Analysis
-
max time kernel
104s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted
23-01-2023 05:27
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
General
-
Target
tmp.exe
-
Size
235KB
-
MD5
6779cd6f17fa7536c4490cc6d72a00a0
-
SHA1
2976ecc0ecc2800be22fa92868c2173a44e04ee0
-
SHA256
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
-
SHA512
88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
-
SSDEEP
6144:eLUoeyDABOdDubDXqgraG0JzSRuVyL+VYjQqgE:elu0LgwJ4uVyaV+J
Malware Config
Extracted
amadey
3.66
62.204.41.242/9vZbns/index.php
Extracted
redline
tanos
62.204.41.159:4062
-
auth_value
bcb77cd67cf9918d25e4b6ae210a9305
Extracted
redline
buggy
62.204.41.159:4062
-
auth_value
f3bd7e0e0304fca899cd8bf6146ba4b3
Extracted
redline
temp999
82.115.223.9:15486
-
auth_value
c12cdc1127b45350218306e5550c987e
Extracted
redline
st1
librchichelpai.shop:81
rniwondunuifac.shop:81
-
auth_value
a7232a45d6034ee2454fc434093d8f12
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
Processes:
hyperReviewwin.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program 
Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\AppLaunch.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\MSOCache\\All Users\\love.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = 
"explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\AppLaunch.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\MSOCache\\All Users\\love.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\AppLaunch.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\MSOCache\\All Users\\love.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files 
(x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS 
OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\AppLaunch.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\", \"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\", \"C:\\Windows\\Media\\Cityscape\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\AppLaunch.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\", 
\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\"" hyperReviewwin.exe -
Processes:
loda.exeloda1.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" loda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" loda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" loda1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" loda1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection loda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" loda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" loda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" loda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" loda1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" loda1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" loda1.exe -
Process spawned unexpected child process 54 IoCs
This typically indicates that the parent process was compromised, for example via an exploit or a malicious macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2384 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2400 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2424 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2500 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2668 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 760 schtasks.exe Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2860 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3040 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1152 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 760 schtasks.exe Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2300 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1416 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1060 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2420 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2276 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2504 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1728 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1212 760 schtasks.exe Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2888 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2668 760 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 760 schtasks.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1920-89-0x0000000006E70000-0x0000000006EB6000-memory.dmp family_redline behavioral1/memory/1920-90-0x0000000006EB0000-0x0000000006EF4000-memory.dmp family_redline -
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\1000007000\love1.exe dcrat C:\Users\Admin\AppData\Roaming\1000007000\love1.exe dcrat C:\Users\Admin\AppData\Roaming\1000007000\love1.exe dcrat \Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe dcrat C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe dcrat \Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe dcrat C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe dcrat behavioral1/memory/904-140-0x00000000012A0000-0x00000000013AA000-memory.dmp dcrat C:\Windows\Media\Cityscape\dwm.exe dcrat C:\Windows\Media\Cityscape\dwm.exe dcrat behavioral1/memory/2712-171-0x0000000001390000-0x000000000149A000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 15 IoCs
Processes:
nbveek.exeloda.exeloda1.exenesto1.exetanos.exelove1.exenesto.exelove.exetanos1.exestown.exestown1.exehyperReviewwin.exenbveek.exedwm.exenbveek.exepid process 1984 nbveek.exe 112 loda.exe 764 loda1.exe 1920 nesto1.exe 1060 tanos.exe 532 love1.exe 1624 nesto.exe 1424 love.exe 1904 tanos1.exe 2040 stown.exe 832 stown1.exe 904 hyperReviewwin.exe 2820 nbveek.exe 2712 dwm.exe 2848 nbveek.exe -
Loads dropped DLL 30 IoCs
Processes:
tmp.exenbveek.execmd.exerundll32.exerundll32.exerundll32.exeWerFault.exepid process 2032 tmp.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 1984 nbveek.exe 440 cmd.exe 440 cmd.exe 2432 rundll32.exe 2432 rundll32.exe 2432 rundll32.exe 2432 rundll32.exe 1964 rundll32.exe 1964 rundll32.exe 1964 rundll32.exe 1964 rundll32.exe 2180 rundll32.exe 2180 rundll32.exe 2180 rundll32.exe 2180 rundll32.exe 2984 WerFault.exe 2984 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Processes:
loda.exeloda1.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" loda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" loda1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features loda.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 41 IoCs
Processes:
nbveek.exehyperReviewwin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\tanos.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006051\\tanos.exe" nbveek.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nesto.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000010051\\nesto.exe" nbveek.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\tanos1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000017051\\tanos1.exe" nbveek.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nbveek = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nesto1 = "\"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto1 = "\"C:\\Program Files (x86)\\Windows Mail\\nesto1.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\AppLaunch.exe\"" hyperReviewwin.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\tanos1 = "\"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\lsass.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nbveek = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\nbveek.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\winlogon.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Media\\Cityscape\\dwm.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All 
Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Public\\Music\\Sample Music\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\love = "\"C:\\MSOCache\\All Users\\love.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nesto1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005051\\nesto1.exe" nbveek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\cmd.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\cmd.exe\"" hyperReviewwin.exe Set value 
(str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\love = "\"C:\\MSOCache\\All Users\\love.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loda.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\loda.exe" nbveek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Media\\Cityscape\\dwm.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\AppLaunch.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\"" hyperReviewwin.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\WmiPrvSE.exe\"" hyperReviewwin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tanos1 = "\"C:\\Program Files\\Windows Portable Devices\\tanos1.exe\"" hyperReviewwin.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
stown1.exe — description: set thread context; pid: 832; process: stown1.exe; target pid: 1160; target process: AppLaunch.exe -
Drops file in Program Files directory 14 IoCs
Processes:
hyperReviewwin.exedescription ioc process File created C:\Program Files\Windows NT\Accessories\fr-FR\WmiPrvSE.exe hyperReviewwin.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\6203df4a6bafc7 hyperReviewwin.exe File created C:\Program Files\Windows Portable Devices\tanos1.exe hyperReviewwin.exe File created C:\Program Files\Mozilla Firefox\browser\features\ebf1f9fa8afd6d hyperReviewwin.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\AppLaunch.exe hyperReviewwin.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\69ddcba757bf72 hyperReviewwin.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe hyperReviewwin.exe File created C:\Program Files\Mozilla Firefox\browser\features\cmd.exe hyperReviewwin.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\536764fb8cb1f3 hyperReviewwin.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe hyperReviewwin.exe File created C:\Program Files\Windows NT\Accessories\fr-FR\24dbde2999530e hyperReviewwin.exe File created C:\Program Files (x86)\Windows Mail\nesto1.exe hyperReviewwin.exe File created C:\Program Files (x86)\Windows Mail\a8fd22c57cae8c hyperReviewwin.exe File created C:\Program Files\Windows Portable Devices\7d4a55146b5453 hyperReviewwin.exe -
Drops file in Windows directory 3 IoCs
Processes:
hyperReviewwin.exedescription ioc process File created C:\Windows\rescache\rc0002\spoolsv.exe hyperReviewwin.exe File created C:\Windows\Media\Cityscape\dwm.exe hyperReviewwin.exe File created C:\Windows\Media\Cityscape\6cb0b6c459d5d3 hyperReviewwin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe — pid: 2984; pid_target: 1964; process: WerFault.exe; target process: rundll32.exe -
Creates scheduled task(s) 1 TTPs 55 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2648 schtasks.exe 2668 schtasks.exe 2728 schtasks.exe 2752 schtasks.exe 3040 schtasks.exe 1416 schtasks.exe 2476 schtasks.exe 2400 schtasks.exe 2856 schtasks.exe 2588 schtasks.exe 2420 schtasks.exe 2892 schtasks.exe 2964 schtasks.exe 2232 schtasks.exe 2448 schtasks.exe 2792 schtasks.exe 2620 schtasks.exe 2708 schtasks.exe 2816 schtasks.exe 2948 schtasks.exe 1932 schtasks.exe 2668 schtasks.exe 2424 schtasks.exe 2576 schtasks.exe 2504 schtasks.exe 2456 schtasks.exe 2300 schtasks.exe 1060 schtasks.exe 2272 schtasks.exe 2676 schtasks.exe 2716 schtasks.exe 2808 schtasks.exe 3016 schtasks.exe 2500 schtasks.exe 2876 schtasks.exe 2276 schtasks.exe 1212 schtasks.exe 1664 schtasks.exe 2552 schtasks.exe 2688 schtasks.exe 2480 schtasks.exe 1152 schtasks.exe 2128 schtasks.exe 2336 schtasks.exe 3004 schtasks.exe 2920 schtasks.exe 2112 schtasks.exe 2392 schtasks.exe 1728 schtasks.exe 2888 schtasks.exe 2860 schtasks.exe 2840 schtasks.exe 1588 schtasks.exe 2644 schtasks.exe 2384 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
loda.exeloda1.exelove.exenesto1.exetanos1.exetanos.exestown.exehyperReviewwin.exenesto.exeAppLaunch.exedwm.exepid process 112 loda.exe 112 loda.exe 764 loda1.exe 764 loda1.exe 1424 love.exe 1920 nesto1.exe 1904 tanos1.exe 1424 love.exe 1920 nesto1.exe 1904 tanos1.exe 1060 tanos.exe 1060 tanos.exe 2040 stown.exe 2040 stown.exe 904 hyperReviewwin.exe 1624 nesto.exe 1624 nesto.exe 904 hyperReviewwin.exe 904 hyperReviewwin.exe 904 hyperReviewwin.exe 904 hyperReviewwin.exe 904 hyperReviewwin.exe 904 hyperReviewwin.exe 1160 AppLaunch.exe 1160 AppLaunch.exe 2712 dwm.exe 2712 dwm.exe 2712 dwm.exe 2712 dwm.exe 2712 dwm.exe 2712 dwm.exe 2712 dwm.exe 2712 dwm.exe 2712 dwm.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
loda.exeloda1.exenesto1.exenesto.exelove.exetanos1.exehyperReviewwin.exestown.exetanos.exeAppLaunch.exedwm.exedescription pid process Token: SeDebugPrivilege 112 loda.exe Token: SeDebugPrivilege 764 loda1.exe Token: SeDebugPrivilege 1920 nesto1.exe Token: SeDebugPrivilege 1624 nesto.exe Token: SeDebugPrivilege 1424 love.exe Token: SeDebugPrivilege 1904 tanos1.exe Token: SeDebugPrivilege 904 hyperReviewwin.exe Token: SeDebugPrivilege 2040 stown.exe Token: SeDebugPrivilege 1060 tanos.exe Token: SeDebugPrivilege 1160 AppLaunch.exe Token: SeDebugPrivilege 2712 dwm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
tmp.exenbveek.execmd.exelove1.exedescription pid process target process PID 2032 wrote to memory of 1984 2032 tmp.exe nbveek.exe PID 2032 wrote to memory of 1984 2032 tmp.exe nbveek.exe PID 2032 wrote to memory of 1984 2032 tmp.exe nbveek.exe PID 2032 wrote to memory of 1984 2032 tmp.exe nbveek.exe PID 1984 wrote to memory of 1664 1984 nbveek.exe schtasks.exe PID 1984 wrote to memory of 1664 1984 nbveek.exe schtasks.exe PID 1984 wrote to memory of 1664 1984 nbveek.exe schtasks.exe PID 1984 wrote to memory of 1664 1984 nbveek.exe schtasks.exe PID 1984 wrote to memory of 936 1984 nbveek.exe cmd.exe PID 1984 wrote to memory of 936 1984 nbveek.exe cmd.exe PID 1984 wrote to memory of 936 1984 nbveek.exe cmd.exe PID 1984 wrote to memory of 936 1984 nbveek.exe cmd.exe PID 936 wrote to memory of 528 936 cmd.exe cmd.exe PID 936 wrote to memory of 528 936 cmd.exe cmd.exe PID 936 wrote to memory of 528 936 cmd.exe cmd.exe PID 936 wrote to memory of 528 936 cmd.exe cmd.exe PID 936 wrote to memory of 904 936 cmd.exe cacls.exe PID 936 wrote to memory of 904 936 cmd.exe cacls.exe PID 936 wrote to memory of 904 936 cmd.exe cacls.exe PID 936 wrote to memory of 904 936 cmd.exe cacls.exe PID 936 wrote to memory of 1780 936 cmd.exe cacls.exe PID 936 wrote to memory of 1780 936 cmd.exe cacls.exe PID 936 wrote to memory of 1780 936 cmd.exe cacls.exe PID 936 wrote to memory of 1780 936 cmd.exe cacls.exe PID 936 wrote to memory of 1932 936 cmd.exe cmd.exe PID 936 wrote to memory of 1932 936 cmd.exe cmd.exe PID 936 wrote to memory of 1932 936 cmd.exe cmd.exe PID 936 wrote to memory of 1932 936 cmd.exe cmd.exe PID 936 wrote to memory of 1424 936 cmd.exe cacls.exe PID 936 wrote to memory of 1424 936 cmd.exe cacls.exe PID 936 wrote to memory of 1424 936 cmd.exe cacls.exe PID 936 wrote to memory of 1424 936 cmd.exe cacls.exe PID 936 wrote to memory of 1160 936 cmd.exe cacls.exe PID 936 wrote to memory of 1160 936 cmd.exe cacls.exe PID 936 wrote to memory of 1160 936 cmd.exe cacls.exe PID 936 
wrote to memory of 1160 936 cmd.exe cacls.exe PID 1984 wrote to memory of 112 1984 nbveek.exe loda.exe PID 1984 wrote to memory of 112 1984 nbveek.exe loda.exe PID 1984 wrote to memory of 112 1984 nbveek.exe loda.exe PID 1984 wrote to memory of 112 1984 nbveek.exe loda.exe PID 1984 wrote to memory of 764 1984 nbveek.exe loda1.exe PID 1984 wrote to memory of 764 1984 nbveek.exe loda1.exe PID 1984 wrote to memory of 764 1984 nbveek.exe loda1.exe PID 1984 wrote to memory of 764 1984 nbveek.exe loda1.exe PID 1984 wrote to memory of 1920 1984 nbveek.exe nesto1.exe PID 1984 wrote to memory of 1920 1984 nbveek.exe nesto1.exe PID 1984 wrote to memory of 1920 1984 nbveek.exe nesto1.exe PID 1984 wrote to memory of 1920 1984 nbveek.exe nesto1.exe PID 1984 wrote to memory of 1060 1984 nbveek.exe tanos.exe PID 1984 wrote to memory of 1060 1984 nbveek.exe tanos.exe PID 1984 wrote to memory of 1060 1984 nbveek.exe tanos.exe PID 1984 wrote to memory of 1060 1984 nbveek.exe tanos.exe PID 1984 wrote to memory of 532 1984 nbveek.exe love1.exe PID 1984 wrote to memory of 532 1984 nbveek.exe love1.exe PID 1984 wrote to memory of 532 1984 nbveek.exe love1.exe PID 1984 wrote to memory of 532 1984 nbveek.exe love1.exe PID 1984 wrote to memory of 1624 1984 nbveek.exe nesto.exe PID 1984 wrote to memory of 1624 1984 nbveek.exe nesto.exe PID 1984 wrote to memory of 1624 1984 nbveek.exe nesto.exe PID 1984 wrote to memory of 1624 1984 nbveek.exe nesto.exe PID 532 wrote to memory of 1200 532 love1.exe WScript.exe PID 532 wrote to memory of 1200 532 love1.exe WScript.exe PID 532 wrote to memory of 1200 532 love1.exe WScript.exe PID 532 wrote to memory of 1200 532 love1.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:R" /E4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe"C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe"C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe"C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe"C:\Users\Admin\AppData\Roaming\1000007000\love1.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat" "5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ubo1NYdmx5.bat"7⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
C:\Windows\Media\Cityscape\dwm.exe"C:\Windows\Media\Cityscape\dwm.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f6⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe"C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe"C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe"C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe"C:\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1964 -s 3445⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "nbveekn" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\nbveek.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "nbveek" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\nbveek.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "nbveekn" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\nbveek.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "nesto1n" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\nesto1.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "nesto1" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\nesto1.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "nesto1n" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\nesto1.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tanos1t" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\tanos1.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tanos1" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\tanos1.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "tanos1t" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\tanos1.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Cityscape\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Cityscape\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\features\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\features\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AppLaunchA" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\AppLaunch.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AppLaunch" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\AppLaunch.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AppLaunchA" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\AppLaunch.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lovel" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\love.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "love" /sc ONLOGON /tr "'C:\MSOCache\All Users\love.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lovel" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\love.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {D9D17903-35A3-4E6A-926F-FF9EB06730B3} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exeFilesize
303KB
MD5fc288c369c4731573f68766309b00706
SHA154c77141ac83db020b0b762a5723a32e252741b9
SHA2565c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8
SHA512ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd
-
C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe
Filesize: 175KB
MD5: 1d71ce85fb4517119a51fc33910f1975
SHA1: de346e455b4435dc9b9b8dbc506bd5f2b3e84052
SHA256: f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2
SHA512: 77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673
-
C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe
Filesize: 175KB
MD5: 1d71ce85fb4517119a51fc33910f1975
SHA1: de346e455b4435dc9b9b8dbc506bd5f2b3e84052
SHA256: f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2
SHA512: 77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673
-
C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe
Filesize: 303KB
MD5: fc288c369c4731573f68766309b00706
SHA1: 54c77141ac83db020b0b762a5723a32e252741b9
SHA256: 5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8
SHA512: ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd
-
C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe
Filesize: 175KB
MD5: 68e8e72cf791f738b1574ae25bcbd45b
SHA1: 47b58f095e0beefa1caaba7ec7e8d609ee7e3d1f
SHA256: 3aa8e492247c9bc7c9a3dec184e09cc407bbc98683d9646ed984a372fd0958a9
SHA512: 5f002166f3bb935dd3bfc5c604104d0249b0e378ec370e49efa313b95ff9ba910389448e6c3e124d539aa563af4d727d9e31a4542b9a610fb07fdb4bded10e77
-
C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe
Filesize: 175KB
MD5: 68e8e72cf791f738b1574ae25bcbd45b
SHA1: 47b58f095e0beefa1caaba7ec7e8d609ee7e3d1f
SHA256: 3aa8e492247c9bc7c9a3dec184e09cc407bbc98683d9646ed984a372fd0958a9
SHA512: 5f002166f3bb935dd3bfc5c604104d0249b0e378ec370e49efa313b95ff9ba910389448e6c3e124d539aa563af4d727d9e31a4542b9a610fb07fdb4bded10e77
-
C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe
Filesize: 175KB
MD5: 1d71ce85fb4517119a51fc33910f1975
SHA1: de346e455b4435dc9b9b8dbc506bd5f2b3e84052
SHA256: f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2
SHA512: 77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673
-
C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe
Filesize: 175KB
MD5: 1d71ce85fb4517119a51fc33910f1975
SHA1: de346e455b4435dc9b9b8dbc506bd5f2b3e84052
SHA256: f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2
SHA512: 77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673
-
C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe
Filesize: 175KB
MD5: 8959136f8f925f4dc1c5d1d61bc5a98c
SHA1: 490d66f171581e0f7e9af5881a631a692b84a1c3
SHA256: 99e029131148d09b427e5b2e4859ded511aa569161c2c31f80250cec61b62154
SHA512: c3b9d13ef1929e97f5727c329be472c0199ccbc121457af609f1dff0196e24476434e65e73bff9e761dae2d5706c43e88981276a3115dfe43d69361ccf1f40a1
-
C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe
Filesize: 175KB
MD5: 8959136f8f925f4dc1c5d1d61bc5a98c
SHA1: 490d66f171581e0f7e9af5881a631a692b84a1c3
SHA256: 99e029131148d09b427e5b2e4859ded511aa569161c2c31f80250cec61b62154
SHA512: c3b9d13ef1929e97f5727c329be472c0199ccbc121457af609f1dff0196e24476434e65e73bff9e761dae2d5706c43e88981276a3115dfe43d69361ccf1f40a1
-
C:\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe
Filesize: 3.7MB
MD5: f93efd436289bde91568c958b19abb69
SHA1: 9e899b3f05de951a1a35dd130955e52610350932
SHA256: b3424e7615f9ad35d6e1a60a813db6d5e3d85c15d05bdc945d3c59d42465dfe2
SHA512: e250435607e53b1de1d8da50e2cbb3488216ec60d216bd7e416f7bc2bb29d2a103740d552358e7419c0250917455155084af383c21e9142a90a5b349fe7bb80c
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
Filesize: 235KB
MD5: 6779cd6f17fa7536c4490cc6d72a00a0
SHA1: 2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256: b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512: 88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
Note: identical hashes to the submitted sample (tmp.exe) — a self-copy under a new name.
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
Filesize: 235KB
MD5: 6779cd6f17fa7536c4490cc6d72a00a0
SHA1: 2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256: b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512: 88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
Filesize: 235KB
MD5: 6779cd6f17fa7536c4490cc6d72a00a0
SHA1: 2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256: b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512: 88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
Filesize: 235KB
MD5: 6779cd6f17fa7536c4490cc6d72a00a0
SHA1: 2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256: b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512: 88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
-
C:\Users\Admin\AppData\Local\Temp\Ubo1NYdmx5.bat
Filesize: 199B
MD5: 829578c3e1588ec96f32844e141c2bee
SHA1: 8e56ed9bc71b2e7b8c0f650b2636282f87ecc5d2
SHA256: 8c3fc14aecb0eb94eec2dd6680d87bd9dc6a7e2e0febcc8fd97de204865fe25b
SHA512: c068b787073d70ff2a9722a361a450d7f183b48cbe29118cac4d9c17e6729ba7c5f4083f565c74a8d46818de604f7094d2866af9763a26f10636de680c05f710
-
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe
Filesize: 1.3MB
MD5: b9a0002e9a104374dea2f4ba571f1764
SHA1: 627488abb7aeeb5f8f411a9694cebd6b4748a86f
SHA256: 5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18
SHA512: 439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5
-
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe
Filesize: 1.3MB
MD5: b9a0002e9a104374dea2f4ba571f1764
SHA1: 627488abb7aeeb5f8f411a9694cebd6b4748a86f
SHA256: 5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18
SHA512: 439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize: 89KB
MD5: 46132baadaa4c318d24db8ed2220b80a
SHA1: e923041a849d6c4719564280aaf48fe61ed62fa4
SHA256: 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e
SHA512: c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat
Filesize: 173B
MD5: 2445216481e9c79fe7a7d2dddd5dd047
SHA1: 5caaf8f423f587b26c0d98bb57db0e295d7ca6a7
SHA256: 0d8405ad4bde2e23144377872f204baf9cdbc1343a55c075dabeec49a64c7c3d
SHA512: 7000b171a053a0bb20c435765f2c76272e71eb4f429e2b500282f4765b9141757cdcb93a94480ae8ae0b78624098a02bb71caa111e8ab516f12c863725f86484
-
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe
Filesize: 221B
MD5: fc584ab062886ba5b7b34c8a8e4f1809
SHA1: 6be7eeee2021f69be9e4513f0cb28408a56caba9
SHA256: 873395e08f2ca43b4698329c5e2b6667dec76f2eeb08b05a1cff0a14e5a9db76
SHA512: a74d1b3567e169ed0ec0d135e31312eeae71f87e43c2311a16539f670116f2ce75bb4b4f33a6b462aa417c3764637b3e6c027b44728b2da7874031ac0cc4a7b8
-
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
Filesize: 1.0MB
MD5: ce9d81db072369459840b1fe59a54ac9
SHA1: 5813fcd53f7670656d036dfb49c6f9ed8f6eebbf
SHA256: 62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf
SHA512: 6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b
-
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
Filesize: 1.0MB
MD5: ce9d81db072369459840b1fe59a54ac9
SHA1: 5813fcd53f7670656d036dfb49c6f9ed8f6eebbf
SHA256: 62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf
SHA512: 6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b
-
C:\Windows\Media\Cityscape\dwm.exe
Filesize: 1.0MB
MD5: ce9d81db072369459840b1fe59a54ac9
SHA1: 5813fcd53f7670656d036dfb49c6f9ed8f6eebbf
SHA256: 62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf
SHA512: 6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b
Note: identical hashes to hyperReviewwin.exe above — the same binary copied under the name of a Windows system process (dwm.exe) into a non-system directory.
-
C:\Windows\Media\Cityscape\dwm.exe
Filesize: 1.0MB
MD5: ce9d81db072369459840b1fe59a54ac9
SHA1: 5813fcd53f7670656d036dfb49c6f9ed8f6eebbf
SHA256: 62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf
SHA512: 6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b
-
\Users\Admin\AppData\Local\Temp\1000003051\loda.exe
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe
Filesize: 303KB
MD5: fc288c369c4731573f68766309b00706
SHA1: 54c77141ac83db020b0b762a5723a32e252741b9
SHA256: 5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8
SHA512: ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd
-
\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe
Filesize: 303KB
MD5: fc288c369c4731573f68766309b00706
SHA1: 54c77141ac83db020b0b762a5723a32e252741b9
SHA256: 5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8
SHA512: ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd
-
\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe
Filesize: 175KB
MD5: 1d71ce85fb4517119a51fc33910f1975
SHA1: de346e455b4435dc9b9b8dbc506bd5f2b3e84052
SHA256: f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2
SHA512: 77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673
-
\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe
Filesize: 303KB
MD5: fc288c369c4731573f68766309b00706
SHA1: 54c77141ac83db020b0b762a5723a32e252741b9
SHA256: 5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8
SHA512: ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd
-
\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe
Filesize: 303KB
MD5: fc288c369c4731573f68766309b00706
SHA1: 54c77141ac83db020b0b762a5723a32e252741b9
SHA256: 5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8
SHA512: ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd
-
\Users\Admin\AppData\Local\Temp\1000014001\love.exe
Filesize: 175KB
MD5: 68e8e72cf791f738b1574ae25bcbd45b
SHA1: 47b58f095e0beefa1caaba7ec7e8d609ee7e3d1f
SHA256: 3aa8e492247c9bc7c9a3dec184e09cc407bbc98683d9646ed984a372fd0958a9
SHA512: 5f002166f3bb935dd3bfc5c604104d0249b0e378ec370e49efa313b95ff9ba910389448e6c3e124d539aa563af4d727d9e31a4542b9a610fb07fdb4bded10e77
-
\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe
Filesize: 175KB
MD5: 1d71ce85fb4517119a51fc33910f1975
SHA1: de346e455b4435dc9b9b8dbc506bd5f2b3e84052
SHA256: f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2
SHA512: 77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673
-
\Users\Admin\AppData\Local\Temp\1000018001\stown.exe
Filesize: 175KB
MD5: 8959136f8f925f4dc1c5d1d61bc5a98c
SHA1: 490d66f171581e0f7e9af5881a631a692b84a1c3
SHA256: 99e029131148d09b427e5b2e4859ded511aa569161c2c31f80250cec61b62154
SHA512: c3b9d13ef1929e97f5727c329be472c0199ccbc121457af609f1dff0196e24476434e65e73bff9e761dae2d5706c43e88981276a3115dfe43d69361ccf1f40a1
-
\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe
Filesize: 3.7MB
MD5: f93efd436289bde91568c958b19abb69
SHA1: 9e899b3f05de951a1a35dd130955e52610350932
SHA256: b3424e7615f9ad35d6e1a60a813db6d5e3d85c15d05bdc945d3c59d42465dfe2
SHA512: e250435607e53b1de1d8da50e2cbb3488216ec60d216bd7e416f7bc2bb29d2a103740d552358e7419c0250917455155084af383c21e9142a90a5b349fe7bb80c
-
\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe
Filesize: 3.7MB
MD5: f93efd436289bde91568c958b19abb69
SHA1: 9e899b3f05de951a1a35dd130955e52610350932
SHA256: b3424e7615f9ad35d6e1a60a813db6d5e3d85c15d05bdc945d3c59d42465dfe2
SHA512: e250435607e53b1de1d8da50e2cbb3488216ec60d216bd7e416f7bc2bb29d2a103740d552358e7419c0250917455155084af383c21e9142a90a5b349fe7bb80c
-
\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
Filesize: 235KB
MD5: 6779cd6f17fa7536c4490cc6d72a00a0
SHA1: 2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256: b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512: 88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
-
\Users\Admin\AppData\Roaming\1000007000\love1.exe
Filesize: 1.3MB
MD5: b9a0002e9a104374dea2f4ba571f1764
SHA1: 627488abb7aeeb5f8f411a9694cebd6b4748a86f
SHA256: 5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18
SHA512: 439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize: 89KB
MD5: 46132baadaa4c318d24db8ed2220b80a
SHA1: e923041a849d6c4719564280aaf48fe61ed62fa4
SHA256: 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e
SHA512: c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize: 89KB
MD5: 46132baadaa4c318d24db8ed2220b80a
SHA1: e923041a849d6c4719564280aaf48fe61ed62fa4
SHA256: 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e
SHA512: c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize: 89KB
MD5: 46132baadaa4c318d24db8ed2220b80a
SHA1: e923041a849d6c4719564280aaf48fe61ed62fa4
SHA256: 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e
SHA512: c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize: 89KB
MD5: 46132baadaa4c318d24db8ed2220b80a
SHA1: e923041a849d6c4719564280aaf48fe61ed62fa4
SHA256: 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e
SHA512: c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.0MB
MD5: 17ffefed5c2de006ac35f47b84d2477b
SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1
-
\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
Filesize: 1.0MB
MD5: ce9d81db072369459840b1fe59a54ac9
SHA1: 5813fcd53f7670656d036dfb49c6f9ed8f6eebbf
SHA256: 62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf
SHA512: 6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b
-
\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
Filesize: 1.0MB
MD5: ce9d81db072369459840b1fe59a54ac9
SHA1: 5813fcd53f7670656d036dfb49c6f9ed8f6eebbf
SHA256: 62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf
SHA512: 6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b
-
memory/112-69-0x0000000000000000-mapping.dmp
-
memory/112-72-0x00000000008E0000-0x00000000008EA000-memory.dmp
Filesize: 40KB
-
memory/440-134-0x0000000000000000-mapping.dmp
-
memory/528-61-0x0000000000000000-mapping.dmp
-
memory/532-95-0x0000000000000000-mapping.dmp
-
memory/764-74-0x0000000000000000-mapping.dmp
-
memory/764-77-0x0000000001240000-0x000000000124A000-memory.dmp
Filesize: 40KB
-
memory/832-142-0x0000000000293000-0x0000000000295000-memory.dmp
Filesize: 8KB
-
memory/832-129-0x0000000000000000-mapping.dmp
-
memory/832-131-0x0000000000C80000-0x000000000121E000-memory.dmp
Filesize: 5.6MB
-
memory/904-153-0x00000000003D0000-0x00000000003E0000-memory.dmp
Filesize: 64KB
-
memory/904-62-0x0000000000000000-mapping.dmp
-
memory/904-138-0x0000000000000000-mapping.dmp
-
memory/904-156-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB
-
memory/904-140-0x00000000012A0000-0x00000000013AA000-memory.dmp
Filesize: 1.0MB
-
memory/904-155-0x00000000003F0000-0x00000000003F8000-memory.dmp
Filesize: 32KB
-
memory/904-154-0x00000000003E0000-0x00000000003EC000-memory.dmp
Filesize: 48KB
-
memory/936-60-0x0000000000000000-mapping.dmp
-
memory/1060-84-0x0000000000000000-mapping.dmp
-
memory/1060-87-0x00000000000C0000-0x00000000000F2000-memory.dmp
Filesize: 200KB
-
memory/1160-141-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/1160-150-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/1160-151-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/1160-149-0x000000000041B5DA-mapping.dmp
-
memory/1160-144-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/1160-67-0x0000000000000000-mapping.dmp
-
memory/1200-104-0x0000000000000000-mapping.dmp
-
memory/1332-162-0x0000000000000000-mapping.dmp
-
memory/1424-66-0x0000000000000000-mapping.dmp
-
memory/1424-111-0x0000000000110000-0x0000000000142000-memory.dmp
Filesize: 200KB
-
memory/1424-108-0x0000000000000000-mapping.dmp
-
memory/1580-163-0x0000000000000000-mapping.dmp
-
memory/1624-160-0x0000000002C7E000-0x0000000002CAC000-memory.dmp
Filesize: 184KB
-
memory/1624-164-0x0000000000400000-0x0000000002BB6000-memory.dmp
Filesize: 39.7MB
-
memory/1624-100-0x0000000000000000-mapping.dmp
-
memory/1624-120-0x0000000000400000-0x0000000002BB6000-memory.dmp
Filesize: 39.7MB
-
memory/1624-115-0x0000000002C7E000-0x0000000002CAC000-memory.dmp
Filesize: 184KB
-
memory/1664-59-0x0000000000000000-mapping.dmp
-
memory/1780-64-0x0000000000000000-mapping.dmp
-
memory/1904-118-0x0000000000170000-0x00000000001A2000-memory.dmp
Filesize: 200KB
-
memory/1904-114-0x0000000000000000-mapping.dmp
-
memory/1920-90-0x0000000006EB0000-0x0000000006EF4000-memory.dmp
Filesize: 272KB
-
memory/1920-80-0x0000000000000000-mapping.dmp
-
memory/1920-89-0x0000000006E70000-0x0000000006EB6000-memory.dmp
Filesize: 280KB
-
memory/1920-157-0x0000000002D8E000-0x0000000002DBC000-memory.dmp
Filesize: 184KB
-
memory/1920-91-0x0000000002D8E000-0x0000000002DBC000-memory.dmp
Filesize: 184KB
-
memory/1920-92-0x0000000000240000-0x000000000028B000-memory.dmp
Filesize: 300KB
-
memory/1920-93-0x0000000000400000-0x0000000002BB6000-memory.dmp
Filesize: 39.7MB
-
memory/1920-158-0x0000000000400000-0x0000000002BB6000-memory.dmp
Filesize: 39.7MB
-
memory/1932-65-0x0000000000000000-mapping.dmp
-
memory/1964-179-0x0000000000000000-mapping.dmp
-
memory/1984-56-0x0000000000000000-mapping.dmp
-
memory/2032-54-0x00000000767B1000-0x00000000767B3000-memory.dmp
Filesize: 8KB
-
memory/2040-125-0x0000000000330000-0x0000000000362000-memory.dmp
Filesize: 200KB
-
memory/2040-122-0x0000000000000000-mapping.dmp
-
memory/2092-159-0x0000000000000000-mapping.dmp
-
memory/2180-180-0x0000000000000000-mapping.dmp
-
memory/2432-172-0x0000000000000000-mapping.dmp
-
memory/2712-171-0x0000000001390000-0x000000000149A000-memory.dmp
Filesize: 1.0MB
-
memory/2712-169-0x0000000000000000-mapping.dmp
-
memory/2820-165-0x0000000000000000-mapping.dmp
-
memory/2848-194-0x0000000000000000-mapping.dmp
-
memory/2984-191-0x0000000000000000-mapping.dmp