Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2023 04:34
Behavioral task behavioral1: sample tmp.exe, resource win7-20220901-en
Behavioral task behavioral2: sample tmp.exe, resource win10v2004-20220812-en (the run this report describes)
General
Target: tmp.exe
Size: 235KB
MD5: 77e0a0a90e0231493bd421f4cdab0668
SHA1: b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA256: 75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512: d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
SSDEEP: 6144:FSfSsOzqs7nAV3QN2tW0J3SluVy3VYygXqgkX:hbN6J4uVy3V3ga
Malware Config
Extracted: amadey
  version: 3.66
  C2: 62.204.41.27/9djZdj09/index.php
Extracted: redline
  botnet: Dzokey1111111
  C2: 82.115.223.9:15486
  auth_value: a46fd18e8e0de86d363c12c2307db5e9
Extracted: redline
  botnet: 1
  C2: librchichelpai.shop:81, rniwondunuifac.shop:81
  auth_value: b6c86adb7106e9ee7247628f59e06830
Three configurations were recovered: one Amadey configuration (the loader stage that drops and schedules nbveek.exe, see the process tree) and two RedLine configurations with different botnet IDs, C2 endpoints and auth values, so at least two distinct RedLine builds were delivered in this run. The Amadey C2 is a bare IP with an index.php path; the RedLine C2s are one IP:port pair and two domains on port 81, all three worth blocking independently.
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Executes dropped EXE (9 IoCs)
  Processes: 4584 nbveek.exe, 1712 live1.exe, 3376 nbveek.exe, 3808 drown.exe, 4356 nbveek.exe, 2716 drown1.exe, 4988 rumba8.exe, 5192 nbveek.exe, 1944 nbveek.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation, by tmp.exe, nbveek.exe and rumba8.exe
- Loads dropped DLL (5 IoCs)
  Processes: 5248 rundll32.exe, 5716 rundll32.exe, 5432 rundll32.exe, 5468 rundll32.exe, 5472 rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run, by msedge.exe
  Caveat: the only Run-key write in this report is attributed to msedge.exe, which the hollowed nbveek.exe copies launched through the .NET shim's SHIM_NOVERSION_FOUND error URL (see the process tree), not to any dropped binary. The loader's own persistence is the per-minute scheduled task listed further down.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (3 IoCs)
  PID 4584 nbveek.exe set thread context of 3376 nbveek.exe
  PID 4584 nbveek.exe set thread context of 4356 nbveek.exe
  PID 2716 drown1.exe set thread context of 724 AppLaunch.exe
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\01aee91f-66a4-4325-963b-7d42452093f3.tmp, by setup.exe
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230119053438.pma, by setup.exe
  Caveat: setup.exe here is the Edge installer that Edge itself ran with --configure-user-settings (see the process tree); these writes are browser housekeeping triggered by the first launch of Edge, not sample activity.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it "likely ransomware behaviour", but nothing else in this report (no mass file modification, no ransom note, no encryption-related signature) supports that reading; drive enumeration is just as routine for a stealer locating files to collect, which is what the rest of the chain shows.
- Program crash (1 IoC)
  5804 WerFault.exe, crashed process 5472 rundll32.exe (per the process tree, the 64-bit rundll32 that loaded cred64.dll)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS, by msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer, by msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName, by msedge.exe
  Caveat: all three hits are Edge's own reads; none is attributed to a dropped sample.
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\, by msedge.exe
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings, by rumba8.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes (hits): 4508 msedge.exe (2), 4220 msedge.exe (2), 3808 drown.exe (3), 724 AppLaunch.exe (3), 1712 live1.exe (3), 5176 identity_helper.exe (2), 5988 msedge.exe (4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  Processes (hits): 4220 msedge.exe (11)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: 3808 drown.exe, 724 AppLaunch.exe, 1712 live1.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (hits): 4220 msedge.exe (3)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Writer -> target (number of writes):
  4968 tmp.exe -> 4584 nbveek.exe (3)
  4584 nbveek.exe -> 2232 schtasks.exe (3)
  4584 nbveek.exe -> 3572 cmd.exe (3)
  3572 cmd.exe -> 5024 cmd.exe (3)
  3572 cmd.exe -> 4568 cacls.exe (3)
  3572 cmd.exe -> 1268 cacls.exe (3)
  3572 cmd.exe -> 1680 cmd.exe (3)
  3572 cmd.exe -> 3056 cacls.exe (3)
  3572 cmd.exe -> 116 cacls.exe (3)
  4584 nbveek.exe -> 1712 live1.exe (3)
  4584 nbveek.exe -> 3376 nbveek.exe (8)
  4584 nbveek.exe -> 3808 drown.exe (3)
  4584 nbveek.exe -> 4356 nbveek.exe (8)
  4584 nbveek.exe -> 2716 drown1.exe (3)
  4356 nbveek.exe -> 4220 msedge.exe (2)
  4220 msedge.exe -> 1556 msedge.exe (2)
  4584 nbveek.exe -> 4872 nbveek.exe (3)
  2716 drown1.exe -> 724 AppLaunch.exe (5)
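The SetThreadContext and WriteProcessMemory signatures above are two views of the same injection activity. A parent that writes into a freshly created child and then replaces that child's initial thread context is the classic process-hollowing sequence, and the three pairs that appear in both lists (4584 nbveek.exe into its own copies 3376 and 4356, 2716 drown1.exe into 724 AppLaunch.exe) are exactly the pairs that receive more writes than the three every other child gets from its parent in this run. Both hollowed nbveek.exe copies are also the ones that went on to launch msedge.exe on the .NET shim's SHIM_NOVERSION_FOUND URL with processName=nbveek.exe, so the image written into them asked for a .NET runtime version the shim could not locate, while AppLaunch.exe is Microsoft's own argument-less .NET host and does nothing on its own. The Python below is an added example, not part of the report or of the sandbox that produced it: it parses records in the exact text form the report uses, derives the baseline write count from children whose thread context was never touched, and returns the hollowing candidates with their excess writes. The input is a constructed excerpt of the report's own records, with each line repeated to reproduce the per-pair hit counts.

```python
"""Correlate WriteProcessMemory and SetThreadContext records into process-hollowing candidates.
Added example, not code from the report. REPORT_EXCERPT is transcribed from the report's own
records (same line format); repeats reproduce the per-pair hit counts."""
import re
from collections import Counter
from dataclasses import dataclass

# One flattened record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# or "PID <src> set thread context of <dst> <src> <src image> <dst image>".
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

REPORT_EXCERPT = "\n".join(
    ["PID 4968 wrote to memory of 4584 4968 tmp.exe nbveek.exe"] * 3
    + ["PID 4584 wrote to memory of 3376 4584 nbveek.exe nbveek.exe"] * 8
    + ["PID 4584 wrote to memory of 3808 4584 nbveek.exe drown.exe"] * 3
    + ["PID 4584 wrote to memory of 4356 4584 nbveek.exe nbveek.exe"] * 8
    + ["PID 4584 wrote to memory of 2716 4584 nbveek.exe drown1.exe"] * 3
    + ["PID 2716 wrote to memory of 724 2716 drown1.exe AppLaunch.exe"] * 5
    + [
        "PID 4584 set thread context of 3376 4584 nbveek.exe nbveek.exe",
        "PID 4584 set thread context of 4356 4584 nbveek.exe nbveek.exe",
        "PID 2716 set thread context of 724 2716 drown1.exe AppLaunch.exe",
    ]
)


@dataclass(frozen=True)
class Record:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    verb: str  # "write" or "setctx"


def parse_records(text):
    """Parse the report's flattened record lines; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        verb = "write" if m.group("verb").startswith("wrote") else "setctx"
        records.append(Record(int(m.group("src")), int(m.group("dst")),
                              m.group("src_image"), m.group("dst_image"), verb))
    return records


def write_counts(records):
    """Number of WriteProcessMemory hits per (writer pid, target pid)."""
    return Counter((r.src_pid, r.dst_pid) for r in records if r.verb == "write")


def baseline_write_count(records):
    """Most common write count among children whose thread context was never replaced:
    in this report every ordinary child gets the same small number of writes at creation."""
    hollowed = {(r.src_pid, r.dst_pid) for r in records if r.verb == "setctx"}
    ordinary = [n for pair, n in write_counts(records).items() if pair not in hollowed]
    return Counter(ordinary).most_common(1)[0][0] if ordinary else 0


def hollowing_candidates(records):
    """Every (writer, target) pair that was both written to and had its thread context set,
    in order of first appearance, with how many writes it received beyond the baseline."""
    counts = write_counts(records)
    baseline = baseline_write_count(records)
    seen, out = set(), []
    for r in records:
        pair = (r.src_pid, r.dst_pid)
        if r.verb != "setctx" or pair in seen:
            continue
        seen.add(pair)
        writes = counts.get(pair, 0)
        out.append({
            "src_pid": r.src_pid, "src_image": r.src_image,
            "dst_pid": r.dst_pid, "dst_image": r.dst_image,
            "writes": writes, "excess_writes": writes - baseline,
            # A loader hollowing a fresh copy of itself: the child keeps a clean-looking image path.
            "self_image": r.src_image.lower() == r.dst_image.lower(),
        })
    return out


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    print("baseline writes per ordinary child:", baseline_write_count(recs))
    for c in hollowing_candidates(recs):
        print("%(src_pid)s %(src_image)s -> %(dst_pid)s %(dst_image)s: "
              "%(writes)d writes (+%(excess_writes)d), self-image=%(self_image)s" % c)
```

On this excerpt the baseline is 3 and the three candidates come back with 8, 8 and 5 writes. The same correlation works on live EDR telemetry by swapping the parser for the product's event schema; the point is that neither API alone is a strong signal (a debugger sets thread contexts, every parent writes into new children), while the combination on the same parent/child pair with above-baseline write volume is.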
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  sig: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
    sig: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F
      sig: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe
        cmd: CACLS "nbveek.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe
        cmd: CACLS "nbveek.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe
        cmd: CACLS "..\5eb6b96734" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe
        cmd: CACLS "..\5eb6b96734" /P "Admin:R" /E
    - C:\Users\Admin\AppData\Local\Temp\1000016001\live1.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000016001\live1.exe"
      sig: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
      sig: Executes dropped EXE
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x94,0x108,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb74718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb74718
    - C:\Users\Admin\AppData\Local\Temp\1000018001\drown.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000018001\drown.exe"
      sig: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
      sig: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        sig: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb74718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
          sig: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5660 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
          sig: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          sig: Drops file in Program Files directory
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x274,0x278,0x27c,0x234,0x280,0x7ff786055460,0x7ff786055470,0x7ff786055480
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8128 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:2
          sig: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb74718
    - C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exe"
      sig: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
    - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
    - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
    - C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exe"
      sig: Executes dropped EXE; Checks computer location settings; Modifies registry class
      - C:\Windows\SysWOW64\control.exe
        cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",
        - C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",
          sig: Loads dropped DLL
          - C:\Windows\system32\RunDll32.exe
            cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",
            - C:\Windows\SysWOW64\rundll32.exe
              cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",
              sig: Loads dropped DLL
    - C:\Windows\SysWOW64\rundll32.exe
      cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      sig: Loads dropped DLL
      - C:\Windows\system32\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
        sig: Loads dropped DLL
        - C:\Windows\system32\WerFault.exe
          cmd: C:\Windows\system32\WerFault.exe -u -p 5472 -s 680
          sig: Program crash
    - C:\Windows\SysWOW64\rundll32.exe
      cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      sig: Loads dropped DLL
- C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
  sig: Executes dropped EXE
- C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -pss -s 412 -p 5472 -ip 5472
- C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
  sig: Executes dropped EXE
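Several command lines in this tree are detectable on their own, whichever sandbox or EDR recorded them: a scheduled task that re-runs a binary under the user's Temp directory every minute (/SC MINUTE /MO 1 ... /F); CACLS used first to replace the ACL on the dropped file and its folder with "Admin:N" (no access for the logged-on user) and then to add back read-only with /E, which leaves the user unable to modify or delete the loader; a Control Panel applet (.cpl) executed out of Temp through control.exe and Shell32.dll,Control_RunDLL; rundll32 calling a named export (Main) of a DLL under AppData\Roaming; and Microsoft's argument-less .NET host AppLaunch.exe spawned by a binary in Temp. The SysWOW64 image paths under nbveek.exe also show that the loader is a 32-bit process on this 64-bit image, and the two root-level nbveek.exe instances with no parent are the scheduled task firing. The Python below is an added example, not code from the report or from the sandbox: it encodes those five checks as rules over (parent image, image, command line) triples transcribed from the tree, plus one constructed benign control.exe line to show that a system .cpl does not trigger.

```python
"""Command-line heuristics for the loader behaviours in the process tree above.
Added example, not code from the report. Rows are transcribed from the tree;
the last row is a constructed benign control for contrast."""
import re
from collections import namedtuple

Process = namedtuple("Process", "parent image cmdline")

# Paths a standard user can write to; anything persisted or executed from here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)

PROCESS_TREE = [
    Process(r"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe",
            r"C:\Windows\SysWOW64\schtasks.exe",
            r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe '
            r'/TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F'),
    Process(r"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe",
            r"C:\Windows\SysWOW64\cmd.exe",
            r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E'
            r'&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit'),
    Process(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cacls.exe",
            r'CACLS "nbveek.exe" /P "Admin:N"'),
    Process(r"C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exe",
            r"C:\Windows\SysWOW64\control.exe",
            r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",'),
    Process(r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\rundll32.exe",
            r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",'),
    Process(r"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe",
            r"C:\Windows\SysWOW64\rundll32.exe",
            r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    Process(r"C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exe",
            r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
            r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'),
    # Constructed benign control: the same launcher opening an applet that ships with Windows.
    Process(r"C:\Windows\explorer.exe", r"C:\Windows\System32\control.exe",
            r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl",'),
]


def rule_minute_task_to_user_path(p):
    """schtasks /Create with a per-minute trigger whose action lives in a user-writable directory."""
    if not p.image.lower().endswith("schtasks.exe"):
        return None
    cl = p.cmdline
    if not (re.search(r"/create\b", cl, re.I) and re.search(r"/sc\s+minute\b", cl, re.I)):
        return None
    m = re.search(r'/tr\s+"([^"]+)"', cl, re.I) or re.search(r"/tr\s+(\S+)", cl, re.I)
    target = m.group(1) if m else ""
    return "per-minute scheduled task re-runs %s" % target if USER_WRITABLE.search(target) else None


def rule_self_acl_lockdown(p):
    """CACLS <file> /P <user>:N: without /E the whole ACL is replaced, and :N grants that user nothing."""
    m = re.search(r'\bcacls\s+"?([^"\s]+)"?\s+/P\s+"?([^":\s]+):N\b', p.cmdline, re.I)
    return "CACLS removes %s's access to %s" % (m.group(2), m.group(1)) if m else None


def rule_cpl_outside_windows(p):
    """A Control Panel applet loaded by control.exe or rundll32 from anywhere but the Windows directory."""
    if not p.image.lower().endswith(("control.exe", "rundll32.exe")):
        return None
    m = re.search(r'([A-Za-z]:\\[^"]+?\.cpl)', p.cmdline, re.I)
    if m and not m.group(1).lower().startswith("c:\\windows\\"):
        return "Control Panel applet executed from %s" % m.group(1)
    return None


def rule_rundll32_user_profile_dll(p):
    """rundll32 invoking a named export of a DLL that lives under the user profile."""
    if not p.image.lower().endswith("rundll32.exe"):
        return None
    m = re.search(r'([A-Za-z]:\\[^",\s]+\.dll)\s*,\s*(\w+)', p.cmdline, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return "rundll32 calls export %s of %s" % (m.group(2), m.group(1))
    return None


def rule_applaunch_from_user_binary(p):
    """The argument-less .NET host AppLaunch.exe started by something in a user-writable path."""
    if p.image.lower().endswith("applaunch.exe") and USER_WRITABLE.search(p.parent):
        return "AppLaunch.exe started by %s" % p.parent
    return None


RULES = (rule_minute_task_to_user_path, rule_self_acl_lockdown, rule_cpl_outside_windows,
         rule_rundll32_user_profile_dll, rule_applaunch_from_user_binary)


def scan(tree):
    """Return (rule name, image path, message) for every rule that fires on every process."""
    findings = []
    for p in tree:
        for rule in RULES:
            msg = rule(p)
            if msg:
                findings.append((rule.__name__, p.image, msg))
    return findings


if __name__ == "__main__":
    for name, image, msg in scan(PROCESS_TREE):
        print("%-32s %-14s %s" % (name, image.rsplit("\\", 1)[-1], msg))
```

Run against the transcribed rows this yields seven findings (the CACLS rule fires twice, once on the cmd.exe /k line and once on the cacls.exe child; the .cpl rule fires on both control.exe and the rundll32 it spawns) and nothing on the benign timedate.cpl line. The rules key on user-writable paths rather than on the specific file names from this run, which is what makes them reusable: the directory names under Temp and the DLL names are per-sample, the technique is not.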
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: d46ac3d95ec929266535e7263b2d696a
  SHA1: 2c5130116c7a9f2ab5fa5b46a845dd1c637cc0dc
  SHA256: 759dcb44adb9e6623d48b354451ada4d1069c0de091f86b7b7183cd9b5043dbd
  SHA512: 776f36684418238f92cdadf435a614deeda4e65d5fa357d0322be3ab8663aea31f6b4bb1e549e54f0c5aea3c81617adff7f32943831839129b498576641ad828
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
  Filesize: 20KB
  MD5: 49693267e0adbcd119f9f5e02adf3a80
  SHA1: 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
  SHA256: d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
  SHA512: b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
  Filesize: 112KB
  MD5: 30e375798049100677ea16b7c578a4ee
  SHA1: bcab7401a5f34ac0e6f795ece8d3ed12944ae99f
  SHA256: ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce
  SHA512: f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
  Filesize: 116KB
  MD5: f70aa3fa04f0536280f872ad17973c3d
  SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
  SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
  SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
- C:\Users\Admin\AppData\Local\Temp\1000016001\live1.exe
  Filesize: 175KB
  MD5: a46b9ecaf0fb91387054988c47fbf8c1
  SHA1: f1781c22b41e5984c4815f39f4975cac709a0742
  SHA256: fa9ae97004ea80cb0e0e345438fad97bdcb266fdf5d6252bb359357e5408a13a
  SHA512: 3d44acd9ea65bc5a13bf59956219580911e0b29affe6398db999fda2b4ea5850409babe101f136b8a4142611b8d9cae8401a4385c44c81a4e47bb7926235facf
- C:\Users\Admin\AppData\Local\Temp\1000018001\drown.exe
  Filesize: 175KB
  MD5: b10dadf011b7913109bb31b2cc50fdc6
  SHA1: b9a6bb3ea75fd43fc50fb3883cb5cba9d69dbe2c
  SHA256: d05045317e40a873374ffddd6c16a61dfc2211b0f91a44b21b7c8a88ff44351f
  SHA512: 4f76550bd531e8547e02fb525363f95d08c1c659df0f7350ed05197468e3cbf48d9413b153c6f1e2a0c74d233768e7afe5785172683253ec8201c39b2fdc5c5b
- C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exe
  Filesize: 3.7MB
  MD5: f75ca2b1d2dfdc1394518565fdeea79c
  SHA1: d46c59044fcbd7622f369ed9ef4adcadd6d83f1c
  SHA256: 90a61538166854064428335c2b2beecf44fca5979e8fee4db712fc0b09f4729a
  SHA512: dd20f1497a703aa6089bf239fe422f46ff14babeeedcdde0b88a0c63f1ce22e3ec518a138ec068cbd3e2eacd7ccc2bb28b7c7bfe2d9adacc182a287fd41ffa74
The Edge entries (settings.dat, Cookies, Web Data) are browser profile files created by the Edge launch in the process tree, not payloads; settings.dat appeared three times in the original listing with identical hashes and is shown once here. No entries appear on this page for rumba8.exe, 2bBOps.cPl, cred64.dll or clip64.dll, although all four are executed or loaded in the process tree, so their hashes have to be taken from the samples themselves.
-
C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exeFilesize
1.3MB
MD5392935e64d5906f0226d55fbaa65b909
SHA186c1906bfaa0e4658ac7d6839285e6c0d8cb7c65
SHA25683246beebfe344d72bb10448e348921432a8a163fb52e72c1c2d815bfebeb8b1
SHA5123c86db7da4cf8ba9e95e3c77a685e9406f0409725816981f56633fb0b75b62135b383139d453fbadcc5eab8bdfec3c45ce928632099aa6f072ba6198ed4f375e
-
C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exeFilesize
1.3MB
MD5392935e64d5906f0226d55fbaa65b909
SHA186c1906bfaa0e4658ac7d6839285e6c0d8cb7c65
SHA25683246beebfe344d72bb10448e348921432a8a163fb52e72c1c2d815bfebeb8b1
SHA5123c86db7da4cf8ba9e95e3c77a685e9406f0409725816981f56633fb0b75b62135b383139d453fbadcc5eab8bdfec3c45ce928632099aa6f072ba6198ed4f375e
-
C:\Users\Admin\AppData\Local\Temp\2bBOps.cPlFilesize
1.6MB
MD58bf1cc0e0ee5199fcae2d67befe1a453
SHA1a6446fa0529a72894b4935a0279634b07dc9faba
SHA256c2932f4a784fc74a6b82f9226aefaae25538e3b109b55e52e59403ce712c8dca
SHA51294459eb5bda2be00f4cd779aad30af48e87c711d43553ef823c36c9c1477806f49eae214c2821939972c70d9bb12ca36901ef9fd7f37a5bf30945298372c90bc
-
C:\Users\Admin\AppData\Local\Temp\2bBOps.cplFilesize
1.6MB
MD58bf1cc0e0ee5199fcae2d67befe1a453
SHA1a6446fa0529a72894b4935a0279634b07dc9faba
SHA256c2932f4a784fc74a6b82f9226aefaae25538e3b109b55e52e59403ce712c8dca
SHA51294459eb5bda2be00f4cd779aad30af48e87c711d43553ef823c36c9c1477806f49eae214c2821939972c70d9bb12ca36901ef9fd7f37a5bf30945298372c90bc
-
C:\Users\Admin\AppData\Local\Temp\2bBOps.cplFilesize
1.6MB
MD58bf1cc0e0ee5199fcae2d67befe1a453
SHA1a6446fa0529a72894b4935a0279634b07dc9faba
SHA256c2932f4a784fc74a6b82f9226aefaae25538e3b109b55e52e59403ce712c8dca
SHA51294459eb5bda2be00f4cd779aad30af48e87c711d43553ef823c36c9c1477806f49eae214c2821939972c70d9bb12ca36901ef9fd7f37a5bf30945298372c90bc
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD51c79ebc079aaa45b861e584094dbeaf8
SHA1968615f24e34042148ec79fde65225f072fa46d9
SHA256262ba206fcb32a991500d7969ade188f9d8f765b4ead3a4a7c0df8bf726c3788
SHA512103774df0c92da9320d25b29d3246fe2deee333cf8e7e5db1ee5bb2e61cfd6c540e135543088f0ce3050659a7c8812fab6692973aa8cb3d48e851c9201daa3e8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD51c79ebc079aaa45b861e584094dbeaf8
SHA1968615f24e34042148ec79fde65225f072fa46d9
SHA256262ba206fcb32a991500d7969ade188f9d8f765b4ead3a4a7c0df8bf726c3788
SHA512103774df0c92da9320d25b29d3246fe2deee333cf8e7e5db1ee5bb2e61cfd6c540e135543088f0ce3050659a7c8812fab6692973aa8cb3d48e851c9201daa3e8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
\??\pipe\LOCAL\crashpad_4220_NWIPZGVROLCWDHBUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-142-0x0000000000000000-mapping.dmp
-
memory/404-183-0x0000000000000000-mapping.dmp
-
memory/544-181-0x0000000000000000-mapping.dmp
-
memory/724-170-0x0000000000000000-mapping.dmp
-
memory/1268-139-0x0000000000000000-mapping.dmp
-
memory/1556-165-0x0000000000000000-mapping.dmp
-
memory/1680-140-0x0000000000000000-mapping.dmp
-
memory/1680-210-0x0000000000000000-mapping.dmp
-
memory/1712-147-0x0000000005D00000-0x0000000006318000-memory.dmpFilesize
6.1MB
-
memory/1712-143-0x0000000000000000-mapping.dmp
-
memory/1712-149-0x0000000005790000-0x00000000057A2000-memory.dmpFilesize
72KB
-
memory/1712-146-0x0000000000DD0000-0x0000000000E02000-memory.dmpFilesize
200KB
-
memory/1712-186-0x0000000005B00000-0x0000000005B66000-memory.dmpFilesize
408KB
-
memory/1712-152-0x0000000005810000-0x000000000584C000-memory.dmpFilesize
240KB
-
memory/1712-189-0x00000000066C0000-0x0000000006752000-memory.dmpFilesize
584KB
-
memory/1712-190-0x0000000006D10000-0x00000000072B4000-memory.dmpFilesize
5.6MB
-
memory/1712-148-0x0000000005860000-0x000000000596A000-memory.dmpFilesize
1.0MB
-
memory/1788-188-0x0000000000000000-mapping.dmp
-
memory/2232-135-0x0000000000000000-mapping.dmp
-
memory/2288-192-0x0000000000000000-mapping.dmp
-
memory/2484-206-0x0000000000000000-mapping.dmp
-
memory/2716-161-0x0000000000000000-mapping.dmp
-
memory/2716-166-0x0000000000FA0000-0x0000000001544000-memory.dmpFilesize
5.6MB
-
memory/3056-141-0x0000000000000000-mapping.dmp
-
memory/3116-177-0x0000000000000000-mapping.dmp
-
memory/3320-198-0x0000000000000000-mapping.dmp
-
memory/3376-150-0x0000000000000000-mapping.dmp
-
memory/3468-269-0x0000000000000000-mapping.dmp
-
memory/3572-136-0x0000000000000000-mapping.dmp
-
memory/3784-216-0x0000000000000000-mapping.dmp
-
memory/3808-154-0x0000000000000000-mapping.dmp
-
memory/3808-157-0x00000000001F0000-0x0000000000222000-memory.dmpFilesize
200KB
-
memory/3808-195-0x00000000074B0000-0x00000000079DC000-memory.dmpFilesize
5.2MB
-
memory/3808-194-0x0000000006DB0000-0x0000000006F72000-memory.dmpFilesize
1.8MB
-
memory/3908-185-0x0000000000000000-mapping.dmp
-
memory/4112-202-0x0000000000000000-mapping.dmp
-
memory/4220-164-0x0000000000000000-mapping.dmp
-
memory/4356-158-0x0000000000000000-mapping.dmp
-
memory/4508-178-0x0000000000000000-mapping.dmp
-
memory/4524-208-0x0000000000000000-mapping.dmp
-
memory/4528-199-0x0000000000000000-mapping.dmp
-
memory/4556-204-0x0000000000000000-mapping.dmp
-
memory/4560-212-0x0000000000000000-mapping.dmp
-
memory/4568-138-0x0000000000000000-mapping.dmp
-
memory/4584-132-0x0000000000000000-mapping.dmp
-
memory/4720-193-0x0000000000000000-mapping.dmp
-
memory/4872-169-0x0000000000000000-mapping.dmp
-
memory/4988-213-0x0000000000000000-mapping.dmp
-
memory/5024-137-0x0000000000000000-mapping.dmp
-
memory/5176-217-0x0000000000000000-mapping.dmp
-
memory/5248-236-0x0000000002CE0000-0x0000000002DA6000-memory.dmpFilesize
792KB
-
memory/5248-233-0x0000000002C00000-0x0000000002CDD000-memory.dmpFilesize
884KB
-
memory/5248-235-0x0000000002CE0000-0x0000000002DA6000-memory.dmpFilesize
792KB
-
memory/5248-218-0x0000000000000000-mapping.dmp
-
memory/5248-221-0x0000000000400000-0x000000000059B000-memory.dmpFilesize
1.6MB
-
memory/5248-224-0x0000000002590000-0x0000000002596000-memory.dmpFilesize
24KB
-
memory/5428-225-0x0000000000000000-mapping.dmp
-
memory/5432-257-0x0000000000000000-mapping.dmp
-
memory/5444-226-0x0000000000000000-mapping.dmp
-
memory/5468-259-0x0000000000000000-mapping.dmp
-
memory/5472-263-0x0000000000000000-mapping.dmp
-
memory/5500-229-0x0000000000000000-mapping.dmp
-
memory/5512-272-0x0000000000000000-mapping.dmp
-
memory/5520-231-0x0000000000000000-mapping.dmp
-
memory/5600-232-0x0000000000000000-mapping.dmp
-
memory/5624-234-0x0000000000000000-mapping.dmp
-
memory/5664-266-0x0000000000000000-mapping.dmp
-
memory/5696-238-0x0000000000000000-mapping.dmp
-
memory/5716-254-0x00000000034F0000-0x00000000035B6000-memory.dmpFilesize
792KB
-
memory/5716-250-0x0000000003410000-0x00000000034ED000-memory.dmpFilesize
884KB
-
memory/5716-244-0x00000000013D0000-0x00000000013D6000-memory.dmpFilesize
24KB
-
memory/5716-239-0x0000000000000000-mapping.dmp
-
memory/5988-270-0x0000000000000000-mapping.dmp
-
memory/6028-245-0x0000000000000000-mapping.dmp
-
memory/6044-246-0x0000000000000000-mapping.dmp
-
memory/6100-249-0x0000000000000000-mapping.dmp
-
memory/6132-252-0x0000000000000000-mapping.dmp