01B.exe
Filesize 752KB
MD5 e6133ea9349d980fe1bc6775ba9a4851
SHA1 5d86f79b568274a26a3956cf27f1e0ca2c2f8000
SHA256 b0129df41ef3e0ee1ba9adf39d14b0b3c6d94c2f1cc161f37066a652de902cb4
SHA512 111856c90096f685812cd4495d4ad7bda6a262b836b8ae6836fefbc5115d1877a3d6d7208e296521dac427cf0a10a5bd9b7b3f80cce24a9fdfa22569392dd2c5
-
C:\Users\Admin\AppData\Local\Temp\B01B.exe
Filesize 752KB
MD5 e6133ea9349d980fe1bc6775ba9a4851
SHA1 5d86f79b568274a26a3956cf27f1e0ca2c2f8000
SHA256 b0129df41ef3e0ee1ba9adf39d14b0b3c6d94c2f1cc161f37066a652de902cb4
SHA512 111856c90096f685812cd4495d4ad7bda6a262b836b8ae6836fefbc5115d1877a3d6d7208e296521dac427cf0a10a5bd9b7b3f80cce24a9fdfa22569392dd2c5
-
C:\Users\Admin\AppData\Local\Temp\B01B.exe
Filesize 752KB
MD5 e6133ea9349d980fe1bc6775ba9a4851
SHA1 5d86f79b568274a26a3956cf27f1e0ca2c2f8000
SHA256 b0129df41ef3e0ee1ba9adf39d14b0b3c6d94c2f1cc161f37066a652de902cb4
SHA512 111856c90096f685812cd4495d4ad7bda6a262b836b8ae6836fefbc5115d1877a3d6d7208e296521dac427cf0a10a5bd9b7b3f80cce24a9fdfa22569392dd2c5
-
C:\Users\Admin\AppData\Local\Temp\B01B.exe
Filesize 752KB
MD5 e6133ea9349d980fe1bc6775ba9a4851
SHA1 5d86f79b568274a26a3956cf27f1e0ca2c2f8000
SHA256 b0129df41ef3e0ee1ba9adf39d14b0b3c6d94c2f1cc161f37066a652de902cb4
SHA512 111856c90096f685812cd4495d4ad7bda6a262b836b8ae6836fefbc5115d1877a3d6d7208e296521dac427cf0a10a5bd9b7b3f80cce24a9fdfa22569392dd2c5
-
C:\Users\Admin\AppData\Local\Temp\B01B.exe
Filesize 752KB
MD5 e6133ea9349d980fe1bc6775ba9a4851
SHA1 5d86f79b568274a26a3956cf27f1e0ca2c2f8000
SHA256 b0129df41ef3e0ee1ba9adf39d14b0b3c6d94c2f1cc161f37066a652de902cb4
SHA512 111856c90096f685812cd4495d4ad7bda6a262b836b8ae6836fefbc5115d1877a3d6d7208e296521dac427cf0a10a5bd9b7b3f80cce24a9fdfa22569392dd2c5
-
C:\Users\Admin\AppData\Local\Temp\B28D.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\B28D.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\B3C6.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\B3C6.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\B648.exe
Filesize 288KB
MD5 1eb462e494ea3609632628a79d4ae220
SHA1 8361223d09a04593c2b936e7eb7162c706837429
SHA256 53652e622569d8c62a00f4b915a32d692844a1df220fbca1767122855b573a74
SHA512 c9d3cb2f2f797e1b06ecac736beb236320e44eede16b32ad764042f1c0204974a0673c41bdc0cda839b210ce88529955e342a5f3a5f566256826cada368687eb
-
C:\Users\Admin\AppData\Local\Temp\B648.exe
Filesize 288KB
MD5 1eb462e494ea3609632628a79d4ae220
SHA1 8361223d09a04593c2b936e7eb7162c706837429
SHA256 53652e622569d8c62a00f4b915a32d692844a1df220fbca1767122855b573a74
SHA512 c9d3cb2f2f797e1b06ecac736beb236320e44eede16b32ad764042f1c0204974a0673c41bdc0cda839b210ce88529955e342a5f3a5f566256826cada368687eb
-
C:\Users\Admin\AppData\Local\Temp\B781.exe
Filesize 250KB
MD5 d151c0601f09b3a823dd989be8e7a8eb
SHA1 ec0bbb7e9f44cbc304c516e2ea17aad0de98172f
SHA256 1c58393e900983e01f7f2220fc2756febfbb0b47c173c5251c227469348c1356
SHA512 c60b732f3207b09181e474b2e27703dd00bf6550ce158b972133fc621a44ff445cefda8fed5e0a72e6b465b2d0f54e933de176d104925ecd6cafa5ff6e9b2a24
-
C:\Users\Admin\AppData\Local\Temp\B781.exe
Filesize 250KB
MD5 d151c0601f09b3a823dd989be8e7a8eb
SHA1 ec0bbb7e9f44cbc304c516e2ea17aad0de98172f
SHA256 1c58393e900983e01f7f2220fc2756febfbb0b47c173c5251c227469348c1356
SHA512 c60b732f3207b09181e474b2e27703dd00bf6550ce158b972133fc621a44ff445cefda8fed5e0a72e6b465b2d0f54e933de176d104925ecd6cafa5ff6e9b2a24
-
C:\Users\Admin\AppData\Local\Temp\C30B.exe
Filesize 1.9MB
MD5 3bf7bbc0f949e65080db6e99d3767e13
SHA1 2b3c06b550d5a2171e40a7edc390c88aa258c422
SHA256 d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3
SHA512 d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d
-
C:\Users\Admin\AppData\Local\Temp\C30B.exe
Filesize 1.9MB
MD5 3bf7bbc0f949e65080db6e99d3767e13
SHA1 2b3c06b550d5a2171e40a7edc390c88aa258c422
SHA256 d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3
SHA512 d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d
-
C:\Users\Admin\AppData\Local\Temp\C7A0.exe
Filesize 1.9MB
MD5 3bf7bbc0f949e65080db6e99d3767e13
SHA1 2b3c06b550d5a2171e40a7edc390c88aa258c422
SHA256 d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3
SHA512 d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d
-
C:\Users\Admin\AppData\Local\Temp\C7A0.exe
Filesize 1.9MB
MD5 3bf7bbc0f949e65080db6e99d3767e13
SHA1 2b3c06b550d5a2171e40a7edc390c88aa258c422
SHA256 d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3
SHA512 d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d
-
C:\Users\Admin\AppData\Local\Temp\D26F.exe
Filesize 3.5MB
MD5 ba2d41ce64789f113baa25ad6014d9ef
SHA1 2a613d52de7beddced943814a65f66d8e465fc58
SHA256 fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646
SHA512 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301
-
C:\Users\Admin\AppData\Local\Temp\D26F.exe
Filesize 3.5MB
MD5 ba2d41ce64789f113baa25ad6014d9ef
SHA1 2a613d52de7beddced943814a65f66d8e465fc58
SHA256 fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646
SHA512 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301
-
C:\Users\Admin\AppData\Local\Temp\DF60.exe
Filesize 3.5MB
MD5 ba2d41ce64789f113baa25ad6014d9ef
SHA1 2a613d52de7beddced943814a65f66d8e465fc58
SHA256 fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646
SHA512 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301
-
C:\Users\Admin\AppData\Local\Temp\DF60.exe
Filesize 3.5MB
MD5 ba2d41ce64789f113baa25ad6014d9ef
SHA1 2a613d52de7beddced943814a65f66d8e465fc58
SHA256 fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646
SHA512 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301
-
C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe
Filesize 1.3MB
MD5 ff6a5732355485b459248f586c2b6945
SHA1 07da3f03ef18e2eaddfceb050b68e93fd533f7a3
SHA256 366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
SHA512 379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749
-
C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe
Filesize 1.3MB
MD5 ff6a5732355485b459248f586c2b6945
SHA1 07da3f03ef18e2eaddfceb050b68e93fd533f7a3
SHA256 366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
SHA512 379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749
-
C:\Users\Admin\AppData\Local\Temp\TRNY7o.R
Filesize 1.4MB
MD5 cceb2a54607ca36f3bcc3ffbbdd0cdf4
SHA1 40f5605b3e4562d23ede5dbdc1a64d501630732b
SHA256 27e39663bb0f4b8436a0769765d93a54f3cffd2773699a416af245822b10ae42
SHA512 a15b2442037d467059fa56c92d76413e3644d81cd5a2a92f79ca74c51f7e4ea68e39c5338286f51500c3378bae61b475ff32285be2ca5128321b5d835d0d602c
-
C:\Users\Admin\AppData\Local\Temp\Trny7o.R
Filesize 1.4MB
MD5 cceb2a54607ca36f3bcc3ffbbdd0cdf4
SHA1 40f5605b3e4562d23ede5dbdc1a64d501630732b
SHA256 27e39663bb0f4b8436a0769765d93a54f3cffd2773699a416af245822b10ae42
SHA512 a15b2442037d467059fa56c92d76413e3644d81cd5a2a92f79ca74c51f7e4ea68e39c5338286f51500c3378bae61b475ff32285be2ca5128321b5d835d0d602c
-
C:\Users\Admin\AppData\Local\Temp\Trny7o.R
Filesize 1.4MB
MD5 cceb2a54607ca36f3bcc3ffbbdd0cdf4
SHA1 40f5605b3e4562d23ede5dbdc1a64d501630732b
SHA256 27e39663bb0f4b8436a0769765d93a54f3cffd2773699a416af245822b10ae42
SHA512 a15b2442037d467059fa56c92d76413e3644d81cd5a2a92f79ca74c51f7e4ea68e39c5338286f51500c3378bae61b475ff32285be2ca5128321b5d835d0d602c
-
C:\Users\Admin\AppData\Local\Temp\Trny7o.R
Filesize 1.4MB
MD5 cceb2a54607ca36f3bcc3ffbbdd0cdf4
SHA1 40f5605b3e4562d23ede5dbdc1a64d501630732b
SHA256 27e39663bb0f4b8436a0769765d93a54f3cffd2773699a416af245822b10ae42
SHA512 a15b2442037d467059fa56c92d76413e3644d81cd5a2a92f79ca74c51f7e4ea68e39c5338286f51500c3378bae61b475ff32285be2ca5128321b5d835d0d602c
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
Filesize 235KB
MD5 b2d52da50280eb51ffeb63d39c5f6844
SHA1 3e79393d0f31bdd9c954c1c541833c18cf6613bc
SHA256 c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33
SHA512 894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c
-
C:\Users\Admin\AppData\Local\c9701f7b-6bb9-440d-9101-f2d164de1b81\B01B.exe
Filesize 752KB
MD5 e6133ea9349d980fe1bc6775ba9a4851
SHA1 5d86f79b568274a26a3956cf27f1e0ca2c2f8000
SHA256 b0129df41ef3e0ee1ba9adf39d14b0b3c6d94c2f1cc161f37066a652de902cb4
SHA512 111856c90096f685812cd4495d4ad7bda6a262b836b8ae6836fefbc5115d1877a3d6d7208e296521dac427cf0a10a5bd9b7b3f80cce24a9fdfa22569392dd2c5
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize 126KB
MD5 70134bf4d1cd851b382b2930a2e182ea
SHA1 8454d476c0d36564792b49be546593af3eab29f4
SHA256 5e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef
SHA512 1af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize 126KB
MD5 70134bf4d1cd851b382b2930a2e182ea
SHA1 8454d476c0d36564792b49be546593af3eab29f4
SHA256 5e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef
SHA512 1af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize 126KB
MD5 70134bf4d1cd851b382b2930a2e182ea
SHA1 8454d476c0d36564792b49be546593af3eab29f4
SHA256 5e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef
SHA512 1af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd
-
C:\Users\Admin\AppData\Roaming\rwahvgu
Filesize 288KB
MD5 b705d582ca060dbcccf95be499ef5031
SHA1 e9cafdc06c601121646391c3c5e63972a31e5d66
SHA256 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1
SHA512 da4f175444e57e61f007a79605d52a55372efa100868ff307d78700c6d61c40671f051cbee5da7ab6ed6c0539bae7975a005f98271f59984a38296c4c677e4c1
-
C:\Users\Admin\AppData\Roaming\rwahvgu
Filesize 288KB
MD5 b705d582ca060dbcccf95be499ef5031
SHA1 e9cafdc06c601121646391c3c5e63972a31e5d66
SHA256 0b4e43ed4857472d00d4d7e06bd5e95deccfbab1d18354a2a28486fed32657f1
SHA512 da4f175444e57e61f007a79605d52a55372efa100868ff307d78700c6d61c40671f051cbee5da7ab6ed6c0539bae7975a005f98271f59984a38296c4c677e4c1
-
C:\Users\Admin\AppData\Roaming\tfahvgu
Filesize 288KB
MD5 1eb462e494ea3609632628a79d4ae220
SHA1 8361223d09a04593c2b936e7eb7162c706837429
SHA256 53652e622569d8c62a00f4b915a32d692844a1df220fbca1767122855b573a74
SHA512 c9d3cb2f2f797e1b06ecac736beb236320e44eede16b32ad764042f1c0204974a0673c41bdc0cda839b210ce88529955e342a5f3a5f566256826cada368687eb
-
C:\Users\Admin\AppData\Roaming\tfahvgu
Filesize 288KB
MD5 1eb462e494ea3609632628a79d4ae220
SHA1 8361223d09a04593c2b936e7eb7162c706837429
SHA256 53652e622569d8c62a00f4b915a32d692844a1df220fbca1767122855b573a74
SHA512 c9d3cb2f2f797e1b06ecac736beb236320e44eede16b32ad764042f1c0204974a0673c41bdc0cda839b210ce88529955e342a5f3a5f566256826cada368687eb
-
\??\pipe\crashpad_3036_ASBYPWODZERHIXAW
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/308-136-0x0000000000000000-mapping.dmp
-
memory/308-167-0x0000000002180000-0x000000000229B000-memory.dmp
Filesize 1.1MB
-
memory/308-165-0x000000000073C000-0x00000000007CD000-memory.dmp
Filesize 580KB
-
memory/428-169-0x0000000000000000-mapping.dmp
-
memory/552-191-0x0000000000000000-mapping.dmp
-
memory/1084-192-0x0000000000000000-mapping.dmp
-
memory/1084-195-0x0000000140000000-0x000000014061A000-memory.dmp
Filesize 6.1MB
-
memory/1144-228-0x0000000000000000-mapping.dmp
-
memory/1312-158-0x0000000000000000-mapping.dmp
-
memory/1704-356-0x00000000004E8000-0x00000000004F8000-memory.dmp
Filesize 64KB
-
memory/1704-357-0x0000000000400000-0x0000000000465000-memory.dmp
Filesize 404KB
-
memory/1800-151-0x0000000000000000-mapping.dmp
-
memory/1900-271-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1900-237-0x0000000000000000-mapping.dmp
-
memory/1900-247-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1900-240-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1900-242-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1904-341-0x0000000000000000-mapping.dmp
-
memory/1976-199-0x0000000000000000-mapping.dmp
-
memory/2412-139-0x0000000000000000-mapping.dmp
-
memory/2572-329-0x000000000E5F0000-0x000000000E718000-memory.dmp
Filesize 1.2MB
-
memory/2572-349-0x000000000E5F0000-0x000000000E718000-memory.dmp
Filesize 1.2MB
-
memory/2912-360-0x0000000000400000-0x0000000000465000-memory.dmp
Filesize 404KB
-
memory/2912-358-0x0000000000659000-0x0000000000669000-memory.dmp
Filesize 64KB
-
memory/2912-359-0x0000000000400000-0x0000000000465000-memory.dmp
Filesize 404KB
-
memory/3048-168-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/3048-223-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/3048-163-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/3048-166-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/3048-161-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/3048-160-0x0000000000000000-mapping.dmp
-
memory/3260-183-0x0000000000779000-0x000000000078A000-memory.dmp
Filesize 68KB
-
memory/3260-184-0x00000000005B0000-0x00000000005B9000-memory.dmp
Filesize 36KB
-
memory/3260-185-0x0000000000400000-0x0000000000465000-memory.dmp
Filesize 404KB
-
memory/3260-200-0x0000000000400000-0x0000000000465000-memory.dmp
Filesize 404KB
-
memory/3260-152-0x0000000000000000-mapping.dmp
-
memory/3348-147-0x0000000000000000-mapping.dmp
-
memory/3352-261-0x00000000005F2000-0x000000000061F000-memory.dmp
Filesize 180KB
-
memory/3352-254-0x00000000005F2000-0x000000000061F000-memory.dmp
Filesize 180KB
-
memory/3352-248-0x0000000000000000-mapping.dmp
-
memory/3352-257-0x00000000006E0000-0x000000000072C000-memory.dmp
Filesize 304KB
-
memory/3424-204-0x000000000B000000-0x000000000B314000-memory.dmp
Filesize 3.1MB
-
memory/3424-202-0x0000000002B3F000-0x0000000002CE4000-memory.dmp
Filesize 1.6MB
-
memory/3424-172-0x0000000000000000-mapping.dmp
-
memory/3424-235-0x0000000002B3F000-0x0000000002CE4000-memory.dmp
Filesize 1.6MB
-
memory/3424-201-0x000000000B000000-0x000000000B314000-memory.dmp
Filesize 3.1MB
-
memory/3500-231-0x0000000000400000-0x000000000043F000-memory.dmp
Filesize 252KB
-
memory/3500-234-0x0000000000DC0000-0x0000000000DCD000-memory.dmp
Filesize 52KB
-
memory/3500-226-0x0000000000000000-mapping.dmp
-
memory/3500-232-0x0000000000400000-0x000000000043F000-memory.dmp
Filesize 252KB
-
memory/3500-233-0x0000000000DA0000-0x0000000000DA9000-memory.dmp
Filesize 36KB
-
memory/3660-170-0x0000000000000000-mapping.dmp
-
memory/3760-270-0x0000000002570000-0x0000000002576000-memory.dmp
Filesize 24KB
-
memory/3760-142-0x0000000000000000-mapping.dmp
-
memory/3760-266-0x0000000000400000-0x0000000000560000-memory.dmp
Filesize 1.4MB
-
memory/3760-296-0x0000000002B20000-0x0000000002BFD000-memory.dmp
Filesize 884KB
-
memory/3760-298-0x0000000002C00000-0x0000000002CC6000-memory.dmp
Filesize 792KB
-
memory/3760-264-0x0000000000000000-mapping.dmp
-
memory/3812-149-0x0000000000000000-mapping.dmp
-
memory/3956-262-0x0000000000000000-mapping.dmp
-
memory/4004-224-0x0000000001560000-0x000000000156D000-memory.dmp
Filesize 52KB
-
memory/4004-220-0x0000000000400000-0x000000000043F000-memory.dmp
Filesize 252KB
-
memory/4004-219-0x0000000000400000-0x000000000043F000-memory.dmp
Filesize 252KB
-
memory/4004-218-0x0000000000400000-0x000000000043F000-memory.dmp
Filesize 252KB
-
memory/4004-215-0x0000000000000000-mapping.dmp
-
memory/4004-216-0x0000000000400000-0x000000000043F000-memory.dmp
Filesize 252KB
-
memory/4004-222-0x0000000001460000-0x0000000001469000-memory.dmp
Filesize 36KB
-
memory/4036-293-0x0000000000000000-mapping.dmp
-
memory/4080-272-0x0000000060900000-0x0000000060992000-memory.dmp
Filesize 584KB
-
memory/4080-269-0x0000000000400000-0x000000000045F000-memory.dmp
Filesize 380KB
-
memory/4080-256-0x0000000000000000-mapping.dmp
-
memory/4080-258-0x0000000000400000-0x000000000045F000-memory.dmp
Filesize 380KB
-
memory/4080-263-0x0000000000400000-0x000000000045F000-memory.dmp
Filesize 380KB
-
memory/4080-294-0x0000000000400000-0x000000000045F000-memory.dmp
Filesize 380KB
-
memory/4080-260-0x0000000000400000-0x000000000045F000-memory.dmp
Filesize 380KB
-
memory/4160-252-0x0000000002AC0000-0x0000000002B86000-memory.dmp
Filesize 792KB
-
memory/4160-178-0x0000000002670000-0x00000000027D0000-memory.dmp
Filesize 1.4MB
-
memory/4160-171-0x0000000000000000-mapping.dmp
-
memory/4160-253-0x0000000002AC0000-0x0000000002B86000-memory.dmp
Filesize 792KB
-
memory/4160-182-0x0000000002190000-0x0000000002196000-memory.dmp
Filesize 24KB
-
memory/4160-179-0x0000000002670000-0x00000000027D0000-memory.dmp
Filesize 1.4MB
-
memory/4160-251-0x00000000029E0000-0x0000000002ABD000-memory.dmp
Filesize 884KB
-
memory/4300-332-0x0000000000000000-mapping.dmp
-
memory/4300-336-0x0000000001000000-0x0000000001A25000-memory.dmp
Filesize 10.1MB
-
memory/4300-337-0x0000000003510000-0x0000000004054000-memory.dmp
Filesize 11.3MB
-
memory/4300-346-0x0000000003510000-0x0000000004054000-memory.dmp
Filesize 11.3MB
-
memory/4404-186-0x0000000000000000-mapping.dmp
-
memory/4404-203-0x0000000003383000-0x0000000003528000-memory.dmp
Filesize 1.6MB
-
memory/4404-236-0x0000000003383000-0x0000000003528000-memory.dmp
Filesize 1.6MB
-
memory/4404-212-0x000000000EB40000-0x000000000EE54000-memory.dmp
Filesize 3.1MB
-
memory/4404-208-0x000000000EB40000-0x000000000EE54000-memory.dmp
Filesize 3.1MB
-
memory/4596-307-0x00000000024B0000-0x00000000025E4000-memory.dmp
Filesize 1.2MB
-
memory/4596-304-0x0000000000000000-mapping.dmp
-
memory/4676-347-0x0000000000400000-0x00000000009B6000-memory.dmp
Filesize 5.7MB
-
memory/4676-350-0x0000000000400000-0x00000000009B6000-memory.dmp
Filesize 5.7MB
-
memory/4676-326-0x0000000007000000-0x0000000007B44000-memory.dmp
Filesize 11.3MB
-
memory/4676-324-0x0000000000400000-0x00000000009B6000-memory.dmp
Filesize 5.7MB
-
memory/4676-321-0x0000000002C20000-0x00000000031D3000-memory.dmp
Filesize 5.7MB
-
memory/4676-319-0x00000000026B8000-0x0000000002C19000-memory.dmp
Filesize 5.4MB
-
memory/4676-301-0x0000000000000000-mapping.dmp
-
memory/4676-348-0x0000000007000000-0x0000000007B44000-memory.dmp
Filesize 11.3MB
-
memory/4756-134-0x0000000000400000-0x0000000000465000-memory.dmp
Filesize 404KB
-
memory/4756-132-0x00000000004B8000-0x00000000004C9000-memory.dmp
Filesize
68KB
-
memory/4756-135-0x0000000000400000-0x0000000000465000-memory.dmpFilesize
404KB
-
memory/4756-133-0x0000000000470000-0x0000000000479000-memory.dmpFilesize
36KB
-
memory/4776-155-0x0000000000000000-mapping.dmp
-
memory/4776-189-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4776-187-0x00000000006C9000-0x00000000006DA000-memory.dmpFilesize
68KB
-
memory/4892-295-0x0000000000000000-mapping.dmp
-
memory/4924-209-0x0000000140000000-0x000000014061A000-memory.dmpFilesize
6.1MB
-
memory/4924-205-0x0000000000000000-mapping.dmp
-
memory/4960-221-0x0000000000000000-mapping.dmp
-
memory/4960-241-0x000000000212F000-0x00000000021C0000-memory.dmpFilesize
580KB
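The artifact names above encode a PID, a per-report ordinal and a start/end address, and the reported Filesize is simply end minus start. The following Python is an added example, not part of the sandbox report or its tooling: it parses a handful of entries copied from the listing, recomputes each region size and checks it against the reported one, and groups the dumps per PID so that repeated snapshots of the same range and dumps taken at common linker image bases stand out. The naming convention, the size-rounding rule and the set of "likely image bases" are inferences made by this example, not something the report documents.

```python
import re
from collections import defaultdict

# Naming convention of the dump artifacts in the listing above (inferred from the
# names themselves; the report does not document it):
#   memory/<pid>-<ordinal>-0x<start>-0x<end>-memory.dmp    a dumped memory region
#   memory/<pid>-<ordinal>-0x0000000000000000-mapping.dmp  a process mapping record
_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<ordinal>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Sample entries copied from the listing above, paired with the reported Filesize.
SAMPLE_ENTRIES = [
    ("memory/3500-234-0x0000000000DC0000-0x0000000000DCD000-memory.dmp", "52KB"),
    ("memory/3500-226-0x0000000000000000-mapping.dmp", None),
    ("memory/3500-232-0x0000000000400000-0x000000000043F000-memory.dmp", "252KB"),
    ("memory/3760-266-0x0000000000400000-0x0000000000560000-memory.dmp", "1.4MB"),
    ("memory/4080-258-0x0000000000400000-0x000000000045F000-memory.dmp", "380KB"),
    ("memory/4080-263-0x0000000000400000-0x000000000045F000-memory.dmp", "380KB"),
    ("memory/4080-272-0x0000000060900000-0x0000000060992000-memory.dmp", "584KB"),
    ("memory/4924-209-0x0000000140000000-0x000000014061A000-memory.dmp", "6.1MB"),
    ("memory/4300-336-0x0000000001000000-0x0000000001A25000-memory.dmp", "10.1MB"),
]

# Default linker image bases (a heuristic assumed by this example): a region dumped
# from one of these addresses is a candidate unpacked or injected PE image.
LIKELY_IMAGE_BASES = {0x400000, 0x10000000, 0x140000000}


def parse_dump_name(name):
    """Split a dump artifact name into its fields; return None if it does not match."""
    m = _DUMP_RE.match(name)
    if not m:
        return None
    rec = {
        "pid": int(m["pid"]),
        "ordinal": int(m["ordinal"]),
        "kind": m["kind"],
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,
    }
    # Mapping records carry no address range, so their size is reported as 0.
    rec["size"] = rec["end"] - rec["start"] if rec["end"] is not None else 0
    return rec


def format_size(nbytes):
    """Reproduce the report's rounding: whole KB below 1 MiB, one decimal MB above."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def reconcile(entries):
    """For each region dump, return (name, computed size, reported size, match flag)."""
    out = []
    for name, reported in entries:
        rec = parse_dump_name(name)
        if rec is None or rec["kind"] != "memory":
            continue
        computed = format_size(rec["size"])
        out.append((name, computed, reported, computed == reported))
    return out


def summarize_by_pid(entries):
    """Group dumps by PID: mapping count, snapshots per range, image-base candidates."""
    per_pid = defaultdict(lambda: {"mappings": 0, "regions": defaultdict(int)})
    for name, _ in entries:
        rec = parse_dump_name(name)
        if rec is None:
            continue
        if rec["kind"] == "mapping":
            per_pid[rec["pid"]]["mappings"] += 1
        else:
            # The same range dumped under several ordinals means repeated snapshots.
            per_pid[rec["pid"]]["regions"][(rec["start"], rec["end"])] += 1
    summary = {}
    for pid, info in per_pid.items():
        summary[pid] = {
            "mappings": info["mappings"],
            "regions": dict(info["regions"]),
            "image_base_candidates": sorted(
                start for (start, _) in info["regions"] if start in LIKELY_IMAGE_BASES
            ),
        }
    return summary


if __name__ == "__main__":
    for name, computed, reported, ok in reconcile(SAMPLE_ENTRIES):
        print(f"{'ok ' if ok else 'BAD'} {name} computed={computed} reported={reported}")
    for pid, s in sorted(summarize_by_pid(SAMPLE_ENTRIES).items()):
        ranges = {f"0x{a:X}-0x{b:X}": n for (a, b), n in s["regions"].items()}
        print(pid, s["mappings"], "mapping(s)", ranges,
              [hex(b) for b in s["image_base_candidates"]])
```

The image-base flag is only a triage hint: a region at 0x400000 or 0x140000000 is where a default-linked PE would sit, which is a reason to carve it for an MZ header first, not proof that it holds one. Regions at other addresses (such as the 0x60900000 dump for PID 4080) still need to be inspected by hand.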