Analysis
max time kernel: 143s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2023 03:45
Static task: static1
Behavioral task: behavioral1
Sample: 4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
Resource: win10v2004-20220812-en
General
Target: 4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
Size: 273KB
MD5: 766683884bbe6a2c0e0ea7d76b6b13ea
SHA1: 793d7b457f36a560d7094e4d0fee7270cc0e6842
SHA256: 4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136
SHA512: 52bc438968e68e967c1513e9bb1376cf55987a3f1976cd4eb0c463bfc30eb34220c3cfb38713c24d0d6513df3823d1b18aa24857eb8010537cf986ffde6bb12a
SSDEEP: 6144:vlr2XLlX3MjWzpuXgs8edJwibHbCJfAg:vlr8RX3S+AXew7bHeY
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 193.233.20.2/Bn89hku/index.php
Extracted
Family: redline
Botnet: france
C2: 193.233.20.5:4136
auth_value: 827023aa27bcc1cc2382e4d111feec6f
Extracted
Family: redline
Botnet: new1
C2: 176.113.115.16:4122
auth_value: ac44cbde6633acc9d67419c7278d5c70
Signatures
-
Detect rhadamanthys stealer shellcode 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1140-210-0x0000000001F30000-0x0000000001F4D000-memory.dmp  family_rhadamanthys
behavioral1/memory/3168-211-0x0000000001F50000-0x0000000001F6D000-memory.dmp  family_rhadamanthys
behavioral1/memory/1140-217-0x0000000001F30000-0x0000000001F4D000-memory.dmp  family_rhadamanthys
behavioral1/memory/3176-218-0x0000000000480000-0x000000000049D000-memory.dmp  family_rhadamanthys
behavioral1/memory/3176-224-0x0000000000480000-0x000000000049D000-memory.dmp  family_rhadamanthys
-
Modifies Windows Defender Real-time Protection settings 16 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  lava.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  lava.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  lava.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  nika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  nika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  nika1.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  nika1.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  nika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  nika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  lava.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  nika1.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  nika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  lava.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  nika1.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  nika1.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  nika.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Downloads MZ/PE file
-
Executes dropped EXE 14 IoCs
Processes:
pid   process
3944  mnolyk.exe
2568  nika.exe
3968  lava.exe
2108  franc.exe
3704  nita1.exe
1496  mixo.exe
3260  nika1.exe
668   nita.exe
224   nita.exe
1140  trebo1.exe
3168  trebo1.exe
3176  trebo1.exe
948   mnolyk.exe
3672  mnolyk.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  mnolyk.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and cookies.
-
Windows security modification 3 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  nika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  lava.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  nika1.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nita.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000008051\\nita.exe"  mnolyk.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\franc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\franc.exe"  mnolyk.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
pid   process     events
1140  trebo1.exe  3
3176  trebo1.exe  3
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is ransomware behaviour; the families identified in this run (Amadey, RedLine, Rhadamanthys) are not ransomware, so here it should be read as drive enumeration rather than encryption activity.
-
Program crash 53 IoCs
Processes:
pid   pid_target  process       target process
4376  2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
5032  2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
948   2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
1360  2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
1548  2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
4620  2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
1732  2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
4936  2220        WerFault.exe  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe
2860  3944        WerFault.exe  mnolyk.exe
3632  3944        WerFault.exe  mnolyk.exe
240   3944        WerFault.exe  mnolyk.exe
564   3944        WerFault.exe  mnolyk.exe
4756  3944        WerFault.exe  mnolyk.exe
4192  3944        WerFault.exe  mnolyk.exe
1428  3944        WerFault.exe  mnolyk.exe
4224  3944        WerFault.exe  mnolyk.exe
1896  3944        WerFault.exe  mnolyk.exe
4036  3944        WerFault.exe  mnolyk.exe
4140  3944        WerFault.exe  mnolyk.exe
3092  3944        WerFault.exe  mnolyk.exe
4024  3944        WerFault.exe  mnolyk.exe
524   3944        WerFault.exe  mnolyk.exe
3228  3944        WerFault.exe  mnolyk.exe
828   3944        WerFault.exe  mnolyk.exe
1624  3944        WerFault.exe  mnolyk.exe
2524  3944        WerFault.exe  mnolyk.exe
2928  3944        WerFault.exe  mnolyk.exe
4940  3944        WerFault.exe  mnolyk.exe
2084  3944        WerFault.exe  mnolyk.exe
2176  3944        WerFault.exe  mnolyk.exe
4816  3944        WerFault.exe  mnolyk.exe
448   3944        WerFault.exe  mnolyk.exe
1840  3944        WerFault.exe  mnolyk.exe
1048  3944        WerFault.exe  mnolyk.exe
5028  3944        WerFault.exe  mnolyk.exe
3632  3944        WerFault.exe  mnolyk.exe
724   3944        WerFault.exe  mnolyk.exe
1040  3944        WerFault.exe  mnolyk.exe
4868  3944        WerFault.exe  mnolyk.exe
3172  3944        WerFault.exe  mnolyk.exe
4900  3944        WerFault.exe  mnolyk.exe
1944  3944        WerFault.exe  mnolyk.exe
1864  3944        WerFault.exe  mnolyk.exe
4628  3944        WerFault.exe  mnolyk.exe
3896  3704        WerFault.exe  nita1.exe
2092  668         WerFault.exe  nita.exe
1412  224         WerFault.exe  nita.exe
944   948         WerFault.exe  mnolyk.exe
3084  3944        WerFault.exe  mnolyk.exe
1340  3944        WerFault.exe  mnolyk.exe
1564  3672        WerFault.exe  mnolyk.exe
3656  3944        WerFault.exe  mnolyk.exe
2812  3944        WerFault.exe  mnolyk.exe
-
Checks SCSI registry key(s) 3 TTPs 10 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  trebo1.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  trebo1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  trebo1.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  trebo1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  trebo1.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  trebo1.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  trebo1.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  trebo1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  trebo1.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  trebo1.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid   process     events
2568  nika.exe    2
3968  lava.exe    2
3260  nika1.exe   2
2108  franc.exe   2
1496  mixo.exe    2
668   nita.exe    2
3704  nita1.exe   2
224   nita.exe    2
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  2568  nika.exe
Token: SeDebugPrivilege  3968  lava.exe
Token: SeDebugPrivilege  3704  nita1.exe
Token: SeDebugPrivilege  3260  nika1.exe
Token: SeDebugPrivilege  2108  franc.exe
Token: SeDebugPrivilege  668  nita.exe
Token: SeDebugPrivilege  224  nita.exe
Token: SeDebugPrivilege  1496  mixo.exe
Token: SeShutdownPrivilege  1140  trebo1.exe
Token: SeCreatePagefilePrivilege  1140  trebo1.exe
Token: SeShutdownPrivilege  3176  trebo1.exe
Token: SeCreatePagefilePrivilege  3176  trebo1.exe
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
pid   process  target pid  target process  writes
2220  4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe  3944  mnolyk.exe  3
3944  mnolyk.exe  1112  schtasks.exe  3
3944  mnolyk.exe  1576  cmd.exe  3
1576  cmd.exe  3900  cmd.exe  3
1576  cmd.exe  1184  cacls.exe  3
1576  cmd.exe  2752  cacls.exe  3
1576  cmd.exe  3516  cmd.exe  3
1576  cmd.exe  4708  cacls.exe  3
1576  cmd.exe  2324  cacls.exe  3
3944  mnolyk.exe  2568  nika.exe  2
3944  mnolyk.exe  3968  lava.exe  2
3944  mnolyk.exe  2108  franc.exe  3
3944  mnolyk.exe  3704  nita1.exe  3
3944  mnolyk.exe  1496  mixo.exe  3
3944  mnolyk.exe  3260  nika1.exe  2
3944  mnolyk.exe  668  nita.exe  3
3944  mnolyk.exe  224  nita.exe  3
3944  mnolyk.exe  1140  trebo1.exe  3
3944  mnolyk.exe  3168  trebo1.exe  3
3944  mnolyk.exe  3176  trebo1.exe  3
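The registry rows in the signature tables above (Defender policy writes, the TamperProtection flip, the Run keys, the Geo\Nation lookup and the SCSI enumeration) are the most reusable part of this report for detection work. The script below is an added example, not part of the sandbox report and not code from any of the detected families: it parses rows in the report's own flattened "description ioc process" format and maps them to MITRE ATT&CK technique IDs. The rule table, the labels and the `RegEvent`, `parse_event`, `classify` and `techniques_by_process` names are this example's own choices; the sample rows are copied from the tables above. Note that the report's matrix is tagged against ATT&CK v6, which had no sub-techniques, so the sub-technique IDs used here (T1562.001, T1547.001, T1497.001) are the current-matrix equivalents rather than what the report itself displays.

```python
"""Map registry-activity IoCs from a sandbox report to ATT&CK technique IDs.

Added example: the event format is the report's flattened
'<action> <registry path>[ = "<value>"] <process>' row; the rule table is
this example's own mapping, not the sandbox's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Event verbs as they appear in the report's "description" column.
ACTIONS = (
    "Set value (int)",
    "Set value (str)",
    "Key value queried",
    "Key created",
    "Key opened",
    "Key queried",
    "Key enumerated",
)

# (regex on the registry path, value that makes it a finding or None, ATT&CK ID, label)
# The value test applies only to "Set value" events; a Key created/opened/queried
# event on a matching path is reported as well, because it already shows intent.
RULES = [
    (r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection(\\Disable\w+)?$",
     "1", "T1562.001", "Defender real-time protection disabled via policy"),
    (r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$",
     "0", "T1562.001", "Defender tamper protection switched off"),
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run\\",
     None, "T1547.001", "Run-key persistence"),
    (r"\\Control Panel\\International\\Geo\\Nation$",
     None, "T1614", "System location lookup (likely geofence)"),
    (r"\\Enum\\SCSI",
     None, "T1497.001", "Disk enumeration via SCSI keys (sandbox check)"),
]


@dataclass
class RegEvent:
    action: str
    path: str
    value: Optional[str]
    process: str


def parse_event(line: str) -> RegEvent:
    """Parse one flattened IoC row into its action, registry path, value and process."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            rest = line[len(action) + 1:]
            break
    else:
        raise ValueError(f"unknown event verb: {line!r}")
    # The process name is the last whitespace-delimited token; registry paths
    # may contain spaces ("Windows Defender\Real-Time Protection"), so split
    # from the right rather than the left.
    rest, _, process = rest.rpartition(" ")
    value = None
    if ' = "' in rest:
        path, _, raw = rest.partition(' = "')
        value = raw.rstrip('"')
    else:
        path = rest
    return RegEvent(action, path, value, process)


def classify(event: RegEvent) -> Optional[Tuple[str, str]]:
    """Return (technique_id, label) for an event, or None if no rule applies."""
    for pattern, expected, tid, label in RULES:
        if not re.search(pattern, event.path, re.IGNORECASE):
            continue
        if expected is not None and event.value is not None and event.value != expected:
            continue  # e.g. a write that re-enables protection is not the finding
        return tid, label
    return None


def techniques_by_process(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each process name to the set of technique IDs its registry events hit."""
    result: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            result.setdefault(ev.process, set()).add(hit[0])
    return result


# Constructed sample: one row per distinct event type, copied from the report.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" lava.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection nika.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" nika1.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nita.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000008051\\nita.exe" mnolyk.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation mnolyk.exe',
    r'Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID trebo1.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI trebo1.exe',
]

if __name__ == "__main__":
    for proc, tids in sorted(techniques_by_process(SAMPLE_EVENTS).items()):
        print(f"{proc:12s} {', '.join(sorted(tids))}")
```

The value test in `classify` matters in practice: the same policy values written with "0" are how an administrator re-enables protection, so a rule that keys only on the path would alert on remediation as well as on the attack.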
Processes
(the leading number and indentation give the depth in the process tree; the image path is listed only where it differs from the executable in the command line; the "- " lines under a process are the signatures it triggered)
1 "C:\Users\Admin\AppData\Local\Temp\4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 888
    - Program crash
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 964
    - Program crash
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1068
    - Program crash
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 960
    - Program crash
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 900
    - Program crash
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 976
    - Program crash
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 964
    - Program crash
  2 "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 520
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 708
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 784
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 816
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 952
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 964
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 964
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 988
      - Program crash
    3 "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
      image: C:\Windows\SysWOW64\schtasks.exe
      - Creates scheduled task(s)
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 936
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 600
      - Program crash
    3 "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
      image: C:\Windows\SysWOW64\cmd.exe
      - Suspicious use of WriteProcessMemory
      4 CACLS "mnolyk.exe" /P "Admin:N"
        image: C:\Windows\SysWOW64\cacls.exe
      4 C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        image: C:\Windows\SysWOW64\cmd.exe
      4 CACLS "mnolyk.exe" /P "Admin:R" /E
        image: C:\Windows\SysWOW64\cacls.exe
      4 C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        image: C:\Windows\SysWOW64\cmd.exe
      4 CACLS "..\4b9a106e76" /P "Admin:N"
        image: C:\Windows\SysWOW64\cacls.exe
      4 CACLS "..\4b9a106e76" /P "Admin:R" /E
        image: C:\Windows\SysWOW64\cacls.exe
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1160
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 664
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 644
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1220
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1328
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000001001\nika.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1588
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1584
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000002001\lava.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1612
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1636
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000003051\franc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1648
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1608
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000004051\nita1.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1236
        - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1660
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1648
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000005001\mixo.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1660
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000006001\nika1.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1628
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1652
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1464
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000008051\nita.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1232
        - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1628
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000008051\nita.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1184
        - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1736
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1652
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1696
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks SCSI registry key(s)
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1736
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe"
      - Executes dropped EXE
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1640
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1612
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1668
      - Program crash
    3 "C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks SCSI registry key(s)
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1740
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1696
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 952
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1720
      - Program crash
    3 C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1416
      - Program crash
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1256
    - Program crash
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2220 -ip 2220
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 3704 -ip 3704
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 668 -ip 668
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 224 -ip 224
1 C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  - Executes dropped EXE
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 316
    - Program crash
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 948 -ip 948
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3944 -ip 3944
1 C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  - Executes dropped EXE
  2 C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 312
    - Program crash
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 3672 -ip 3672
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 3944 -ip 3944
1 C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 3944 -ip 3944
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nita.exe.logFilesize
2KB
MD5454585c01f02a638f91f17093d80f595
SHA1222ae17940da3f48360ca391e2d0d23e762d207d
SHA256cb76f24c65f25d5dda9b4c000a4f4223205b32a5ea0571aab5233192d7e4a47c
SHA512f4cc62375b04dfc6abc6265a2cc7dc88883b57a508f882b46080fcae7b1a4339be145d7983dd297b4ef6d77065ec6ede86c9b64a7f39254c562cb204151cf4b2
-
C:\Users\Admin\AppData\Local\Temp\1000001001\nika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000001001\nika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000002001\lava.exe
Filesize 11KB
MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000003051\franc.exe
Filesize 175KB
MD5 6991818e08082c4c140db502d2aff79f
SHA1 020ee1da61473dcd090805343601c1ae3d265032
SHA256 aa0a99779ffa4aa30aa23c9dc9db17b250457c5902e7d06aa785be97d764c3d0
SHA512 3f02448363aabe7515f1225a3291fb1fa0185ca78a302d70dd611b7f73b1b317a486eef61c2a7489a0d4e43301fa20c5fa48cb62d26f3e20d87aaeceb8a82d3e
-
C:\Users\Admin\AppData\Local\Temp\1000004051\nita1.exe
Filesize 336KB
MD5 c4f045d7baafb0380485a1e028f1ec48
SHA1 a07fdb9c8462369f2f721f526e4e18f700029371
SHA256 7ef99cf6b2378214934b430a7b9513dfb3fc188fdf212477bf1dc906207663f5
SHA512 2fa9467726c8c11ed218c8d6d644f6377b0d9558e883c30c34dcf83081f532ee02aa720d695947add97499c1395f600e885150ce2d5f23821e2a09eb1b9fd8be
-
C:\Users\Admin\AppData\Local\Temp\1000005001\mixo.exe
Filesize 175KB
MD5 1f2c3b82599a2c08b71927d14161a891
SHA1 bb2cd9f22ff5f4125602eae38fe738df4efdfd08
SHA256 898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1
SHA512 68a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106
-
C:\Users\Admin\AppData\Local\Temp\1000006001\nika1.exe
Filesize 11KB
MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000008051\nita.exe
Filesize 336KB
MD5 c4f045d7baafb0380485a1e028f1ec48
SHA1 a07fdb9c8462369f2f721f526e4e18f700029371
SHA256 7ef99cf6b2378214934b430a7b9513dfb3fc188fdf212477bf1dc906207663f5
SHA512 2fa9467726c8c11ed218c8d6d644f6377b0d9558e883c30c34dcf83081f532ee02aa720d695947add97499c1395f600e885150ce2d5f23821e2a09eb1b9fd8be
-
C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
Filesize 220KB
MD5 4b304313bfc0ce7e21da7ae0d3c82c39
SHA1 60745879faa3544b3a884843e368e668acbb6fa9
SHA256 623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd
SHA512 2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize 273KB
MD5 766683884bbe6a2c0e0ea7d76b6b13ea
SHA1 793d7b457f36a560d7094e4d0fee7270cc0e6842
SHA256 4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136
SHA512 52bc438968e68e967c1513e9bb1376cf55987a3f1976cd4eb0c463bfc30eb34220c3cfb38713c24d0d6513df3823d1b18aa24857eb8010537cf986ffde6bb12a